Skip to content ↓ | Skip to navigation ↓

A new ransomware mimics many its predecessors but then shakes things up by incorporating disposable emails into its decryption process.

With big hitters like Locky, Cerber, and MIRCOP circulating in the wild, malware authors need not look far for inspiration when it comes to ransomware development.

Francis Antazo and Mary Yambao of the Tokyo-based security firm Trend Micro feel it is the success of those families that led computer criminals to develop R980.

As a result, the delivery method for this ransomware is all too familiar. Antazo and Yambao explain:

“R980 has been found to arrive via spam emails, or through compromised websites. …[S]pam emails carrying this ransomware contain documents embedded with a malicious macro (detected as W2KM_CRYPBEE.A) that is programmed to download R980 through a particular URL. From the time R980 was detected, there have been active connections to that URL since July 26th of this year.”


R980 uses the AES-256 and RSA 4096 algorithms to encrypt a whopping 151 different file types. For each file it encrypts, it appends “.crypt” to the filename, an extension which CryptXXX has used in some of its variants.

But it’s empty flattery, if anything. R980 doesn’t bear any semblance to CryptXXX.

Once it’s infected a victim’s files, the ransomware displays its ransom note:


Here’s where R980 gets interesting. To facilitate the decryption process, it abuses Mailinator, a service which automatically deletes emails after a few hours. The ransomware authors use that system to set up a series of disposable email addresses not only for themselves but also for the victims. That way they can control how cooperative victims complete their payments and receive the decryption key.

Each address is unique for each victim.


R980 does have a few tricks up its sleeve. Even so, you can easily protect yourself against this ransomware by disabling macros by default in their Microsoft Office applications. (I have yet to receive a legitimate file ask me to “Enable Content” in an Office document, so you won’t be putting yourself out that much.) You should also be careful around suspicious emails and email attachments.

How do you protect yourself against ransomware? Let us know in the comments!