This week, computer security professionals have received reports of yet another ransomware, called ‘Raldug ransomware’. This ransomware spreads via spam emails and malware files and appends the .raldug file extension to encrypted files. This article gives a brief summary of this ransomware and explains how to recover (decrypt) .raldug files for free.
What is ‘Raldug ransomware’? It is malicious software that encrypts personal files and holds them until a ransom is paid to the cyber criminal. Once started, the .Raldug ransomware scans the PC for certain file types and encrypts them. It encrypts almost all file types, including:
.dwg, .vdf, .accdb, .zdb, .wn, .mpqge, .wsh, .icxs, .xbdoc, .doc, .ai, .gho, .tor, .3dm, .wp, .fpk, .upk, .vpk, .pef, .pptm, .t12, .fsh, .docx, .sb, .xar, .xlsm, .csv, .asset, .ibank, .xyw, .cas, .webp, .zip, .1, .pst, .z3d, .tax, .wgz, .xxx, .zw, .dxg, .mef, .y, .wbz, .wpa, .xls, .hplg, .wcf, .itl, .itdb, .layout, .wotreplay, .hvpl, .rofl, .cdr, .odc, .syncdb, .3ds, .iwd, .lbf, .forge, .wpl, .mrwref, .wbc, .bsa, .w3x, .lvl, .jpe, .dcr, .0, .bkp, .sis, .xml, .wpd, .zip, .js, .yal, .pptx, .dmp, .xll, .vcf, .odt, .sav, .xdl, .wmv, .p12, .eps, .blob, .rar, .erf, .raf, wallet, .dng, .ptx, .dazip, .ybk, .xx, .mov, .iwi, .rim, .slm, .xpm, .p7b, .wmv, .wpe, .ntl, .wpw, .wp7, .xmmap, .esm, .orf, .arch00, .cer, .db0, .pem, .xlgc, .kdb, .epk, .srw, .pkpass, .xmind, .bik, .raw, .vpp_pc, .map, .svg, .lrf, .rwl, .menu, .snx, .pdf, .xf, .zdc, .qic, .flv, .zabw, .xlsx, .odb, .big, .pfx, .mdb, .py, .wdb, .wps, .docm, .txt, .wp5, .xdb, .sidd, .wri, .litemod, .jpeg, .wps, .wbk, .mlx, .xls, .xbplate, .ff, .desc, .avi, .sid, .xlsx, .odp, .sidn, .wpt, .3fr, .x3f, .rb, .cr2, .crt, .t13, .gdb, .x, .re4, .css, .arw, .wpb, .mdbackup, .mp4, .1st, .sr2, .sum, .webdoc, .ppt, .cfr, .pak, .mcmeta, .r3d, .kdc, .wbm, .crw, .psk, .rw2, .qdf, .wma, .png, .dbf, .itm, .z, .ltx, .mdf, .odm, .x3d, .wbmp, .ncf, .xld, .wb2, .bar, .d3dbsp, .2bp, .bc7, .xlk, .ysp, .kf, .ztmp, .m3u, .ods, .wsd, .rtf, .sie, .wmd, .wp6, .xy3
When the ransomware encrypts a file, it appends the .raldug extension to the file name. Once the ransomware has finished encrypting all personal files, it drops a file called “_readme.txt” containing ransom instructions on how to decrypt the photos, documents and music. One variant of the ransom note is shown below:
ATTENTION!
Don't worry my friend, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-vpovVceDWN
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" folder if you don't get answer more than 6 hours.
To get this software you need write on our e-mail:
firstname.lastname@example.org
Reserve e-mail address to contact us:
email@example.com
Your personal ID:
We suggest that you remove the .Raldug ransomware as soon as possible, before its presence leads to even worse consequences. Follow the step-by-step instructions below to completely remove the ransomware from your PC and to restore encrypted personal files using only a few free tools.
Table of contents
- How to remove .Raldug ransomware
- How to decrypt .raldug files
- Use STOPDecrypter to decrypt .raldug files
- How to restore .raldug files
- How to protect your PC system from .Raldug ransomware virus?
- To sum up
How to remove .Raldug ransomware
To remove the .Raldug ransomware from your PC, you need to stop all of its processes and delete its associated files, including its Windows registry entries. If any ransomware components are left on the PC, the ransomware can reinstall itself the next time the computer boots up. Ransomware usually uses a random name made up of characters and numbers, which makes manual removal very difficult. We advise you to use free ransomware removal utilities to delete the .Raldug ransomware from your PC. Below you will find a few popular malware removers that detect various ransomware.
Remove .Raldug ransomware with Zemana Anti-malware
We suggest using Zemana Anti-malware. You can download and install Zemana Anti-malware to search for and delete the .Raldug ransomware from your computer. Once installed and updated, the malware remover will automatically scan for and detect all threats that exist on the PC.
- Please go to the following link to download Zemana. Save it to your Desktop so that you can access the file easily.
- After the download is complete, close all apps and windows on your computer. Open the file location. Double-click the icon named Zemana.AntiMalware.Setup.
- Then click the Next button and follow the prompts.
- Once setup is finished, click the “Scan” button. Zemana Anti Malware (ZAM) will scan the whole computer for the .Raldug ransomware and other kinds of potential threats. Depending on your computer, the scan can take anywhere from a few minutes to close to an hour. While Zemana AntiMalware is checking, you may see the number of objects it has identified as malicious software.
- Once Zemana Anti Malware (ZAM) completes the scan, a list of all detected threats is created. All detected threats will be marked. You can remove them all by simply pressing “Next”. When disinfection is done, you may be prompted to restart your computer.
How to remove Raldug ransomware with MalwareBytes Anti Malware (MBAM)
Manual removal of the Raldug ransomware requires some computer skills, and some files and registry entries created by the ransomware may not be fully removed. We suggest that you run MalwareBytes Free, which can fully clean your PC of the ransomware. Moreover, this free application will also remove malicious software, trojans, adware and worms that your PC may be infected with.
Installing the MalwareBytes Anti-Malware (MBAM) is simple. First you’ll need to download MalwareBytes Anti-Malware from the following link.
Once the download is finished, close all windows on your machine. Then start the file named mb3-setup. If the “User Account Control” prompt pops up, press the “Yes” button.
It will open the “Setup wizard” that will help you install MalwareBytes Anti-Malware on the computer. Follow the prompts and don’t make any changes to default settings.
Once the install has finished successfully, press the Finish button. MalwareBytes will then run automatically and show its main window.
Next, click the “Scan Now” button to perform a system scan with this tool for the Raldug ransomware virus related files, folders and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your computer. During the scan MalwareBytes will locate threats present on your system.
When MalwareBytes AntiMalware completes the scan, MalwareBytes Free will display a list of found threats. When you are ready, click the “Quarantine Selected” button.
MalwareBytes Free will remove the Raldug ransomware and other security threats and move them to the Quarantine. After the cleaning process is finished, you may be prompted to restart your computer.
Remove .Raldug ransomware virus with KVRT
The KVRT tool is free and easy to use. It can scan and remove ransomware like the .Raldug ransomware, malware, trojans and worms. KVRT is powerful enough to find and remove malicious registry entries and files that are hidden on the personal computer.
Download Kaspersky virus removal tool (KVRT) on your Microsoft Windows Desktop by clicking on the following link.
After the download is finished, double-click on the KVRT icon. Once the initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen.
Click Change Parameters and check the box next to each of your drives. Click OK to close the Parameters window. Next, click the Start scan button to perform a system scan for the .Raldug ransomware and other trojans and harmful programs. This procedure can take some time, so please be patient. While the Kaspersky virus removal tool is checking, you may see the number of objects it has identified as malware.
When the scan ends, the Kaspersky virus removal tool will open a scan report.
When you are ready, press on Continue to begin a cleaning procedure.
How to decrypt .raldug files
The .Raldug ransomware encourages victims to contact its authors in order to decrypt all documents, photos and music. These people will demand a ransom (usually $490-980 in Bitcoins).
Never pay the ransom! You might feel that you have no other choice but to pay up and decrypt .raldug files quickly. There is no guarantee that the developers of the .Raldug ransomware will live up to their word and give back your files.
Use STOPDecrypter to decrypt .raldug files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions (.raldug).
Please check the Twitter post for more info.
How to restore .raldug files
In some cases, you can recover files encrypted by the .Raldug ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
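Before trying either method it helps to know exactly which files were affected. The following Python sketch is an added example, not part of the original article or of any tool it mentions: it walks a folder, lists files carrying the .raldug suffix together with their original names, counts them by original file type, and locates the _readme.txt ransom notes. The function names and the sample folder layout are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".raldug"   # extension the article says is appended
NOTE_NAME = "_readme.txt"      # ransom note file name given in the article

def inventory(root):
    """Walk root; return encrypted files, ransom notes and a per-type tally."""
    encrypted, notes, by_type = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                original = name[:-len(ENCRYPTED_SUFFIX)]
                # Extension the file had before encryption, e.g. ".docx"
                ext = os.path.splitext(original)[1].lower() or "(none)"
                by_type[ext] += 1
                encrypted.append({
                    "path": path,
                    "original_name": original,
                    "size": os.path.getsize(path),
                    # True when a file with the original name sits beside it
                    "clean_copy_present": os.path.exists(os.path.join(dirpath, original)),
                })
    return encrypted, notes, by_type

def build_sample_tree(root):
    """Constructed sample data: empty files named like an affected profile."""
    layout = ["Documents/report.docx.raldug", "Documents/_readme.txt",
              "Documents/budget.xlsx.raldug", "Documents/budget.xlsx",
              "Pictures/holiday.jpeg.raldug", "Pictures/notes.txt"]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        encrypted, notes, by_type = inventory(tmp)
        print(f"{len(encrypted)} encrypted files, {len(notes)} ransom notes")
        for ext, count in sorted(by_type.items()):
            print(f"  {ext}: {count}")
```

The script only reads file names and sizes, so it can be pointed at a user profile or a mounted copy of the disk without changing anything on it.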
Use shadow copies to restore .raldug files
To restore .raldug documents, photos and music encrypted by the .Raldug ransomware from Shadow Volume Copies, you can run a utility called ShadowExplorer. We advise using this solution because its easy-to-use interface makes it simpler to find and restore the previous versions of the encrypted files you need.
Installing the ShadowExplorer is simple. First you will need to download ShadowExplorer on your Windows Desktop by clicking on the following link.
When the download is complete, extract the downloaded file to a directory on your computer. This will create the necessary files.
Launch the ShadowExplorerPortable program. Now choose the date (2) that you wish to recover from and the drive (1) you wish to restore files (folders) from.
In the right panel, navigate to the file (folder) you want to restore. Right-click the file or folder and click the Export button.
Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Run PhotoRec to recover .raldug files
Before a file is encrypted, the .Raldug ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore software like PhotoRec.
Download PhotoRec from the following link.
After the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder.
Double-click qphotorec_win to run PhotoRec for MS Windows.
Select a drive to recover.
You will see a list of available partitions. Select the partition that holds the encrypted files.
Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, press the OK button.
Next, click the Browse button to select where restored documents, photos and music should be written, then press Search.
The count of restored files is updated in real time. All restored photos, documents and music are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the recovery is finished, press the Quit button. Next, open the directory where the restored files are stored.
All recovered files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
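Sorting the recovered files by extension and date is tedious by hand when there are many recup_dir folders. The following Python sketch is an added example, not part of PhotoRec or of the original article: it indexes every file under the recup_dir.N folders by extension, newest first, and lets you filter by modification time. The function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime

# PhotoRec output folders are named recup_dir.1, recup_dir.2, ... (per the article)
RECUP_DIR = re.compile(r"^recup_dir\.(\d+)$")

def index_recovered(output_root):
    """Return {extension: [(mtime, path), ...]}, newest first, across recup_dir.N."""
    index = {}
    for entry in os.listdir(output_root):
        folder = os.path.join(output_root, entry)
        if not (RECUP_DIR.match(entry) and os.path.isdir(folder)):
            continue  # skip anything that is not a PhotoRec output folder
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            if os.path.isfile(path):
                ext = os.path.splitext(name)[1].lower() or "(none)"
                index.setdefault(ext, []).append((os.path.getmtime(path), path))
    for files in index.values():
        files.sort(reverse=True)
    return index

def find(index, ext, since=None):
    """Paths with extension ext whose modification time is at or after since."""
    cutoff = since.timestamp() if since else float("-inf")
    return [p for mtime, p in index.get(ext.lower(), []) if mtime >= cutoff]

def build_sample(root):
    """Constructed sample data mimicking a PhotoRec output directory."""
    files = {"recup_dir.1/f0001.jpg": datetime(2019, 3, 1),
             "recup_dir.1/f0002.docx": datetime(2019, 2, 10),
             "recup_dir.2/f0003.jpg": datetime(2018, 12, 25),
             "other/ignored.jpg": datetime(2019, 3, 1)}
    for rel, when in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
        os.utime(path, (when.timestamp(), when.timestamp()))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        idx = index_recovered(tmp)
        for ext in sorted(idx):
            print(ext, len(idx[ext]))
        print(find(idx, ".jpg", since=datetime(2019, 1, 1)))
```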
How to protect your PC system from .Raldug ransomware virus?
Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your computer does not have an antivirus program, make sure you install one. As extra protection, run HitmanPro.Alert.
Use HitmanPro.Alert to protect your computer from .Raldug ransomware
HitmanPro.Alert is a small security utility. It checks the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you will need to download HitmanPro Alert by clicking on the link below. Save it on your Desktop.
After the download is done, open the file location.
Double-click the HitmanPro Alert desktop icon. Once the utility has started, a window is displayed where you can select a level of protection.
Now click the Install button to activate the protection.
To sum up
Now your PC should be free of the .Raldug ransomware. Remove MalwareBytes and the Kaspersky virus removal tool. We recommend that you keep Zemana Anti-Malware (ZAM) to periodically scan your computer for new malicious software. Moreover, to prevent ransomware, stay clear of unknown and third-party programs, and make sure that the option to stop or search for ransomware is turned on in your antivirus application.