Cyber threat analysts discovered a new variant of ransomware called ‘Radman ransomware’. It appends the .radman file extension to encrypted file names. This post provides what you need to know about this ransomware virus: how to remove .Radman ransomware from your computer and how to recover (decrypt) encrypted personal files for free.
The Radman ransomware is malicious software created to encrypt photos, documents and music. It hijacks a whole PC or its data and demands a ransom in order to unlock (decrypt) them. The makers of the .Radman ransomware have a strong financial motive to infect as many machines as possible. Files with the following extensions will be encrypted:
.mrwref, .kdc, .ibank, .vtf, .lbf, .icxs, .mddata, .kf, .wma, .hvpl, .pptm, .wmv, .p7b, .das, .wpd, .bik, .sie, .wpb, .csv, .t12, .wsc, .py, .xmmap, .fos, .z3d, .dng, .mcmeta, .wp7, .wbm, .d3dbsp, .menu, .p7c, .rb, .mdbackup, .accdb, .xll, .forge, .cer, .xlsx, .zi, .p12, .sr2, .wsh, .db0, .wma, .3dm, .cas, .xlsb, .xwp, .ztmp, .wgz, .iwi, wallet, .odp, .crt, .xdl, .erf, .ysp, .odt, .zdc, .doc, .srw, .yal, .arch00, .bc6, .xbdoc, .docm, .xlk, .1st, .wpd, .lvl, .blob, .wsd, .raw, .zif, .epk, .wbk, .webdoc, .ws, .xls, .xls, .wmv, .zdb, .sidn, .dba, .apk, .itl, .xyw, .iwd, .rofl, .dmp, .mov, .wn, .re4, .y, .tax, .flv, .m4a, .wpe, .x3d, .xpm, .docx, .snx, .raf, .xld, .bkf, .wmf, .txt, .dcr, .bkp, .wcf, .mp4, .ff, .wotreplay, .odb, .lrf, .dbf, .r3d, .x3f, .3fr, .qic, .xdb, .ods, .wpg, .rim, .sav, .psk, .cdr, .2bp, .wot, .yml, .fpk, .wps, .xmind, .vpp_pc, .upk, .bc7, .rgss3a, .jpe, .sid, .wri, .sis, .m3u, .webp, .qdf, .asset, .litemod, .slm, .sidd, .vdf, .sql, .jpeg, .crw, .dwg, .wbc, .zabw, .vpk, .x3f, .wp, .layout, .big, .sb, .css, .wmd, .pak, .esm, .map, .pkpass, .itm, .png, .wpa, .wbmp, .pptx, .odc, .cfr, .pdf, .zw, .dxg, .pst, .zip, .wdb, .1, .dazip, .z, .rar, .m2, .wbz, .odm, .wm, .wire, .xlsx, .xar, .rw2, .pfx, .xml, .wpw, .avi, .der, .x, .itdb, .srf, .ai, .indd, .wmo, .mdb, .gdb
When the ransomware virus encrypts a file, it will add the .radman extension to each encrypted file. This means that a document file named ‘example.doc’, when encrypted, becomes ‘example.doc.radman’.
Once the ransomware virus has finished encrypting all documents, photos and music, it creates a file named “_readme.txt” containing a ransom note with instructions on how to decrypt all personal files. You can see one of the variants of the ransom note below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-mVSS8cJcv3 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
Name | .Radman ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .radman |
Ransom note | _readme.txt |
Contact | @datarestore (telegram), gorentos@bitmessage.ch |
Ransom amount | $980, $490 in Bitcoins |
Symptoms |
|
Removal | To remove .Radman ransomware use the removal guide |
Decryption | To decrypt .Radman ransomware use the steps |
It is therefore very important to follow the steps below as soon as possible. These few simple steps will help you delete .Radman ransomware. What is more, they will help you recover (decrypt) encrypted personal files for free.
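Before cleaning up, it helps to know how far the damage reaches. The Python script below is an added example, not part of the original guide or of any tool it mentions: it walks a folder read-only, lists files carrying the .radman extension together with their original names, counts them by original file type and notes which folders hold a _readme.txt ransom note. It assumes the modification time of a .radman file approximates when it was encrypted; the function names are illustrative.

```python
import os
import sys
from collections import Counter
from datetime import datetime
from pathlib import Path

ENCRYPTED_SUFFIX = ".radman"  # extension this page says is appended
RANSOM_NOTE = "_readme.txt"   # ransom note name given on this page


def triage(root):
    """Read-only walk of `root`; returns a summary of affected files."""
    encrypted, note_dirs, by_type, mtimes = [], [], Counter(), []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower == RANSOM_NOTE:
                note_dirs.append(dirpath)
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                original = name[: -len(ENCRYPTED_SUFFIX)]  # example.doc.radman -> example.doc
                encrypted.append((full, original))
                by_type[Path(original).suffix.lower() or "(none)"] += 1
                try:
                    mtimes.append(os.stat(full).st_mtime)
                except OSError:
                    pass  # unreadable file: still counted, just no timestamp
    return {
        "encrypted": encrypted,
        "note_dirs": sorted(note_dirs),
        "by_type": by_type,
        # Assumption: the .radman file's mtime approximates when it was encrypted.
        "first_seen": min(mtimes) if mtimes else None,
        "last_seen": max(mtimes) if mtimes else None,
    }


def report(summary):
    lines = [f"encrypted files: {len(summary['encrypted'])}",
             f"folders with {RANSOM_NOTE}: {len(summary['note_dirs'])}"]
    for ext, count in summary["by_type"].most_common():
        lines.append(f"  {ext}: {count}")
    if summary["first_seen"] is not None:
        first = datetime.fromtimestamp(summary["first_seen"])
        lines.append(f"earliest encrypted file written: {first:%Y-%m-%d %H:%M}")
        lines.append("look for backups or shadow copies dated before that time")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Run it with a folder path as the only argument; it changes nothing on disk, and the earliest timestamp gives a starting point when choosing a restore date.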
Quick links
- How to remove .Radman ransomware virus
- How to decrypt .radman files
- Use STOPDecrypter to decrypt .radman files
- How to restore .radman files
- How to protect your system from .Radman ransomware virus?
- Finish words
How to remove .Radman ransomware virus
Using a malware removal tool to search for and remove the ransomware virus hiding on your computer is probably the easiest way to remove the .Radman ransomware virus. We suggest the Zemana application for Windows personal computers. MalwareBytes Free and Kaspersky virus removal tool are other anti-malware utilities for Microsoft Windows that offer free malicious software removal.
Automatically remove .Radman ransomware with Zemana Anti-malware
Zemana Free can scan for all kinds of malicious software, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Radman ransomware, you can easily and quickly delete it.
- Please go to the link below to download Zemana. Save it directly to your Windows Desktop.
Zemana AntiMalware
- At the download page, click on the Download button. Your web browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the download is finished, please close all applications and open windows on your personal computer. Next, start a file named Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana on your PC. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, Zemana Free will start and display the main window.
- Next, click the “Scan” button to perform a system scan for the .Radman ransomware and other security threats. This procedure can take some time, so please be patient. While the Zemana Free program is scanning, you can see the number of objects it has identified as threats.
- After the scan has finished, Zemana Anti-Malware (ZAM) will show you the results.
- You can get rid of the detected items (move them to Quarantine) by simply clicking the “Next” button. The utility will remove the .Radman ransomware virus and other kinds of potential threats like malware and PUPs and move them to the program’s quarantine. When finished, you may be prompted to reboot the PC system.
- Close Zemana and continue with the next step.
How to remove .Radman ransomware with MalwareBytes Anti-Malware (MBAM)
If you’re having problems with the .Radman ransomware removal, then download MalwareBytes Anti-Malware (MBAM). It is free for home use, and searches for and removes various unwanted software that attacks your system or degrades personal computer performance. MalwareBytes Free can remove adware, worms as well as malicious software, including ransomware and trojans.
- Visit the following page to download the latest version of MalwareBytes AntiMalware (MBAM) for MS Windows. Save it on your MS Windows desktop or in any other place.
Malwarebytes Anti-malware
- At the download page, click on the Download button. Your web-browser will show the “Save as” dialog box. Please save it onto your Windows desktop.
- After the download is finished, please close all applications and open windows on your PC system. Double-click on the icon that’s named mb3-setup.
- This will start the “Setup wizard” of MalwareBytes Free on your computer. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, MalwareBytes will run and open the main window.
- Next, press the “Scan Now” button to perform a system scan with this utility for the .Radman ransomware related files, folders and registry keys. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC system and the speed of your computer. While the MalwareBytes AntiMalware (MBAM) utility is scanning, you may see the number of objects it has identified as being infected by malware.
- When finished, the results are displayed in the scan report.
- Review the report and then click the “Quarantine Selected” button. After that process is finished, you may be prompted to restart the PC system.
- Close the Anti-Malware and continue with the next step.
Run KVRT to remove .Radman ransomware virus
KVRT is a free removal utility that can check your machine for a wide range of security threats such as the .Radman ransomware, adware, trojans and other malicious software. It performs a deep scan of your computer, including hard drives and the Microsoft Windows registry. Once malicious software is detected, it will help you delete all found threats from your machine with a simple click.
Download Kaspersky virus removal tool (KVRT) on your computer from the link below.
When downloading is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization process is finished, you’ll see the KVRT screen as shown on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next, press the Start scan button to scan your PC for the .Radman ransomware and other malicious software. While the Kaspersky virus removal tool is scanning, you can see how many objects it has identified as being malicious software.
Once the scanning is finished, you can check all items detected on your system as shown on the image below.
Review the scan results and then click on Continue to start a cleaning procedure.
How to decrypt .radman files
The .Radman ransomware encourages victims to contact its developers in order to decrypt all files. These persons will require you to pay a ransom (they usually demand $490 or $980 in Bitcoins).
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your documents, photos and music. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create new ransomware viruses.
With some variants of the .Radman ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .radman files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos, .dotmap). STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.radman).
Please check the twitter post for more info.
How to restore .radman files
In some cases, you can restore files encrypted by the .Radman ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover .radman encrypted files using Shadow Explorer
In order to restore personal files encrypted by the .Radman ransomware from Shadow Volume Copies, you can run a utility named ShadowExplorer. We recommend using this solution, as its easy-to-use interface makes it easier to find and restore the previous versions of the encrypted files you need.
ShadowExplorer can be downloaded from the following link. Save it directly to your Windows Desktop.
After the downloading process is done, extract the saved file to a folder on your PC system. This will create the necessary files as shown in the figure below.
Launch the ShadowExplorerPortable application. Now select the date (2) that you wish to recover from and the drive (1) you want to recover files (folders) from as shown on the image below.
In the right panel, navigate to the file (folder) you wish to restore. Right-click the file or folder and click the Export button as on the image below.
Finally, specify a folder (your Desktop) in which to save the shadow copy of the encrypted file and click the ‘OK’ button.
Recover .radman files with PhotoRec
Before a file is encrypted, the .Radman ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your documents, photos and music using file restore software like PhotoRec.
Download PhotoRec from the link below.
When the downloading process is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It will show a screen as shown in the following example.
Select a drive to recover as displayed in the following example.
You will see a list of available partitions. Select a partition that holds encrypted files as shown in the following example.
Click the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is done, press the OK button.
Next, click the Browse button to select where recovered photos, documents and music should be written, then click Search.
The count of recovered files is updated in real time. All recovered files are written to the folder that you chose in the previous step. You can access the files even if the restore process is not finished.
When the restore is done, click the Quit button. Next, open the directory where the recovered personal files are stored. You will see contents like those below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your system from .Radman ransomware virus?
Most antivirus programs already have a built-in protection system against ransomware viruses. Therefore, if your PC system does not have an antivirus program, make sure you install one. As an extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your personal computer from .Radman ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Visit the following page to download the latest version of HitmanPro.Alert for MS Windows. Save it to your Desktop so that you can access the file easily.
When the downloading process is finished, open the folder in which you saved it. You will see an icon like below.
Double-click the HitmanPro.Alert desktop icon. After the tool is started, you’ll be shown a window where you can choose a level of protection, as shown on the screen below.
Now click the Install button to activate the protection.
Finish words
Once you have completed the few simple steps outlined above, your machine should be clean from the .Radman ransomware virus and other malware. Your PC system will no longer encrypt your documents, photos and music. Unfortunately, if the step-by-step instructions do not help you, then you have caught a new variant of ransomware virus, and the best way forward is to ask for help here.