Righ file extension
The .righ file extension is associated with the latest variant of STOP (Djvu) ransomware. Security researchers discovered the ‘Righ’ version about a week after the previous one, which is called Hets. Like all other versions of the STOP (Djvu) virus, Righ encrypts files and thus makes their contents inaccessible. The criminals offer victims of the virus the chance to buy a decryptor and a unique key, which are needed to decrypt the affected files.
Fortunately for victims of the virus, in some cases .righ files can be decrypted, thanks to a free decryptor created by a group of security researchers. This decryptor can decrypt files encrypted with all versions of the STOP (Djvu) virus, including the ‘Righ’ version. Read more about the free decryptor and how to decrypt .righ files below in this article.
Righ virus
Righ virus is really a nasty piece of malware. It infects the system when the user downloads or runs malware-infected files. Criminals lure unwary users into downloading the ransomware by hiding malicious code within cracked versions of paid software, free software, key generators, and so on. Upon execution, an instance of Righ virus is installed on the victim’s computer.
Once installed on a computer, Righ encrypts files located on the drives connected to the computer. It uses a strong algorithm and a long key to encrypt files. If, before encrypting the files, Righ virus was able to establish a connection with its command-and-control (C&C) server, it uses a so-called ‘online key’ that is unique to each infected computer. If Righ virus cannot connect to its command server, it uses the so-called ‘offline key’. This key, unlike the online key, is the same for all infected computers and can therefore be determined by security researchers.
Righ virus tries to encrypt all files on the computer; therefore, to speed up the encryption process, it does not encrypt the entire contents of each file, but only the first 154 KB. Regardless of whether the files are located on the internal drive, a connected device or cloud storage, all files will be encrypted. The only things Righ virus does not encrypt are files located in the Windows system directories, files with the extensions .bat, .ini, .sys, .dll and .lnk, and files named ‘_readme.txt’. Thus, files of all types can be encrypted, including common ones such as:
.hkx, .vpp_pc, .sidd, .asset, .flv, .ibank, .wire, .7z, .desc, .sis, .webp, .eps, .wdp, .tor, .mddata, .sav, .wot, .x3f, .csv, .mrwref, .wav, .dng, .wpg, .wbm, .wps, .y, .xlgc, .odc, .m4a, .xar, .pdf, .xbdoc, .wmo, .qic, .arw, .wbc, .odp, .mef, .dcr, .xlsb, .rofl, .p7b, .accdb, .wp5, .re4, .bkp, .crw, .odt, .wma, .mp4, .itm, .dwg, .gdb, .wb2, .cfr, .rw2, .docm, .snx, .srf, .pak, .mdb, .2bp, .t12, .docx, .ai, .psd, .litemod, .crt, .zdc, .sb, .wcf, .pfx, .zip, .zi, .wp, .rwl, .dazip, .wri, .xml, .3dm, .yml, .3fr, .wma, .rtf, .nrw, .3ds, .wmv, .mdbackup, .wp4, .upk, .syncdb, .x3f, .xlsx, .txt, .1st, .sum, .wp6, .xy3, .xbplate, .sql, .xll, .sr2, .ods, .dba, .xlsm, .xxx, .wn, .wsd, .hvpl, .png, .der, .xyp, .kdc, .m2, .x3d, .xpm, .vpk, .0, .erf, .ntl, .slm, .zif, .mpqge, .wpt, .cas, .p12, .wbk, .qdf, .wbmp, .dmp, .xwp, .xld, .wotreplay, .ncf, .pef, .rar, .wmd, .raw, .sie, .iwi, .lbf, .srw, .bar, .xls, .r3d, .pptm, .bay, .xdl, .yal, .pem, .lvl, .hplg, .ppt, .ptx, .psk, .bik, .svg, .indd, .forge, .orf, .xmmap, .mdf, .das, .vcf, .epk, .icxs, .cer, .xlk, .jpg, .lrf, .xf, .mlx, .cdr, .xmind, .jpeg, .wpw, .blob, .zabw, .ysp, .fos, .layout, .ws, .hkdb, .iwd, .xx, .m3u, .pdd, .vfs0, .wpe, .zw, .t13, .rim, .kf, .big, .w3x, .arch00, .zip, .mov, .sid, .wpd, .xlsm, .pptx, .bkf, .avi, .rgss3a, .wpl, .z3d, .raf, .x, .kdb, .wpa, .py, .xyw, .wsc, .ff, .map, .jpe, .tax, .wmv, .d3dbsp, .xls, .wpd, .dbf, .ltx, .odm, .rb, .dxg, .esm, .bsa, .pkpass, .ztmp, .menu, .p7c, .wm, .xdb, .wgz, .fpk, .webdoc, .cr2, .wmf, .bc7, .vtf, .vdf, .db0, .wps, .itdb, .doc, .xlsx, .zdb, .js, .wsh, .z, .itl, .wpb, .odb, .pst
Each encrypted file receives a new name: Righ virus appends the extension ‘.righ’ to the end of the file name. Thus, if a file was called ‘image.jpg’ before encryption, after encryption it will be called ‘image.jpg.righ’. In each folder where the virus encrypted one or more files, it drops a file named ‘_readme.txt’.
This file is the ransom demand message. In it, the authors of Righ virus state that the victim’s files have been encrypted and that, to decrypt them, the victim needs to buy a decryptor and a key. The attackers demand $980; if the victim pays within 72 hours, the ransom is halved to $490. The criminals offer to decrypt one small file for free to prove that .righ files can be decrypted. Obviously, even if the criminals are able to decrypt one file, this does not guarantee that after receiving the ransom they will give the victim the key and the decryptor.
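The encryption rules described above (only the first 154 KB of each file is encrypted, certain extensions and the ransom note are skipped, each file is renamed with ‘.righ’, and ‘_readme.txt’ is dropped per folder) can be turned into a small inventory script that a responder runs over a copy of an affected folder to list what was encrypted, what the original names were, and where ransom notes were left. The script below is an added example written for this article, not a tool from the original page or from the decryptor’s authors. The directory tree it builds is constructed; the system-directory prefix passed by the caller is an assumption (the article does not name the directories); and 154 KB is read here as 154 * 1024 bytes.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".righ"
RANSOM_NOTE = "_readme.txt"
# Extensions the article says Righ leaves untouched.
SKIPPED_EXTS = {".bat", ".ini", ".sys", ".dll", ".lnk"}
# Only the first 154 KB of each file is encrypted; reading that as
# 154 * 1024 bytes is an assumption made in this example.
ENCRYPTED_PREFIX_BYTES = 154 * 1024


def is_skipped(path, system_dirs=()):
    """True if the article's rules say Righ would not encrypt this file.

    system_dirs: path prefixes treated as Windows system directories.
    The article names no specific directories, so the caller supplies them.
    """
    p = Path(path)
    if p.name.lower() == RANSOM_NOTE or p.suffix.lower() in SKIPPED_EXTS:
        return True
    lowered = str(path).lower()
    return any(lowered.startswith(str(d).lower()) for d in system_dirs)


def original_name(name):
    """'image.jpg.righ' -> 'image.jpg'; a name without the suffix is returned unchanged."""
    if name.lower().endswith(ENCRYPTED_EXT):
        return name[: -len(ENCRYPTED_EXT)]
    return name


def inventory(root):
    """Walk a tree and list encrypted files, ransom notes and untouched files."""
    report = {"encrypted": [], "ransom_notes": [], "untouched": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if name.lower() == RANSOM_NOTE:
                report["ransom_notes"].append(str(full))
            elif name.lower().endswith(ENCRYPTED_EXT):
                size = full.stat().st_size
                report["encrypted"].append({
                    "path": str(full),
                    "original_name": original_name(name),
                    "size": size,
                    # Bytes the ransomware actually overwrote: at most the prefix.
                    "bytes_encrypted": min(size, ENCRYPTED_PREFIX_BYTES),
                })
            else:
                report["untouched"].append(str(full))
    return report


def build_sample_tree():
    """Create a constructed directory layout that mimics an infected folder."""
    root = Path(tempfile.mkdtemp(prefix="righ_sample_"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "image.jpg.righ").write_bytes(b"\x00" * 2048)       # small file, fully encrypted
    (docs / "movie.mp4.righ").write_bytes(b"\x00" * 200_000)    # large file, only the prefix encrypted
    (docs / RANSOM_NOTE).write_text("constructed ransom note placeholder\n")
    (docs / "setup.ini").write_text("[sample]\n")               # skipped extension, left intact
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for entry in inventory(sample_root)["encrypted"]:
        print(entry["original_name"], entry["size"], "bytes;", entry["bytes_encrypted"], "overwritten")
```

Run it against a copy of the affected data, never the only copy: the report is read-only, but listing original names and the number of overwritten bytes helps decide which large files (video, archives, databases) still have most of their content intact beyond the 154 KB prefix.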
Threat Summary
| Name | Righ |
| Type | File locker, Filecoder, Crypto malware, Ransomware, Crypto virus |
| Encrypted files extension | .righ |
| Ransom note | _readme.txt |
| Contact | datarestorehelp@firemail.cc, datahelp@iran.ir |
| Ransom amount | $980 / $490 in Bitcoins |
| Symptoms | Files are encrypted with a .righ file extension. Files called ‘_readme.txt’ or ‘_readme’ in every folder with an encrypted file. Unable to open the files. Windows Explorer displays a blank icon for the file type. |
| Distribution ways | Torrent websites. Phishing emails that look like they come from a reliable source. Drive-by downloading (when a user unknowingly visits an infected website and malware is installed without the user’s knowledge). Social media posts (used to entice users to download malicious software with a built-in ransomware downloader or to click a misleading link). Malvertising campaigns. |
| Removal | Righ virus removal guide |
| Decryption | Free Righ Decryptor |
The message left by the creators of Righ virus says that files cannot be decrypted without a key and decryptor. Unfortunately, security researchers confirm that a decryptor and a unique key are indeed required to decrypt the files.
As we reported above, fortunately a free decryptor has been created. This decryptor can decrypt .righ files that were encrypted with an offline key. If the files were encrypted with an online key, they cannot be decrypted, but there are several ways that could help recover the contents of the encrypted files.
How to remove Righ virus, Recover, Decrypt .righ files
If your computer was infected with Righ virus and the files on it were encrypted, you need to follow a few steps that will help you find and remove the virus and decrypt .righ files or restore their contents. Before decrypting or recovering files, be sure to check your computer for malicious software. Read the entire instructions below carefully, print them, or open them on your smartphone, so that you do not miss anything important.
How to remove Righ ransomware virus
The first thing you should do before decrypting or recovering .righ files is to scan the system for malware and other security threats. This step cannot be skipped, because if Righ virus is not completely removed from the computer, it will continue its malicious actions. In order to find all malware components and remove them from the system, we recommend using free malware removal tools. The best option is to first update your antivirus and perform a full scan, then use the free malware removal tools listed below to scan the system for malicious software and remove any malware found. It is advisable to use not one malware removal tool but two or more, as this significantly increases the chance of detecting the malware.
How to remove Righ virus with Zemana Anti-Malware (ZAM)
Zemana is a malware scanner that is very useful for detecting and removing Righ ransomware virus. The steps below explain how to download, install, and use Zemana to scan the system and remove ransomware, spyware, malware, trojans, worms and adware for free.
Click the link below to download the latest version of Zemana for Microsoft Windows. Save it directly to your MS Windows Desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is finished, close all windows on your machine. Then start the setup file named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown on the screen below, click the “Yes” button.
It will show the “Setup wizard”, which will assist you in installing Zemana Anti Malware (ZAM) on the PC system. Follow the prompts and do not change the default settings.
Once the installation has completed successfully, Zemana will launch automatically and you will see its main window as shown in the image below.
Next, press the “Scan” button to perform a system scan for Righ crypto virus and other kinds of potential threats such as malware and trojans.
When finished, Zemana AntiMalware (ZAM) will display the results. When you are ready, click the “Next” button.
Zemana Free will begin to delete the folders, files and registry keys related to Righ ransomware virus. When finished, you may be prompted to reboot your system.
Run MalwareBytes Anti Malware (MBAM) to remove Righ ransomware virus
We recommend using MalwareBytes. You can download and install MalwareBytes Anti-Malware to search for and remove Righ ransomware from your personal computer. When installed and updated, this malware remover automatically searches for and removes all threats that exist on the computer.
Installing MalwareBytes AntiMalware is simple. First you’ll need to download MalwareBytes AntiMalware (MBAM) to your MS Windows Desktop by clicking on the link below.
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the download is complete, close all apps and windows on your PC. Open the directory in which you saved it. Double-click on the icon called mb3-setup as shown in the following example.
When the installation starts, you’ll see the “Setup wizard”, which will help you set up Malwarebytes on your computer.
Once the installation is finished, you will see a window as displayed on the screen below.
Now click the “Scan Now” button to scan your computer for Righ crypto malware, other malware, worms and trojans. This process can take quite a while, so please be patient. When a threat is detected, the count of security threats changes accordingly.
Once finished, MalwareBytes AntiMalware (MBAM) will display a screen with a list of the malware that has been found. Review the scan results and then click the “Quarantine Selected” button.
Malwarebytes will now delete the folders, files and registry keys related to Righ virus and add the items to the Quarantine. When the task is complete, you may be prompted to reboot your computer.
To learn more about this malware removal utility, we recommend that you read the following guide: How to use MalwareBytes Anti-malware.
Remove Righ ransomware with KVRT
Kaspersky Virus Removal Tool (KVRT) is a free portable application that scans your computer for ransomware, trojans, spyware, worms and other malware and helps delete them easily. You can run this tool to scan for threats even if you have an antivirus or any other security program installed.
Download Kaspersky virus removal tool (KVRT) from the following link.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the download is finished, double-click on the KVRT icon. Once the initialization process is complete, you will see the KVRT screen as displayed below.
Click Change Parameters and set a check mark next to all your drives. Press OK to close the Parameters window. Next, click the Start scan button. Kaspersky Virus Removal Tool will start scanning the whole computer to find Righ ransomware virus and other malware. This process can take some time, so please be patient.
When Kaspersky Virus Removal Tool has finished scanning your personal computer, it will show the Scan Results as shown in the figure below.
You can delete the threats (move them to Quarantine) by simply clicking Continue to start the cleaning process.
How to decrypt .righ files
Files with the .righ extension are encrypted, and to decrypt them you must use the decryptor and a unique key. You cannot unlock these files simply by deleting the new extension or changing the file name. Fortunately, there is a free decryptor which in some cases can decrypt .righ files.
To decrypt .righ files, use the free STOP (Righ) decryptor
- Download the STOP (Righ) decryptor from the following link: STOP Djvu decryptor (scroll down to the ‘New Djvu ransomware’ section).
- Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
As we have already said, the STOP (Righ) decryptor cannot always decrypt .righ files. More precisely, it can decrypt only those files that were encrypted with an offline key. Files encrypted with an online key are not yet decryptable.
How to find out which key was used to encrypt files
Below we show two ways to determine what type of key was used to encrypt your files. This is very important, since the type of key determines whether it is possible to decrypt .righ files. We recommend using the second method, as it is more accurate.
First, you can look at the personal ID given in the ‘_readme.txt’ file (ransom note).
Alternatively, look on disk ‘C’ for the file ‘SystemID\PersonalID.txt’. This is the file in which Righ virus stores the Personal IDs used for encryption.
The ‘Personal ID’ is not a key; it is a string of characters by which anyone can find out which key was used to encrypt the files. If the ID ends with ‘t1’, the files are encrypted with an offline key. If the ID does not end with ‘t1’, Righ used an online key. If you cannot determine which key was used to encrypt the files, we can help you: just write a request in the comments below.
What to do if STOP (Righ) decryptor says “Error: Unable to decrypt file with ID”
If, during decryption of .righ files, the decryptor reports ‘Error: Unable to decrypt file with ID’ and skips files without decrypting them, there are two possible reasons:
- the files are encrypted with an ‘online key’; in this case, you need to use alternative methods to restore the contents of the encrypted files;
- the files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers; in this case, you need to be patient and wait a while, and in the meantime you can also use alternative ways to recover the encrypted data.
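Both the key-type rule from the previous section (a Personal ID ending in ‘t1’ means an offline key, anything else means an online key) and the two explanations for the decryptor’s ‘Error: Unable to decrypt file with ID’ message can be put into one small triage script that reads the ransom note and ‘SystemID\PersonalID.txt’ and reports, per ID, what the victim can expect. The Python below is an added example, not code from the original article or from the decryptor’s authors. The ransom note fragment and the PersonalID.txt contents are constructed samples; the ‘Your personal ID:’ label and the one-ID-per-line layout of PersonalID.txt are assumptions about those files, and the IDs themselves are made up.

```python
import re

OFFLINE_SUFFIX = "t1"

# Constructed ransom note fragment. The "Your personal ID:" label and the
# line layout are assumptions about the note, not text quoted from the article.
SAMPLE_README = """ATTENTION!
All your files have been encrypted.
Your personal ID:
AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1
"""

# Constructed contents of C:\SystemID\PersonalID.txt. The article says the file
# stores the Personal IDs used for encryption; one ID per line is an assumption.
SAMPLE_PERSONAL_ID_FILE = """AbCdEfGhIjKlMnOpQrStUvWxYz0123456789t1
ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210Qz
"""


def key_type(personal_id):
    """Offline key if the ID ends in 't1', otherwise online (the article's rule)."""
    return "offline" if personal_id.strip().endswith(OFFLINE_SUFFIX) else "online"


def ids_from_readme(note_text):
    """Pull the ID that follows the 'personal ID' label in the note (label is assumed)."""
    m = re.search(r"personal id[:\s]*([A-Za-z0-9]+)", note_text, re.IGNORECASE)
    return [m.group(1)] if m else []


def ids_from_personal_id_file(text):
    """One ID per non-empty line (layout assumed)."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def explain_decrypt_error(personal_id):
    """What 'Error: Unable to decrypt file with ID' means for this ID, per the article."""
    if key_type(personal_id) == "online":
        return ("online key: the free decryptor cannot help; use the alternative "
                "recovery methods (shadow copies, deleted-file recovery)")
    return ("offline key whose value researchers have not found yet: wait for a "
            "decryptor update and try the alternative recovery methods meanwhile")


def triage(readme_text, personal_id_text):
    """Map every ID seen in either source to its key type, preserving order."""
    ids = []
    for pid in ids_from_readme(readme_text) + ids_from_personal_id_file(personal_id_text):
        if pid not in ids:
            ids.append(pid)
    return {pid: key_type(pid) for pid in ids}


if __name__ == "__main__":
    for pid, kind in triage(SAMPLE_README, SAMPLE_PERSONAL_ID_FILE).items():
        print(pid, "->", kind)
        print("  if the decryptor fails on this ID:", explain_decrypt_error(pid))
```

PersonalID.txt is the more reliable source because it can hold more than one ID when the ransomware ran several times (for example once offline and once online), so a machine can have a mix of offline-key files that the free decryptor handles and online-key files that it cannot.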
How to restore .righ files
Fortunately, there are several simple ways that give everyone a chance to recover the contents of encrypted files. The methods presented below can help when the free decryptor cannot decrypt .righ files or when files are encrypted with an online key.
Alternative methods of file recovery do not use decryption, so there is no need for a key or decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware on it. Therefore, if you have not yet checked your computer for ransomware, do it right now: use the free malware removal tools or return to step 1 above.
Run ShadowExplorer to restore .righ files
Now proceed to recover .righ files. We hope you have already completed all the steps discussed above. First, try to recover the encrypted files using a free tool called ShadowExplorer. This program allows you to recover your files from Shadow Volume Copies, which are created automatically by the OS while you work with your files.
Unfortunately, Righ virus can automatically delete these copies and thus prevent you from recovering your files. Nevertheless, in some cases the ransomware cannot delete all copies, and the user gets the opportunity to restore all files quickly. Therefore, you should definitely try this method!
Download ShadowExplorer to your Microsoft Windows Desktop from the following link.
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the figure below.
Run the ShadowExplorer tool and then choose the disk (1) and the date (2) of the shadow copy from which you want to recover the file(s) encrypted by the Righ crypto virus, as in the image below.
Now navigate to the file or folder that you want to recover. When ready, right-click on it and click the ‘Export’ button as shown in the image below.
Recover .righ files with PhotoRec
Another way that really works to recover .righ files is to use a free tool named PhotoRec. It was created to recover deleted or lost files. Can the virus block this method? Fortunately, Righ virus cannot block it in any way. Why is this possible? Because when you delete files using the standard OS function, these files are not actually deleted; Windows merely marks them as deleted and no longer shows them in the list of files. The program we suggest you use finds deleted files, including files that were deleted by the ransomware, and recovers them.
Download PhotoRec from the link below. Save it to your Desktop so that you can access the file easily.
When the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double-click qphotorec_win to run PhotoRec for Windows. It will show a screen like the one below.
Choose a drive to recover, such as the one below.
You will see a list of available partitions. Choose the partition that holds the encrypted photos, documents and music, as below.
Click the File Formats button and choose the file types to restore. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.
Next, click the Browse button to choose where recovered photos, documents and music should be written, then click Search.
The count of restored files is updated in real time. All recovered documents, photos and music are written to the folder you chose in the previous step. You can access the files even before the recovery process has finished.
When the restore is complete, press the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents like those in the image below.
All recovered files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, you can sort the recovered files by extension and/or date/time.
How to protect your machine from Righ ransomware?
Most antivirus apps already have a built-in protection system against ransomware. Therefore, if your PC does not have an antivirus application, make sure you install one. As extra protection, use HitmanPro.Alert. HitmanPro.Alert is a small security tool. It checks system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse the effects of ransomware.
First, go to the following link, then press the ‘Download’ button to download the latest version of HitmanPro.Alert.
When the download is complete, open the directory in which you saved it. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. Once the utility has started, you will be shown a window where you can choose a level of protection, like the one below.
Now click the Install button to activate the protection.
Final words
This guide was created to help all victims of Righ ransomware virus. We tried to answer the following questions: how to remove the ransomware; how to decrypt .righ files; how to recover files if the STOP (Righ) decryptor does not help; and what an online key and an offline key are. We hope that the information presented in this guide has helped you.
If you have questions, write to us by leaving a comment below. If you need more help with Righ-related issues, go here.