R980 targets Windows OS and is distributed via compromised websites and email attachments containing malicious macros. It uses both AES-256 and RSA-4096 encryption algorithms to encrypt 151 targeted file types. R980 appends .crypt to encrypted file names. It creates a registry key to maintain persistence and connects to its C2 server to retrieve a custom Bitcoin address for payment. The attacker uses disposable Mailinator email addresses to communicate with victims. The ransom payment demand for R980 is currently unknown.

  • Trend Micro provides more information about R980 here.
  • The NJCCIC is not currently aware of any decryption tool available for R980.

One example of the R980 variant. Image Source: Trend Micro
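
For detection, the one file-system indicator this profile gives is the .crypt suffix appended to file names. The following is an added example, not code from the NJCCIC or Trend Micro: it flags any process that appends .crypt to many files in a short window. The event layout (time, pid, old path, new path), the 60-second window, the threshold of 5 and the sample events are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed rename telemetry: time, pid, old path, new path.
# Events for each pid are assumed to arrive in time order.
SAMPLE_EVENTS = r"""
2024-01-01T09:00:01,4120,C:\Users\a\Docs\q1.xlsx,C:\Users\a\Docs\q1.xlsx.crypt
2024-01-01T09:00:03,4120,C:\Users\a\Docs\q2.xlsx,C:\Users\a\Docs\q2.xlsx.crypt
2024-01-01T09:00:05,4120,C:\Users\a\Docs\cv.docx,C:\Users\a\Docs\cv.docx.crypt
2024-01-01T09:00:07,4120,C:\Users\a\Pics\dog.jpg,C:\Users\a\Pics\dog.jpg.crypt
2024-01-01T09:00:09,4120,C:\Users\a\Pics\cat.jpg,C:\Users\a\Pics\cat.jpg.crypt
2024-01-01T09:00:13,4120,C:\Users\a\Docs\tax.pdf,C:\Users\a\Docs\tax.pdf.crypt
2024-01-01T09:01:00,812,C:\Users\a\Docs\key.bin,C:\Users\a\Docs\key.bin.crypt
2024-01-01T09:02:00,2044,C:\Users\a\Docs\rpt.docx,C:\Users\a\Docs\rpt_v2.docx
2024-01-01T09:02:30,2044,C:\Users\a\Docs\notes.txt,C:\Users\a\Docs\notes.crypt
2024-01-01T09:10:00,990,D:\bak\a.db,D:\bak\a.db.crypt
2024-01-01T09:12:00,990,D:\bak\b.db,D:\bak\b.db.crypt
2024-01-01T09:14:00,990,D:\bak\c.db,D:\bak\c.db.crypt
2024-01-01T09:16:00,990,D:\bak\d.db,D:\bak\d.db.crypt
2024-01-01T09:18:00,990,D:\bak\e.db,D:\bak\e.db.crypt
"""

SUFFIX = ".crypt"  # the only indicator taken from the profile


def is_crypt_append(old, new):
    """True when the new name is the old name with .crypt appended."""
    return new.lower() == old.lower() + SUFFIX


def find_crypt_bursts(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {pid: peak count} for processes that append .crypt to at
    least `threshold` files within `window` (both values are assumptions)."""
    recent = defaultdict(deque)  # pid -> times of matching renames in window
    peaks = {}
    for ts, pid, old, new in csv.reader(io.StringIO(log_text.strip())):
        if not is_crypt_append(old, new):
            continue  # ordinary rename, or extension replaced rather than appended
        when = datetime.fromisoformat(ts)
        q = recent[int(pid)]
        q.append(when)
        while when - q[0] > window:  # drop renames older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[int(pid)] = max(peaks.get(int(pid), 0), len(q))
    return peaks
```

On the constructed sample only pid 4120 is reported; the single .crypt rename by pid 812 and the slow series by pid 990 stay below the threshold, which keeps a lone file that legitimately ends in .crypt from raising an alert.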