RSAUtil targets Windows OS and is distributed via Remote Desktop Protocol (RDP) compromise. Once the hacker has gained remote access to the compromised system, he uploads a package of files that includes the following:


  • æ«ídG¿n_«t¿ßG¿G8.cmd - a CMD file used to clear all of the event logs on the compromised system to eliminate evidence
  • config.cfg - a configuration file used to determine whether the system was previously compromised, choose what victim ID to use for the infection, the name of the ransom note, the encrypted file name extension, and the public encryption key
  • DontSleep_x64.exe and DontSleep_x64.ini - prevents the infected system from sleeping or hibernating
  • How_return_files.txt - the ransom note that is dropped in every folder containing encrypted files
  • Image.jpg - used to replace the desktop background image
  • NE SPAT.bat - batch file used to configure remote desktop services and prevent the hacker from being disconnected when idle
  • svchosts.exe - the ransomware executable that launches the encryption process

If Finish is set to 0 in the config.cfg file and the ransomware executable is launched, RSAUtil will scan the compromised system's mapped and unmapped network shares, as well as any folders residing on the system, and encrypt the targeted files. Once the encryption process is complete, RSAUtil will display a ransom note with payment instructions for the victim.
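The file names in the package list above can be used for host triage. The following is an added example, not code from NJCCIC or Bleeping Computer: it flags folders where several of the listed files co-occur (a likely staging folder) and lists folders holding the ransom note, which the profile says is dropped wherever files were encrypted. The `min_hits` threshold, the `GENERIC` set, and the sample tree are assumptions made for the illustration.

```python
import os
import tempfile

# Names from the package list above, lower-cased for case-insensitive matching.
# The .cmd log-clearing script is omitted: its name is garbled on the page.
PACKAGE = {"config.cfg", "dontsleep_x64.exe", "dontsleep_x64.ini",
           "how_return_files.txt", "image.jpg", "ne spat.bat", "svchosts.exe"}
GENERIC = {"config.cfg", "image.jpg"}   # assumption: too common to count alone
NOTE = "how_return_files.txt"

def triage(root, min_hits=3):
    """Return (staging, note_dirs) for the tree under root.

    staging:   {dir: [matched names]} where at least min_hits package files
               co-occur and at least one of them is not a generic name.
    note_dirs: dirs holding the ransom note, i.e. folders with encrypted files.
    """
    staging, note_dirs = {}, []
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted({f.lower() for f in files} & PACKAGE)
        if NOTE in hits:
            note_dirs.append(dirpath)
        if len(hits) >= min_hits and set(hits) - GENERIC:
            staging[dirpath] = hits
    return staging, sorted(note_dirs)

def build_sample(root):
    """Constructed tree: one staging folder, one encrypted share, one benign app."""
    layout = {
        "Users/admin/Desktop/pkg": ["config.cfg", "DontSleep_x64.exe",
                                    "DontSleep_x64.ini", "How_return_files.txt",
                                    "Image.jpg", "NE SPAT.bat", "svchosts.exe"],
        "Shares/finance": ["How_return_files.txt", "report.docx.PLACEHOLDER-EXT"],
        "Apps/viewer": ["config.cfg", "Image.jpg"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        for name in names:
            open(os.path.join(root, rel, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        staging, notes = triage(tmp)
        for folder, hits in staging.items():
            print("possible staging folder:", folder, hits)
        print("folders containing the ransom note:", len(notes))
```

The count of ransom-note folders gives a quick estimate of how far encryption spread across local folders and mounted shares.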

Extensions appended to encrypted file names:

Ransom note file names:

Email addresses associated with RSAUtil:

  • Bleeping Computer provides more information about RSAUtil here.
  • The NJCCIC is not currently aware of any free decryption tools available for RSAUtil.


Image Source: Bleeping Computer