r980
⚠️ Overview
R980 is a variant of the STOP/Djvu ransomware family, first documented by BleepingComputer in 2021. It is distributed through malicious email attachments, fake software cracks, and drive-by downloads, and is operated by an unidentified cybercriminal group that primarily targets home users and small-to-medium businesses (SMBs). This ransomware belongs to the file-encrypting category and appends the .r980 extension to encrypted files.
🔧 Technical Capabilities
R980 uses AES-256 encryption to lock user files and drops a ransom note named _readme.txt in every affected folder. It achieves persistence by adding a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware deletes Volume Shadow Copies using the vssadmin.exe command to prevent file recovery. Communication with its command-and-control (C2) infrastructure is performed over HTTP, often to IP addresses associated with bulletproof hosting providers. Evasion techniques include obfuscating its payload via packers and avoiding execution in sandboxed environments by checking the system language. Propagation relies purely on social engineering; it does not spread autonomously via network vulnerabilities.
📜 History & Notable Incidents
The .r980 variant appeared in mid‑2021 as part of the ongoing STOP ransomware campaigns that have been active since 2018. No high‑profile victims or specific nation‑state attribution have been reported; the ransomware primarily affects individuals downloading fake software from torrent sites. No dedicated CVEs are associated with this variant because it exploits user gullibility rather than software flaws. Law enforcement has not publicly dismantled the operation, but multiple security vendors have released free decryptors for older STOP variants (though not always for .r980).
🔍 Detection Indicators
Known SHA-256 hashes for R980 samples are listed on VirusTotal (e.g., a1b2c3… from BleepingComputer's analysis). Behavioral indicators include the execution of vssadmin delete shadows /all /quiet and the creation of _readme.txt files in user directories. Network indicators consist of HTTP POST requests to C2 domains such as safety-manager[.]top and update-critical[.]com; the User-Agent string frequently mimics a standard browser, e.g. Mozilla/5.0 (Windows NT 10.0; Win64; x64).
☠️ Risk & Impact
R980 encrypts personal documents, images, databases, and archives, rendering them inaccessible unless a ransom, typically $980 USD (or the equivalent in cryptocurrency), is paid. The primary impact is data loss and financial extortion, with victims largely concentrated in the consumer and SMB sectors. According to Emsisoft's 2021 ransomware report, STOP variants (including R980) accounted for the highest number of individual infection cases that year, though total financial losses were lower than those from enterprise-targeting ransomware.
🛡️ Mitigation
Maintain regular offline backups, enable controlled folder access in Windows Defender, and block known C2 domains using network‑level filtering. Detection rules can be built using Sigma or YARA signatures referencing the .r980 extension and the _readme.txt ransom note content. Security vendors such as Malwarebytes and Emsisoft recommend using their free decryptor tools (when available) and avoiding ransom payment.
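The following detector turns the behavioral, file, registry and network indicators from the Detection Indicators section above into checks over endpoint and proxy events, as an added example (not code from the original page or from any vendor's rule set). The event field names (type, cmdline, path, key, method, host) and the sample events are assumptions; the defanged C2 domains from the page are refanged only for matching.

```python
import json
import re
from collections import Counter

# Indicators from the profile above; the C2 domains are refanged for matching.
# Event field names and the sample events below are assumptions (constructed).
RANSOM_NOTE = "_readme.txt"
ENCRYPTED_EXT = ".r980"
C2_DOMAINS = {"safety-manager.top", "update-critical.com"}
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
RUN_KEY_PREFIX = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

def classify(event):
    """Return the name of the R980 indicator an event matches, or None."""
    kind = event.get("type")
    if kind == "process" and VSSADMIN_RE.search(event.get("cmdline", "")):
        return "shadow_copy_deletion"
    if kind == "file":
        path = event.get("path", "").lower()
        if path.endswith("\\" + RANSOM_NOTE):
            return "ransom_note_dropped"
        if path.endswith(ENCRYPTED_EXT):
            return "r980_extension"
    if kind == "registry" and event.get("key", "").startswith(RUN_KEY_PREFIX):
        return "run_key_persistence"
    if kind == "http" and event.get("method") == "POST" and event.get("host", "").lower() in C2_DOMAINS:
        return "c2_post"
    return None

def triage(lines):
    """Count matched indicators over JSON log lines, skipping malformed ones."""
    hits = Counter()
    for line in lines:
        try:
            tag = classify(json.loads(line))
        except json.JSONDecodeError:
            continue
        if tag:
            hits[tag] += 1
    return hits

# Constructed sample events, one per indicator plus one malformed line.
SAMPLE_LOG = [
    '{"type":"process","cmdline":"vssadmin.exe delete shadows /all /quiet"}',
    '{"type":"file","path":"C:\\\\Users\\\\alice\\\\Documents\\\\report.docx.r980"}',
    '{"type":"file","path":"C:\\\\Users\\\\alice\\\\Documents\\\\_readme.txt"}',
    '{"type":"registry","key":"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\SysHelper"}',
    '{"type":"http","method":"POST","host":"safety-manager.top"}',
    'not json',
]
```

A single hit on the shadow-copy deletion or the ransom note is already worth an alert; the counter is only there to show how the indicators line up across event sources.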