The author of the Radamant ransomware kit has insulted the researcher responsible for creating a decryption tool in some of the malware’s new embedded strings.
After identifying their infected files by tracing the use of the “.RDM” file extension, users can download the tool, run it, complete the licensing agreement, select the infected files, and click “Decrypt”.
The decryption process ranges in duration from a few minutes to more than a day depending on how many files have been encrypted.
Shortly thereafter, the malware’s author came out with a second version that encrypts files using the “.RKK” extension.
But that’s not all that changed. Lawrence Abrams of Bleeping Computer reports that the developer also voiced his displeasure against Wosar and EmsiSoft in some of the ransomware’s core features.
For example, the embedded strings “ThisForHipFabianWosarANDF*CKYOU”, “emisoft.f*ckedbastardsihateyou”, and “radamantv2_emisoft_f*cked” appear in the malware executables. Additionally, the author changed the domain name of one of the command and control (C&C) servers to “emisoftsucked.top”.
Far from displeased, however, Wosar has taken the revisions as a compliment:
“I am not really sure how things work in your circles, but in my circles getting insulted by malware authors is considered the highest kind of accolade someone can get, so thank you very much for that,” he explained . “Just next time, please try to get the company name right. But it’s a common mistake, so I let that one slide.”
Wosar released a revised decryption tool just two days after the Radamant developer published the second version of his ransomware. That has not stopped the malware’s author from offering his product as a ransomware-as-a-service (RaaS) and from reportedly working on a third version. Even so, at 0-2 Wosar, the prospects for Radamant are looking bleak indeed.
To learn how you can protect yourself against Radamant and other forms of ransomware, please clickhere.