RRBB ransomware encrypts users’ files. It appends the .rrbb extension to filenames. A ransom note named _readme.txt is produced in every folder with encrypted files.
Encrypted files cannot be decrypted. However, recovery may be possible using PhotoRec and ShadowExplorer, tools designed to find and recover lost data.
RRBB belongs to the Djvu ransomware family. It encrypts files such as documents, videos, and images. For example, “1.jpg” becomes “1.jpg.rrbb”.
RRBB encrypts only the first 150KB of each file, so you may be able to run large files like video or music without decryption.
When a system is first infected, RRBB scans for images, videos, and documents (.doc, .docx, .xls, .pdf) to encrypt. It adds a unique string of characters to each encrypted file’s extension. For example, “image.jpg” becomes “image.jpg.RRBB”.
A decryption instruction file, DECRYPT-FILES.txt, is placed on the Windows desktop. In most cases, files cannot be recovered without paying the ransom.
RRBB runs automatically on startup. It hides files in system folders to avoid detection. Infected programs cannot open encrypted files.
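The file markers described above (the .rrbb extension, the ransom note names, and the 150KB encrypted prefix) are enough to take a read-only inventory of an affected folder before attempting recovery. The following Python script is an added example, not code from the original page; the function names, the report layout, and the sample directory tree are constructed for illustration, and it assumes everything past the first 150KB of a file is untouched, as the page states.

```python
import os
import tempfile

ENCRYPTED_EXT = ".rrbb"                             # extension named on the page
NOTE_NAMES = {"_readme.txt", "decrypt-files.txt"}   # note names from the page, lower-cased
ENCRYPTED_PREFIX = 150 * 1024                       # page: only the first 150KB is encrypted


def triage(root):
    """Walk `root` and inventory ransom notes and .rrbb files without modifying anything."""
    report = {"notes": [], "encrypted": [], "partly_intact": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            lower = name.lower()            # the page shows both .rrbb and .RRBB
            if lower in NOTE_NAMES:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                report["encrypted"].append(path)
                try:
                    size = os.path.getsize(path)
                except OSError:             # unreadable or removed mid-scan
                    continue
                if size > ENCRYPTED_PREFIX:
                    # Assumption: bytes past the first 150KB are untouched.
                    report["partly_intact"].append((path, size - ENCRYPTED_PREFIX))
    for key in report:
        report[key].sort()
    return report


def build_sample_tree(root):
    """Create a constructed directory tree that mimics the artefacts described above."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    samples = {
        os.path.join(root, "_readme.txt"): 100,
        os.path.join(docs, "_readme.txt"): 100,
        os.path.join(docs, "1.jpg.rrbb"): 20 * 1024,        # smaller than 150KB
        os.path.join(docs, "movie.mp4.RRBB"): 400 * 1024,   # larger than 150KB
        os.path.join(docs, "notes.txt"): 10,                # untouched file
    }
    for path, size in samples.items():
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for key, items in triage(tmp).items():
            print(key, len(items))
```

Run it against a copy or a read-only mount of the affected volume; the `partly_intact` list gives each large file with the number of trailing bytes that fall outside the encrypted prefix.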