Radiant Group Ransomware

How to Decrypt Radiant Group Ransomware (.radiant) Encrypted Files?

Our Radiant Decryptor — Expertly Designed for Secure Restoration

Our cybersecurity analysts have developed a dedicated decryptor and recovery protocol for the Radiant Group ransomware, an active crypto-extortion syndicate identified in September 2025. Radiant employs hybrid AES and RSA encryption and engages in multi-level extortion, combining encryption, data leaks, and reputational damage campaigns to pressure victims.

The decryptor has been created to:

  • Safely analyze encrypted files and logs in a sandboxed environment;
  • Identify the Radiant variant, encryption pattern, and victim-specific identifiers; and
  • Restore locked data through a validated decryption sequence while maintaining forensic logs and recovery transparency.

Our decryptor supports both cloud-assisted and offline/air-gapped execution. Each run initiates with read-only integrity verification, ensuring no data alteration before validation or recovery begins.



How Does the Radiant Decryptor Work?

When victims provide ransom notes and encrypted samples, our decryptor performs algorithmic fingerprinting — examining file structures, AES key wrapping, and RSA header markers to identify variant-specific key sets. If the encryption scheme corresponds with documented Radiant patterns, a Proof-of-Concept (PoC) decryption is attempted on a few test files.

Upon successful validation, we initiate the full decryption process, producing step-by-step reports suitable for compliance, cyber-insurance claims, and legal proceedings.

Requirements for operation:

  • Original ransom note or extortion message (often includes a TOR link)
  • Two to five encrypted file samples (copies only)
  • Administrator access on a secure recovery environment
  • Optional internet access for cloud-based key verification (offline recovery available)



Immediate Response Plan After a Radiant Attack

  1. Isolate compromised systems immediately. Disconnect all affected machines from networks, VPNs, and shared drives to prevent further encryption or data exfiltration.
  2. Preserve evidence. Keep encrypted files and ransom notes exactly as found; do not rename, delete, or modify them.
  3. Capture system memory and collect logs. Memory dumps, firewall activity, and endpoint telemetry can reveal command-and-control (C2) connections or keys in memory.
  4. Avoid contact with attackers. Radiant communicates through Tox IDs or TOR portals — do not engage directly.
  5. Engage cybersecurity experts. Contact your IR team or a professional decryptor service before taking any restoration steps.

File Recovery and Decryption Options

Free Recovery Methods

Backup Restoration
Restoring from immutable or offline backups remains the safest recovery path. Verify backup integrity using checksum comparisons or isolated mounts. Radiant variants are known to delete shadow copies and target mapped drives.

VM Snapshot Reversion
If virtual environments (VMware, Hyper-V) exist, revert to clean snapshots created before the incident. Always verify snapshot authenticity before restoration.


Paid or Professional Solutions

Analyst-Guided Decryptor Service
Our team performs a Proof-of-Concept (PoC) decryption to confirm compatibility before full-scale recovery. Every action is logged for compliance and forensic review.

Ransom Payment (not recommended)
While some victims pay under pressure, there is no guarantee of receiving a working decryptor or stopping data leaks. Payment may violate legal or regulatory frameworks, especially where stolen data is involved. Always consult legal counsel before any transaction.


How to Use Our Radiant Decryptor — Step-by-Step?

Assess the Infection
Confirm the presence of encrypted files and ransom instructions referencing Radiant Group or the TOR portal
http://trfqksm6peaeyz4q6egxbij5n2ih6zrg65of4kwasrejc7hnw2jtxryd.onion.

Secure the Environment
Disconnect impacted systems and disable administrative shares, RDP sessions, or backup syncs.

Engage Our Recovery Team
Send encrypted samples and ransom notes to our secure intake. We’ll analyze and identify the encryption variant before delivering an estimated recovery plan.

Run Our Decryptor
Launch the Radiant Decryptor as an administrator. For cloud-assisted mode, ensure a secure internet connection is available; offline kits are provided for isolated networks.

Enter Victim ID or Case Token
Radiant’s extortion page or note typically includes an identifier (for example, FCE5078C3A0A2609DB79C4F1516DA0B11A6F48FC96C9E01BAC0D48A4DDB2A309F20DD0D295B2). Enter this token to map your unique case.

Start the Decryption Process
Begin restoration and allow the tool to recover your data. Integrity logs and before/after verification reports are generated automatically.



Understanding Radiant Group Ransomware

Overview
Radiant Group operates as a crypto-ransomware and data-extortion syndicate, active since September 2025. It targets corporate entities, encrypting data and leveraging public leaks and reputational blackmail to maximize ransom compliance.

Encryption Model
Radiant uses a dual-key encryption system: AES for file content and RSA for AES key protection, ensuring strong encryption resistant to brute-force recovery.

Behavior and Extortion Strategy
After infiltration, Radiant exfiltrates sensitive documents, databases, and customer records. Victims then receive a ransom note with a TOR site link or a Tox ID for negotiation. The group employs double extortion, threatening to leak or sell stolen data if payments are delayed.

Extortion Techniques Include:

  • Direct monetary ransom demands
  • Public data leaks (“Free Data” claims)
  • Denial-of-service (DoS) attacks
  • Media and investor exposure
  • Regulator complaints and SEO reputation damage

Radiant’s Known Infrastructure

TOR Leak Site:
http://trfqksm6peaeyz4q6egxbij5n2ih6zrg65of4kwasrejc7hnw2jtxryd.onion

Communication Channel:
Tox ID — FCE5078C3A0A2609DB79C4F1516DA0B11A6F48FC96C9E01BAC0D48A4DDB2A309F20DD0D295B2

Observed Victim:

  • Sector: Education
  • Country: United Kingdom
  • Extortion Date: September 24, 2025

Extortion Type:
Radiant uses double extortion, combining encryption with threats of public disclosure and legal manipulation.


IOCs, Detections & Technical Indicators

File Extensions: vary by victim; .locked, .radiant, or an appended numeric ID.
Ransom Note: Typically HTML or TXT with TOR and Tox contact info.
Encryption Algorithms: AES-256, RSA-2048.
Detected by Vendors:

  • BitDefender → Gen:Variant.Ransom.Radiant.A
  • ESET → MSIL/Filecoder.HiddenTear.Radiant
  • Kaspersky → Trojan-Ransom.Win32.RadiantGroup.gen
  • Microsoft → Ransom:Win64/RadiantCrypt.A!MTB
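As an added example (not code from this page or from the decryptor service it describes), the following defender-side triage script applies the indicators listed above, the reported extensions, the leak-site address and the Tox ID, to a constructed set of sample files so an incident responder can inventory ransom notes and likely-encrypted files without modifying evidence; the entropy threshold and the numeric-ID suffix pattern are assumptions, not documented Radiant behaviour.

```python
import math
import re
from collections import Counter

# Indicators quoted on this page: the Radiant leak site and the Tox contact ID.
RADIANT_ONION = "trfqksm6peaeyz4q6egxbij5n2ih6zrg65of4kwasrejc7hnw2jtxryd.onion"
RADIANT_TOX_ID = "FCE5078C3A0A2609DB79C4F1516DA0B11A6F48FC96C9E01BAC0D48A4DDB2A309F20DD0D295B2"
# Extensions reported on the page; an appended numeric ID is matched by the regex (assumed shape).
ENCRYPTED_EXTENSIONS = (".locked", ".radiant")
NUMERIC_ID_SUFFIX = re.compile(r"\.[0-9]{4,}$")
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above which content looks like ciphertext

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample: close to 8.0 for ciphertext, well below for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_ransom_note(data: bytes) -> bool:
    """A note is any readable file quoting the leak site or the Tox ID."""
    text = data.decode("utf-8", errors="ignore")
    return RADIANT_ONION in text or RADIANT_TOX_ID in text

def classify_file(name: str, data: bytes) -> dict:
    """Tag one file for the evidence inventory; reads only, never modifies (preserve evidence)."""
    lower = name.lower()
    suspicious_ext = lower.endswith(ENCRYPTED_EXTENSIONS) or bool(NUMERIC_ID_SUFFIX.search(lower))
    entropy = shannon_entropy(data)
    return {
        "name": name,
        "ransom_note": is_ransom_note(data),
        "suspicious_extension": suspicious_ext,
        "entropy": round(entropy, 2),
        "likely_encrypted": suspicious_ext and entropy >= ENTROPY_THRESHOLD,
    }

def triage(samples: dict) -> list:
    """Classify a {filename: bytes} mapping and return the findings worth escalating."""
    return [r for r in (classify_file(n, d) for n, d in samples.items())
            if r["ransom_note"] or r["likely_encrypted"]]

# Constructed sample set (not real victim data): a ransom note, an encrypted file whose
# uniform byte distribution stands in for AES output, and an untouched document.
SAMPLES = {
    "README_RADIANT.txt": ("Your files are encrypted. Contact us at http://" + RADIANT_ONION
                           + " or Tox " + RADIANT_TOX_ID).encode(),
    "report.docx.radiant": bytes(range(256)) * 16,
    "invoice.pdf": b"%PDF-1.4 plain text body " * 50,
}
```

Running `triage(SAMPLES)` returns the note and the .radiant file and leaves the clean PDF out; point it at copies of real samples only, never at the originals.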

Known Tactics:

  • Exploiting unpatched systems and RDP vulnerabilities
  • Email-based phishing campaigns
  • Supply-chain attacks targeting vendors and MSPs
  • Use of leaked credentials and botnet delivery

Tactics, Techniques & Procedures (TTPs)

  • Initial Access: Credential theft, spear-phishing, and RDP compromise.
  • Execution: Deployment of AES/RSA encryptor binaries via scripts or service exploits.
  • Persistence: Scheduled tasks and service manipulation.
  • Defense Evasion: Deletion of shadow copies and event logs, disabling antivirus.
  • Exfiltration: Sensitive data transfer to remote servers or TOR networks.
  • Impact: Encrypted systems, leaked data, and reputational harm to the organization.

Victim Landscape — Regions & Industry Impact

[Figures: Geographical Reach; Industries Most Affected; Timeline of Operations]


Conclusion — Secure Response, Forensic Recovery, and Resilience

Radiant Group ransomware represents a high-impact, financially motivated operation that blends encryption with multi-channel extortion. Victims should:

  • Isolate infected systems immediately and preserve all digital evidence.
  • Work with verified decryption services offering PoC-based recovery.
  • Avoid direct contact with extortion channels (Tox or TOR).
  • Rebuild resilience via patching, access segmentation, immutable backups, and employee awareness training.

Preventative actions remain the best defense: maintain offline backups, enable MFA for RDP, monitor external exposure, and establish an incident response plan.


Frequently Asked Questions

No. As of now, there are no publicly released decryptors for Radiant.

Through phishing, credential theft, supply-chain compromise, and remote service exploitation.

It uses AES-256 with RSA-2048 — cryptographically secure unless the attackers make key generation errors.

Disconnect infected machines, preserve ransom notes and logs, and contact an incident-response specialist.

Yes. The group runs a TOR-based leak site where it publishes samples and full data dumps from non-paying victims.

Patch known vulnerabilities, enforce MFA, segment networks, use endpoint protection, and maintain offline backups.


Contact Us To Purchase The Radiant Group Decryptor Tool
