Rozalocker Ransomware

What is Rozalocker Ransomware?

Rozalocker Ransomware is a new dangerous threat whose entrance results in the encryption of personal files. Unfortunately, at the time of writing, it is impossible to decrypt those files without the special decryption key. Cyber criminals behind this ransomware infection, of course, give users an offer to purchase this key and get files back. Judging from the language used by this malicious application, it targets Russian-speaking users mainly, so it does not surprise us at all that the majority of victims live in Russia. No matter where you live, you will discover that it is impossible to access personal files, e.g. documents, pictures, videos, and music files if Rozalocker Ransomware successfully enters the computer. Purchasing the decryption key is not a good solution to the problem even if extremely important files have been locked and you need to get them back badly. What users surely need to do is to go to delete Rozalocker Ransomware fully.

What does Rozalocker Ransomware do?

The entrance of Rozalocker Ransomware means that you could no longer access pictures, documents, and a bunch of other files. You could no longer do that because this malicious application encrypts them all by appending the new filename extension .enc (e.g. wallpaper.jpg.enc) to every encrypted file. Once all files are locked, a ReadMe.txt file is dropped on the computer. It is a ransom note which informs users about the condition of their files and tells what to do to unlock them. It becomes clear after reading this ransom note that Rozalocker Ransomware does not differ at all from other ransomware infections – it also seeks to obtain money from users. The ransom note inside the .txt file tells users that the ransom of 10 000 Rubles (approximately $169) has to be transferred in Bitcoins within 6 hours. If we believe this message completely, it is the only way to get the key for unlocking personal files. Last but not least, this infection also modifies the Hosts file. Specifically speaking, it adds a list of Russian websites, e.g. vk.com, free.drweb.ru, ok.ru, and others with the intention of blocking them for users. Users could not open any of these pages until they remove the ransomware infection fully from their computers and then fix the Hosts file modified by this infection.

Even though Rozalocker Ransomware tries to convince you that the only way to decrypt files having the .enc filename extension is to pay the required money, do not rush to do that. It is not advisable to send cyber criminals money because they might not give you anything in return. Also, specialists say that there might be other ways to unlock files. For example, specialists should develop the decryption tool sooner or later, so go to delete Rozalocker Ransomware but do not remove those important files yet. Users should also try out all free data recovery tools available. Theoretically, it should be possible to recover some files with their help if this infection has not deleted Shadow Volume Copies of those encrypted files. Finally, if none of these methods work, files can be recovered from a backup. It is, unfortunately, impossible to do that if you have never backed up your files before.

Where does Rozalocker Ransomware come from?

There is not so much information about the Rozalocker Ransomware distribution available, but, in the opinion of our researchers, it must also be spread as an attachment in spam emails. Undoubtedly, users are not informed in advance that malicious software will end up on their PCs if they open a certain spam email and download its attachment. As a consequence, they fearlessly open the attachment they see, especially if it looks like a harmless document and, consequently, allow a ransomware-type threat to show up on the computer and start working on it. Although this is a commonly-used distribution method of ransomware, it does not mean that it is the only one. Specialists say that these file-encrypting threats might be spread in a different way too, e.g. other malicious applications active on computers might help them to enter systems.

How do I delete Rozalocker Ransomware?

It does not really matter what you decide, i.e. to pay the ransom or not, you still need to fully erase Rozalocker Ransomware from your PC. This computer infection does not block any system utilities and does not place a screen-locking window on Desktop, so it should be possible to fully remove it by finding and deleting the suspicious recently opened file. One of the places it might be located in is the Downloads folder (%USERPROFILE%\Downloads), so go to check it first. After deleting it, fix the Hosts file if you wish to be able to open all the websites you want. Use the step-by-step instructions prepared by specialists at anti-spyware-101.com (see below this paragraph) or launch a reputable scanner SpyHunter. It will not only delete Rozalocker Ransomware for you, but will also undo the changes in the Hosts file automatically.

Remove Rozalocker Ransomware manually

1. Open the Windows Explorer (press Win+E).
2. Locate the suspicious file opened recently. It should be located in %USERPROFILE%\Downloads or %USERPROFILE%\Desktop.
3. Delete it.
4. Remove the ReadMe.txt file containing the ransom note.
5. Empty the Recycle bin and go to fix the Hosts file.

Modify your Hosts file

Windows XP

1. Click Start.
2. Select All Programs and open Accessories.
3. Click Notepad to open it.
4. Click File at the top and select Open.
5. In the File name field at the bottom type the following path: C:\Windows\System32\Drivers\etc\hosts and click Open.
6. Remove the list of Russian websites added by ransomware.
7. Click File at the top and select Save.

Windows 7/Vista

1. Open the Start menu.
2. Click All Programs and select Accessories.
3. Right-click on Notepad and then select Run as administrator.
4. Click Continue.
5. When Notepad is opened, click File at the top and click Open.
6. In the File name filed enter C:\Windows\System32\Drivers\etc\hosts and click Open.
7. Delete Russian websites placed there.
8. Save the changes (click File and select Save).

Windows 8/8.1/10

1. Press the Windows key.
2. Type Notepad in the search box and right-click on Notepad.
3. Select Run as administrator.
4. Click File and select Open.
5. Type c:\Windows\System32\Drivers\etc\hosts in the File name field and click Open.
6. Delete websites you no longer want to be blocked.
7. Click File.
8. Select Save to save the changes.

Download Removal Tool100% FREE spyware scan and
tested removal of Rozalocker Ransomware*