Roshalock Ransomware

What is Roshalock Ransomware?

If your PC does not have an anti-malware program installed, it can be vulnerable to the likes of Roshalock Ransomware, a highly malicious program that puts your personal files in password-protected file archives and then demands that you pay money for the password. Yes, this program wants to extract money from you, and you should not comply because there is no evidence that the people who created this program actually send the password. Therefore, we suggest that you remove this program instead of paying the ransom, which can vary in amount. To find out more about this ransomware, we invite you to read this whole article.

What does Roshalock Ransomware do?

Our cyber security experts have obtained a sample of Roshalock Ransomware and tested it. They found that this particular ransomware is very different from most ransomware in that it does not encrypt the files using an encryption algorithm. Instead, it puts the files in file archives and protects them with a password. You have to purchase the password from this ransomware’s developers. We do not know how much they ask initially, but we have received information that, if you fail to pay the ransom within three days, the ransom is said to increase by 0.05 BTC.

Testing has shown that this particular ransomware can affect more than 2500 file formats, which means that it can lock the majority of your personal files. It puts all of the targeted files in file archives named All_Your_Documents.rar and places them in {Drive letter}:\All_Your_Documents\All_Your_Documents.rar. Once the process is completed, this ransomware drops a ransom note named All Your Files in Archive! .txt, a simple text file that contains instructions on how to pay the ransom in English, French, Spanish, Italian, and German. It says that you have to get WinRAR and TOR browser and explains how to access the payment website and purchase the password to unlock the files. Again, there is no guarantee that you will receive the password, so we are of the opinion that you ought to delete the ransomware instead.
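The archive path and ransom note name given above can be checked for directly on a suspect machine. The following Python triage script is an added example, not part of the original article or of any vendor tool; its function names are illustrative, and it assumes the ransom note sits in the drive root or beside the archive, since the article does not say where the note is dropped.

```python
import re
import string
from pathlib import Path

ARCHIVE_DIR = "All_Your_Documents"       # folder name from the article
ARCHIVE_NAME = "All_Your_Documents.rar"  # archive name from the article
# Note name from the article; whitespace before ".txt" is optional here.
NOTE_RE = re.compile(r"^all your files in archive!\s*\.txt$", re.IGNORECASE)
RAR_MAGIC = b"Rar!\x1a\x07"              # prefix shared by RAR 4.x and 5.x signatures


def is_rar(path: Path) -> bool:
    """True if the file starts with the RAR signature, not just a .rar name."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False


def children(folder: Path) -> list:
    """List a folder's entries; an unreadable folder yields nothing."""
    try:
        return list(folder.iterdir())
    except OSError:
        return []


def scan_root(root: Path) -> dict:
    """Check one drive root for the archive and ransom note the article names."""
    found = {"root": str(root), "archives": [], "notes": []}
    folders = [root]
    for entry in children(root):
        if entry.is_dir() and entry.name.lower() == ARCHIVE_DIR.lower():
            folders.append(entry)
            for f in children(entry):
                if f.is_file() and f.name.lower() == ARCHIVE_NAME.lower():
                    found["archives"].append(
                        {"path": str(f), "rar_signature": is_rar(f)})
    # Assumption: the note is in the drive root or next to the archive.
    for folder in folders:
        found["notes"] += [str(f) for f in children(folder)
                           if f.is_file() and NOTE_RE.match(f.name)]
    return found


if __name__ == "__main__":
    # Scan every drive letter that exists on this Windows host.
    for letter in string.ascii_uppercase:
        drive = Path(f"{letter}:\\")
        if drive.exists():
            print(scan_root(drive))
```

A hit with `rar_signature` set to false means a file with the expected name exists but is not a RAR archive, which is worth a manual look before drawing conclusions.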

Where does Roshalock Ransomware come from?

Truth be told, there is not a lot of information on how this particular ransomware is being distributed. Researchers say that this ransomware was first spotted in February 2017 and that it has been through several iterations since then. Researchers say that there are two versions of this ransomware and that the newer one is more sophisticated. Regardless, both of them are said to be disseminated through malicious emails that trick users into opening attached files that infect the PC with this ransomware. The infection takes place silently and, in most cases, is successful, provided that the user does not have an anti-malware program on the PC to stop it. Furthermore, we have received information that Roshalock Ransomware could be distributed as some kind of file repairing tool, but the website that distributes it is unknown and the name under which it is promoted is a mystery as well.

How do I remove Roshalock Ransomware?

There is no doubt that Roshalock Ransomware is a dangerous computer infection. Testing has shown that it can lock many file formats, which means that this program can deny you access to your most valuable files. However, we do not recommend that you pay the ransom because you might not get the promised password. We, therefore, recommend that you remove this program using our guide, which involves using SpyHunter’s free scanner to detect the malicious executable.

Delete Roshalock Ransomware manually

  1. Visit http://www.anti-spyware-101.com/download-sph
  2. Download SpyHunter-Installer.exe and run it.
  3. Launch the program and click Scan Computer Now!
  4. Copy the file path of the executable file from the scan results.
  5. Simultaneously press Windows+E keys.
  6. Enter the file path in File Explorer’s address box and press Enter.
  7. Find and right-click the executable file and then click Delete.
  8. Empty the Recycle Bin.

Remove these Roshalock Ransomware Registry Entries:
