Roshalock Ransomware

What is Roshalock Ransomware?

If your PC does not have an anti-malware program installed on it, then it can be vulnerable to the likes of Roshalock Ransomware, a highly malicious program that can put your personal files in file archives protected by a password and then demand that you pay money for it. Yes, this program wants to extract money from you, and you should not comply because there is no evidence that the people that created this program actually send the password. Therefore, we suggest that you remove this program instead of paying the ransom which can vary in amount. To find out more about this ransomware, we invite you to read this whole article.

What does Roshalock Ransomware do?

Our cyber security experts have obtained a sample of Roshalock Ransomware and tested it. They found that this particular ransomware is very different from most ransomware in that it does not encrypt the files using an encryption algorithm. Instead, it puts the files in file archives and protects them with a password. You have to purchase the password from this ransomware’s developers. We do not know how much they ask initially, but we have received information that says that if you fail to pay the ransom within three days, the ransom is said to increase by 0.05 BTC.

Testing has shown that this particular ransomware can affect more than 2500 file formats, which means that it can lock the majority of your personal files. It puts all of the targeted files in file archives named All_Your_Documents.rar and places them in {Drive letter}:\All_Your_Documents\All_Your_Documents.rar. Once the archiving is completed, this ransomware will drop a ransom note named All Your Files in Archive! .txt, which is a simple text file that contains instructions on how to pay the ransom in English, French, Spanish, Italian, and German. It says that you have to get WinRAR and TOR browser and explains how to access the payment website and purchase the password to unlock the files. Again, there is no guarantee that you will receive the password, so we are of the opinion that you ought to delete the ransomware instead.
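The file artifacts described above can be checked for directly. The following triage script is an added example, not part of the original article or any vendor tool: it looks for the archive at the stated path under each drive root, confirms by file signature that it really is a RAR archive, and searches for the ransom note. The function names are hypothetical, and because the article does not say where the note is dropped, the script assumes it may be anywhere on the drive and tolerates whitespace differences in its name.

```python
import os
import string

# Artifact names taken from the article; everything else here is illustrative.
ARCHIVE_REL = os.path.join("All_Your_Documents", "All_Your_Documents.rar")
NOTE_PREFIX = "all your files in archive!"
RAR_MAGIC = b"Rar!\x1a\x07"  # leading bytes shared by RAR 4.x and RAR 5 signatures


def is_rar(path):
    """True if the file starts with the RAR signature (the extension alone proves nothing)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False


def is_ransom_note(name):
    """Match the note name, tolerating a stray space before '.txt' (assumption)."""
    low = name.lower()
    return low.startswith(NOTE_PREFIX) and low.endswith(".txt")


def scan_root(root):
    """Return findings for one drive root as (kind, path) tuples."""
    findings = []
    archive = os.path.join(root, ARCHIVE_REL)
    if os.path.isfile(archive):
        kind = "archive" if is_rar(archive) else "archive-name-only"
        findings.append((kind, archive))
    # The note location is not documented, so walk the whole tree.
    for dirpath, _dirs, files in os.walk(root):
        findings += [("note", os.path.join(dirpath, f)) for f in files if is_ransom_note(f)]
    return findings


def windows_roots():
    """Existing drive roots on Windows; an empty list on other systems."""
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]


if __name__ == "__main__":
    for root in windows_roots():
        for kind, path in scan_root(root):
            print(f"{kind}\t{path}")
```

A result of `archive-name-only` means a file with the expected name exists but does not carry a RAR signature, so it should be inspected rather than treated as confirmation.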

Where does Roshalock Ransomware come from?

Truth be told, there is not a lot of information on how this particular ransomware is being distributed. Researchers say that this ransomware was first spotted in February 2017 and since then it has been through several iterations. Researchers say that there are two versions of this ransomware and one of them is more sophisticated, being the newer one. Regardless, both of them are said to be disseminated through malicious emails that trick users into opening attached files that get your PC infected with this ransomware. The infection takes place silently and, in most cases, is successful, provided that the user does not have an anti-malware program on the PC to stop it. Furthermore, we have received information that Roshalock Ransomware could be distributed as some kind of file repairing tool, but the website that distributes it is unknown and the name under which it is promoted is a mystery as well.

How do I remove Roshalock Ransomware?

There is no doubt that Roshalock Ransomware is a dangerous computer infection. Testing has shown that it can lock many file formats, which means that this program can deny you access to your most valuable files. However, we do not recommend that you pay the ransom because you might not get the promised password. We, therefore, recommend that you remove this program using our guide, which involves using SpyHunter’s free scanner to detect the malicious executable.

Delete Roshalock Ransomware manually

  1. Visit http://www.anti-spyware-101.com/download-sph
  2. Download SpyHunter-Installer.exe and run it.
  3. Launch the program and click Scan Computer Now!
  4. Copy the file path of the executable file from the scan results.
  5. Simultaneously press Windows+E keys.
  6. Enter the file path in File Explorer’s address box and press Enter.
  7. Find and right-click the executable file and then click Delete.
  8. Empty the Recycle Bin.

Remove these Roshalock Ransomware Registry Entries:
