Roshalock Ransomware

What is Roshalock Ransomware?

If your PC does not have an anti-malware program installed on it, then it can be vulnerable to the likes of Roshalock Ransomware, a highly malicious program that can put your personal files in file archives protected by a password and then demand that you pay money for it. Yes, this program wants to extract money from you, and you should not comply because there is no evidence that the people that created this program actually send the password. Therefore, we suggest that you remove this program instead of paying the ransom which can vary in amount. To find out more about this ransomware, we invite you to read this whole article.

What does Roshalock Ransomware do?

Our cyber security experts have obtained a sample of Roshalock Ransomware and tested it. They found that this particular ransomware is very different from most ransomware in that it does not encrypt the files using an encryption algorithm. Instead, it puts the files in file archives and protects them with a password. You have to purchase the password from this ransomware’s developers. We do not know how much they ask initially, but we have received information that if you fail to pay the ransom within three days, the ransom increases by 0.05 BTC.

Testing has shown that this particular ransomware can affect more than 2500 file formats, which means that it can lock the majority of your personal files. It puts all of the targeted files in file archives named All_Your_Documents.rar and places them in {Drive letter}:\All_Your_Documents\All_Your_Documents.rar. Once the archiving is completed, this ransomware will drop a ransom note named All Your Files in Archive! .txt, which is a simple text file that contains instructions on how to pay the ransom in English, French, Spanish, Italian, and German. It says that you have to get WinRAR and TOR browser and explains how to access the payment website and purchase the password to unlock the files. Again, there is no guarantee that you will receive the password, so we are of the opinion that you ought to delete the ransomware instead.
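The archive path and note name above can be checked for directly during triage. The following is an added example, not part of the original article or any vendor tool: it looks for the archive under each drive root, confirms it really carries a RAR signature, and searches for the ransom note while tolerating spacing variants of its name. Where the note is dropped is not stated in the article, so searching the top levels of each root (`max_depth`) is an assumption.

```python
import os
import re
import string
import sys

# Names as given in the article; the note's location on disk is an assumption.
ARCHIVE_DIR = "All_Your_Documents"
ARCHIVE_NAME = "All_Your_Documents.rar"
NOTE_NAME = "All Your Files in Archive! .txt"
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")  # RAR 4.x, RAR 5


def squash(name):
    """Lower-case and drop whitespace so spacing variants of the note name match."""
    return re.sub(r"\s+", "", name).lower()


def is_rar(path):
    """True if the file starts with a RAR signature, whatever its extension."""
    try:
        with open(path, "rb") as fh:
            return fh.read(8).startswith(RAR_MAGICS)
    except OSError:
        return False


def scan_root(root, max_depth=2):
    """Return the archive and ransom-note paths found under one drive root."""
    hits = {"archives": [], "notes": []}
    candidate = os.path.join(root, ARCHIVE_DIR, ARCHIVE_NAME)
    if os.path.isfile(candidate) and is_rar(candidate):
        hits["archives"].append(candidate)
    base = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.rstrip(os.sep).count(os.sep) - base >= max_depth:
            dirnames[:] = []  # do not descend further than max_depth
        for name in filenames:
            if squash(name) == squash(NOTE_NAME):
                hits["notes"].append(os.path.join(dirpath, name))
    return hits


if __name__ == "__main__":
    # Default: every existing drive letter (Windows); or pass roots as arguments.
    roots = sys.argv[1:] or [f"{d}:\\" for d in string.ascii_uppercase
                             if os.path.exists(f"{d}:\\")]
    for root in roots:
        for kind, paths in scan_root(root).items():
            for p in paths:
                print(f"{kind[:-1]}: {p}")
```

A hit on the archive path tells you which drives were affected and where the locked copies of the files sit, which is worth recording before any cleanup.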

Where does Roshalock Ransomware come from?

Truth be told, there is not a lot of information on how this particular ransomware is being distributed. Researchers say that this ransomware was first spotted in February 2017 and since then it has been through several iterations. Researchers say that there are two versions of this ransomware and one of them is more sophisticated, being the newer one. Regardless, both of them are said to be disseminated through malicious emails that trick users into opening attached files that get the PC infected with this ransomware. The infection takes place silently and, in most cases, is successful, provided that the user does not have an anti-malware program on the PC to stop it. Furthermore, we have received information that Roshalock Ransomware could be distributed as some kind of file repairing tool, but the website that distributes it is unknown and the name under which it is promoted is a mystery as well.

How do I remove Roshalock Ransomware?

There is no doubt that Roshalock Ransomware is a dangerous computer infection. Testing has shown that it can lock many file formats, which means that this program can deny you access to your most valuable files. However, we do not recommend that you pay the ransom because you might not get the promised password. We, therefore, recommend that you remove this program using our guide, which involves using SpyHunter’s free scanner to detect the malicious executable.

Delete Roshalock Ransomware manually

  1. Visit http://www.anti-spyware-101.com/download-sph
  2. Download SpyHunter-Installer.exe and run it.
  3. Launch the program and click Scan Computer Now!
  4. Copy the file path of the executable file from the scan results.
  5. Simultaneously press Windows+E keys.
  6. Enter the file path in File Explorer’s address box and press Enter.
  7. Find and right-click the executable file and then click Delete.
  8. Empty the Recycle Bin.

Remove these Roshalock Ransomware Registry Entries:
