Roshalock Ransomware

What is Roshalock Ransomware?

If your PC does not have an anti-malware program installed on it, then it can be vulnerable to the likes of Roshalock Ransomware, a highly malicious program that can put your personal files in file archives protected by a password and then demand that you pay money for it. Yes, this program wants to extract money from you, and you should not comply because there is no evidence that the people that created this program actually send the password. Therefore, we suggest that you remove this program instead of paying the ransom which can vary in amount. To find out more about this ransomware, we invite you to read this whole article.

What does Roshalock Ransomware do?

Our cyber security experts have obtained a sample of Roshalock Ransomware and tested it. They found that this particular ransomware is very different from most ransomware in that it does not encrypt the files using an encryption algorithm. Instead, it puts the files in file archives and puts on a password. You have to purchase the password from this ransomware’s developers. We do not know how much they ask initially, but we have received information that says that if you fail to pay the ransom within three days, the ransom is said to increase by 0.05 BTC.

Testing has shown that this particular ransomware can affect more than 2500 file formats which means that it can lock the majority of your personal files. It puts all of the targeted files in file archives named All_Your_Documents.rar and places them in {Drive letter}:\All_Your_Documents\All_Your_Documents.rar. Once the encryption is completed, this ransomware will drop a ransom note named All Your Files in Archive! .txt which is a simple text file that contains instruction on how to pay the ransom in English, French, Spanish, Italian, and German. It says that you have to get WinRAR and TOR browser and explains how to access the payment website and purchase the password to unlock the files. Again, there is no guarantee that you will receive the password, so we are of the opinion that you ought to delete it instead.

Where does Roshalock Ransomware come from?

Truth be told, there is not a lot of information on how this particular ransomware in being distributed. Researchers say that this ransomware was first spotted in February 2017 and since then it has been through several iterations. Researchers say that there are two versions of this ransomware and one of them is more sophisticated, being the newer one. Regardless, both of them are said to be disseminated through malicious emails that trick users into opening attached files that get your PC infected with this ransomware. The infection takes place silently and, in most cases, is successful, provided that the user does not have an anti-malware program on the PC to stop it. Furthermore, we have received information that Roshalock Ransomware could be distributed as some kind of file repairing tool, but the website that distributes it is unknown and the name under which it is promoted is a mystery as well.

How do I remove Roshalock Ransomware?

There is no doubt that Roshalock Ransomware is a dangerous computer infection. Testing has shown that it can lock many file formats which mean that this program can deny you access to your most valuable files. However, we do not recommend that you pay the ransom because you might not get the promised password. We, therefore, recommend that you remove this program using our guide which involves using SpyHunter’s free scanner to detect the malicious executable.

Delete Roshalock Ransomware manually

  1. Visit
  2. Download SpyHunter-Installer.exe and run it.
  3. Launch the program and click Scan Computer Now!
  4. Copy the file path of executable file from the scan results.
  5. Simultaneously press Windows+E keys.
  6. Enter the file path in File Explorer’s address box and press Enter.
  7. Find and right-click executable file and then click Delete.
  8. Empty the Recycle Bin.
100% FREE spyware scan and
tested removal of Roshalock Ransomware*

Remove these Roshalock Ransomware Registry Entries:

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run andfor
Software\Microsoft\Internet Explorer\Explorer Bars {C2EC2654-52F0-3E63-9017-D0FA8FA79271}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad fdxbameg
Software\Microsoft\Windows\CurrentVersion kdid
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {D3CCFAF7-DF03-4E73-95EC-E5E139CC2BF2}
Software\Microsoft\Windows\CurrentVersion kdmsh.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {C14E6230-757D-4246-81CE-B34E2940C722}
Long Internet Team Stupid
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify ssqPhEVM
Online Alert Manager
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad rwlfsdmk
SOFTWARE\Microsoft\Internet Explorer\Toolbar {57776700-7BC8-47AC-B43E-99C24B015570}
software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad xokvrpwg
Software\Microsoft\Internet Explorer\Explorer Bars {EB9539EB-598E-BCA7-3D4A-82F4F26E9738}
Software\Microsoft\Internet Explorer\Explorer Bars {FCDEE81D-95A3-AE8A-D4FB-5A9FB8E32860}
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {0ba3e00d-b660-46e6-a2db-2672ee82dc98}
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks {BB4C402F-882A-4526-8C08-51278EA437C1}
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify __c0040F39
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run servises
SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run xqe6lJLnN1
bone thunk axis copy
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify nnnkiGvV
Microsoft\Windows NT\CurrentVersion\Winlogon\Notify cxqmyibm
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad fsrpknov
Software\Microsoft\Internet Explorer\Explorer Bars {9CDB6E2A-B859-45BB-8F05-AF684301AB41}
memo site kind that
SOFTWARE\Microsoft\Internet Explorer\Toolbar {3B4EFB6A-06FD-40AC-B072-1FB7D1D456E8}
software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad tfnslopk
Software\Microsoft\Windows\CurrentVersion kdksc.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad xrdwbfgn
Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler {B2BA40A2-74F0-42BD-F434-12345A2C8953}
SOFTWARE\Microsoft\Internet Explorer\Toolbar {8E21DC20-6E4E-42B3-9796-244EC9385CEF}

Leave a Comment

Enter the numbers in the box to the right *