Roshalock Ransomware

What is Roshalock Ransomware?

If your PC does not have an anti-malware program installed, it can be vulnerable to Roshalock Ransomware, a highly malicious program that puts your personal files in password-protected file archives and then demands that you pay for the password. You should not comply, because there is no evidence that the people who created this program actually send the password. Therefore, we suggest that you remove this program instead of paying the ransom, which can vary in amount. To find out more about this ransomware, we invite you to read this whole article.

What does Roshalock Ransomware do?

Our cyber security experts have obtained a sample of Roshalock Ransomware and tested it. They found that this particular ransomware is very different from most ransomware in that it does not encrypt the files using an encryption algorithm. Instead, it puts the files in file archives and protects them with a password, which you have to purchase from the ransomware's developers. We do not know how much they ask initially, but we have received information that says that if you fail to pay the ransom within three days, the ransom is said to increase by 0.05 BTC.

Testing has shown that this particular ransomware can affect more than 2500 file formats, which means that it can lock the majority of your personal files. It puts all of the targeted files in file archives named All_Your_Documents.rar and places them in {Drive letter}:\All_Your_Documents\All_Your_Documents.rar. Once this process is completed, the ransomware drops a ransom note named All Your Files in Archive! .txt, a simple text file that contains instructions on how to pay the ransom in English, French, Spanish, Italian, and German. It says that you have to get WinRAR and TOR browser and explains how to access the payment website and purchase the password to unlock the files. Again, there is no guarantee that you will receive the password, so we are of the opinion that you ought to delete the ransomware instead.
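A triage check for the artifacts named above, as an added example that is not part of the original article or of any vendor tool: it looks for the archive at the stated path and for the ransom note by name under each drive. The function names, the depth limit and the whitespace-tolerant match on the note name are assumptions of this example.

```python
import os
import re
import string

# Artifact names as given in the article above.
ARCHIVE_REL = os.path.join("All_Your_Documents", "All_Your_Documents.rar")
# The article prints the note name as "All Your Files in Archive! .txt";
# whitespace is matched loosely because the exact spacing is uncertain (assumption).
NOTE_RE = re.compile(r"^all\s+your\s+files\s+in\s+archive!\s*\.txt$", re.I)
# Signature prefix shared by RAR 4.x and RAR 5.x archives.
RAR_MAGIC = b"Rar!\x1a\x07"


def windows_drive_roots():
    """Return existing drive roots such as 'C:\\' (empty list when not on Windows)."""
    if os.name != "nt":
        return []
    return [f"{d}:\\" for d in string.ascii_uppercase if os.path.exists(f"{d}:\\")]


def scan_root(root, max_depth=3):
    """Look under one root for the archive path and ransom-note name from the article."""
    findings = []
    archive = os.path.join(root, ARCHIVE_REL)
    if os.path.isfile(archive):
        with open(archive, "rb") as fh:
            is_rar = fh.read(len(RAR_MAGIC)) == RAR_MAGIC
        st = os.stat(archive)
        findings.append({"type": "archive", "path": archive, "is_rar": is_rar,
                         "size": st.st_size, "mtime": st.st_mtime})
    base_depth = root.rstrip(os.sep).count(os.sep)
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath.rstrip(os.sep).count(os.sep) - base_depth >= max_depth:
            dirnames[:] = []  # stop descending below the depth limit
        for name in filenames:
            if NOTE_RE.match(name):
                path = os.path.join(dirpath, name)
                findings.append({"type": "ransom_note", "path": path,
                                 "mtime": os.stat(path).st_mtime})
    return findings


if __name__ == "__main__":
    for drive in windows_drive_roots():
        for hit in scan_root(drive):
            print(hit)
```

The modification times in the findings give a first estimate of when the archive and note were written, which helps scope which backups predate the incident.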

Where does Roshalock Ransomware come from?

Truth be told, there is not a lot of information on how this particular ransomware is being distributed. Researchers say that this ransomware was first spotted in February 2017 and that it has been through several iterations since then. Researchers say that there are two versions of this ransomware, and the newer one is the more sophisticated. Regardless, both of them are said to be disseminated through malicious emails that trick users into opening attached files that infect the PC with this ransomware. The infection takes place silently and, in most cases, is successful, provided that the user does not have an anti-malware program on the PC to stop it. Furthermore, we have received information that Roshalock Ransomware could be distributed as some kind of file repairing tool, but the website that distributes it is unknown and the name under which it is promoted is a mystery as well.

How do I remove Roshalock Ransomware?

There is no doubt that Roshalock Ransomware is a dangerous computer infection. Testing has shown that it can lock many file formats, which means that this program can deny you access to your most valuable files. However, we do not recommend that you pay the ransom because you might not get the promised password. We, therefore, recommend that you remove this program using our guide, which involves using SpyHunter's free scanner to detect the malicious executable.

Delete Roshalock Ransomware manually

  1. Visit http://www.anti-spyware-101.com/download-sph
  2. Download SpyHunter-Installer.exe and run it.
  3. Launch the program and click Scan Computer Now!
  4. Copy the file path of the executable file from the scan results.
  5. Simultaneously press Windows+E keys.
  6. Enter the file path in File Explorer’s address box and press Enter.
  7. Find and right-click the executable file and then click Delete.
  8. Empty the Recycle Bin.

Remove these Roshalock Ransomware Registry Entries:
