RozaLocker Ransomware
The RozaLocker Ransomware is a Trojan that primarily targets computer users in Asia. It is designed to attack Windows computers, and its first victims were located in Russia. These initial infections seem to have been contracted after computer users installed a free 'game' credited to Alexander Render (Саши Рендера). This corrupted game, delivered in an executable file named 'Setup.exe', contains no information about the game itself. The RozaLocker Ransomware attack is carried out by 'trainer.exe', which the setup file installs. In many cases a UAC (User Account Control) prompt appears, which can help computer users block the installation of the RozaLocker Ransomware; this is typical of less sophisticated threats that cannot bypass UAC. The RozaLocker Ransomware attacks have surfaced in various parts of Asia, including China, Russia, Iran, Kyrgyzstan, Uzbekistan, and other Russian-speaking countries. It is not unlikely that the attacks will spread to other parts of the world or that the people responsible will modify the threat to reach a wider array of targets.
The RozaLocker Ransomware Uses the Yoda Crypter for Obfuscation
The RozaLocker Ransomware receives its name because various samples include the string 'ROZALOCK' in their code. Analysis of the RozaLocker Ransomware can be difficult because it is obfuscated with Yoda's Crypter. Apart from this, the RozaLocker Ransomware has various features designed to detect virtual environments and prevent PC security researchers from studying it. The RozaLocker Ransomware hosts its attack in a bogus instance of svchost.exe, which appears in the infected computer's Task Manager. It encrypts files on all local drives, on network storage, and on removable storage devices connected to the infected computer. The following are some of the file types targeted in the RozaLocker Ransomware attack:
.a3d, .blend, .dds, .djv, .doc, .docm, .docx, .fb2, .fb3, .jpeg, .jpg, .lwp, .max, .obj, .ods, .odt, .otf, .pdf, .pdn, .pfa, .pfb, .png, .qpf2, .rft, .svg, .sxc, .sxw, .ttc, .ttf, .unity, .xls, .xlsm, .xlsx.
The RozaLocker Ransomware Claims Some Features that are Unusual in Ransomware
The RozaLocker Ransomware claims that it can collect passwords for online banking websites and social media accounts. However, the RozaLocker Ransomware does not have this capability. It makes this claim to scare computer users into paying the ransom, since they will be afraid that their accounts will be compromised. What the RozaLocker Ransomware does do is encrypt the victim's files. It changes the encrypted files' extension to '.enc' and delivers a ransom note as a text file dropped on the infected computer's Desktop. The RozaLocker Ransomware ransom note is in Russian; translated into English it reads as follows:
'YOUR FILES are encrypted (EVEN WITHOUT CHECKING THAT THEY ARE PARTIALLY OPENED). WE HAVE YOUR LOGIN AND PASSWORD FROM VKONTAKTE, ODNOKLASSINKOV, ONLINE-BANKS AND OTHERS.
YOU HAVE 6 HOURS TO PURCHASE THEM, OTHERWISE WE WILL POST THEM ONLINE FOR OPEN ACCESS!
INSTRUCTION:
1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following -
(Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster))
2) In the browser, open the site h[tt]ps://x-pay.cc/ - through this site you will transfer money
3) In the column I DELETE where you will transfer (according to #1) enter the amount - 10,000 rubles.
4) In the RIGHT select Bitcoin and on top the amount should automatically be exchanged to btc
5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)
ATTENTION-ATTENTION, CORRECTLY copy this number to wallet address (yes, it's so strange)
[RANDOM CHARACTERS]
After inserting, carefully, again check whether it is copied correctly.
6) Click on GO TO PAY and follow the instructions on the site.
In a couple of hours we'll write you on the desktop and return everything to you.
If there are difficulties, then write on the mailbox – aoneder@mail.ru'
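A triage script for the indicators the page describes (the '.enc' extension, the list of targeted file types, the bogus svchost.exe instance, and encryption across local, network and removable storage). This is an added example, not code from the page or from any vendor; it assumes the '.enc' suffix is appended after the original extension, and the svchost.exe location check is a general heuristic the page does not itself state.

```python
from collections import Counter
from pathlib import PureWindowsPath
# File types the page lists as targeted by RozaLocker.
TARGETED = {
    ".a3d", ".blend", ".dds", ".djv", ".doc", ".docm", ".docx", ".fb2", ".fb3",
    ".jpeg", ".jpg", ".lwp", ".max", ".obj", ".ods", ".odt", ".otf", ".pdf",
    ".pdn", ".pfa", ".pfb", ".png", ".qpf2", ".rft", ".svg", ".sxc", ".sxw",
    ".ttc", ".ttf", ".unity", ".xls", ".xlsm", ".xlsx",
}
ENCRYPTED_SUFFIX = ".enc"  # extension the page says RozaLocker applies

def classify(path):
    """Original extension if `path` looks RozaLocker-encrypted, else None.
    Assumption: '.enc' is appended after the original extension."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != ENCRYPTED_SUFFIX:
        return None
    inner = PureWindowsPath(p.stem).suffix.lower()
    return inner if inner in TARGETED else None

def suspicious_svchost(path):
    """Heuristic added here, not from the page: genuine svchost.exe lives under
    Windows\\System32 or Windows\\SysWOW64; a same-named binary elsewhere is suspect."""
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return False
    parts = [part.lower() for part in p.parts]
    return not ("windows" in parts and ("system32" in parts or "syswow64" in parts))

def triage(paths):
    """Suspect count, hits per original extension, directories touched, rogue svchost.exe."""
    by_ext, dirs, rogue = Counter(), set(), []
    for path in paths:
        ext = classify(path)
        if ext:
            by_ext[ext] += 1
            dirs.add(str(PureWindowsPath(path).parent))
        if suspicious_svchost(path):
            rogue.append(path)
    return {"suspect_files": sum(by_ext.values()), "by_extension": dict(by_ext),
            "directories": sorted(dirs), "rogue_svchost": rogue}
# Constructed sample listing: local disk, network share and removable drive.
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.enc",
    r"\\fileserver\share\budget.xlsx.enc",
    r"E:\backup\model.blend.enc",
    r"C:\Users\alice\archive.zip.enc",  # .zip is not on the page's list
    r"C:\Windows\System32\svchost.exe",  # genuine location
    r"C:\Users\alice\AppData\Roaming\svchost.exe",  # rogue copy
]
```

Feed it the output of a recursive directory listing from the affected host (for example `dir /s /b`) in place of the constructed SAMPLE to scope which shares and drives the encryption reached.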
SpyHunter Detects & Removes RozaLocker Ransomware
File System Details
# | File Name | MD5 | Detections
---|---|---|---
1 | file.exe | 8ea7224f71b5d248e9ec1b9cc56b33d4 | 0

Detections: the number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.