
RozaLocker Ransomware

By GoldSparrow in Ransomware

The RozaLocker Ransomware is a Trojan that primarily targets computer users in Asia. It is designed for computers running Windows, and its first victims were located in Russia. These initial infections appear to have occurred after computer users installed a free 'game' credited to Alexander Render (Саши Рендера). The corrupted game is delivered as an executable file named 'Setup.exe' that contains no information about the game itself; the setup file installs 'trainer.exe', which carries out the RozaLocker Ransomware attack. In many cases a UAC (User Account Control) prompt appears, which can help some computer users block the installation of the RozaLocker Ransomware on their computers; this is typical of less sophisticated threats that cannot bypass UAC. RozaLocker Ransomware attacks have surfaced in various parts of Asia, including China, Russia, Iran, Kyrgyzstan, Uzbekistan, and other Russian-speaking countries. It is not unlikely that the attacks will spread to other parts of the world or that the people responsible will modify the threat to reach a wider array of targets.

The RozaLocker Ransomware Uses the Yoda Crypter for Obfuscation

The RozaLocker Ransomware gets its name from the string 'ROZALOCK', which appears in the code of various samples. Analysis of the RozaLocker Ransomware can be difficult because it is obfuscated with Yoda's Crypter. Apart from this, the RozaLocker Ransomware has various features designed to detect virtual environments and hinder the PC security researchers studying it. The RozaLocker Ransomware hosts its attack in a bogus instance of svchost.exe, which will appear in the infected computer's Task Manager. The RozaLocker Ransomware encrypts files on all local drives, on network storage, and on removable storage devices connected to the infected computer. The following are some of the file types targeted in the RozaLocker Ransomware attack:

.a3d, .blend, .dds, .djv, .doc, .docm, .docx, .fb2, .fb3, .jpeg, .jpg, .lwp, .max, .obj, .ods, .odt, .otf, .pdf, .pdn, .pfa, .pfb, .png, .qpf2, .rft, .svg, .sxc, .sxw, .ttc, .ttf, .unity, .xls, .xlsm, .xlsx.
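The bogus svchost.exe mentioned above is the kind of artifact a responder can hunt for with a simple process-list check. The script below is an added example written for this page, not code from the threat or from the vendor; it assumes (the page does not say where the bogus process lives) that an impostor runs its image from somewhere other than the Windows system directories, or is spawned by a parent other than services.exe, which on Windows is the only legitimate parent of svchost.exe. The process records are constructed inline so the script runs offline; on a live host they would come from a process enumeration such as `tasklist /v` or psutil, which is outside the scope of this example.

```python
"""
Flag svchost.exe processes that do not look like the genuine Windows service host.

Heuristics (defender assumptions, not facts stated by the threat write-up):
  * a genuine svchost.exe image lives in %SystemRoot%\System32 or \SysWOW64
  * a genuine svchost.exe is started by services.exe
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Lower-case, normalised directories a real svchost.exe image may live in.
LEGIT_SVCHOST_DIRS = frozenset({
    r"c:\windows\system32",
    r"c:\windows\syswow64",
})
LEGIT_SVCHOST_PARENT = "services.exe"


@dataclass(frozen=True)
class ProcessRecord:
    pid: int
    name: str         # image name as shown in Task Manager
    image_path: str   # full path of the executable backing the process
    parent_name: str  # image name of the parent process


def normalize_dir(path: str) -> str:
    """Directory part of a Windows path, normalised and lower-cased for comparison."""
    return ntpath.normpath(ntpath.dirname(path)).lower()


def is_suspicious_svchost(proc: ProcessRecord) -> bool:
    """True when a process calls itself svchost.exe but fails either legitimacy heuristic."""
    if proc.name.lower() != "svchost.exe":
        return False
    if normalize_dir(proc.image_path) not in LEGIT_SVCHOST_DIRS:
        return True  # image runs from an unexpected directory (e.g. a user profile)
    return proc.parent_name.lower() != LEGIT_SVCHOST_PARENT


def find_suspicious_svchost(procs: list[ProcessRecord]) -> list[ProcessRecord]:
    """Return every process record that trips is_suspicious_svchost, in input order."""
    return [p for p in procs if is_suspicious_svchost(p)]


# Constructed sample process list: two genuine service hosts, one impostor running from
# a Temp directory under a hypothetical 'trainer.exe' parent, one with the right path
# but the wrong parent, and an unrelated process.
SAMPLE_PROCESSES = [
    ProcessRecord(812, "svchost.exe", r"C:\Windows\System32\svchost.exe", "services.exe"),
    ProcessRecord(1440, "svchost.exe", r"C:\Windows\SysWOW64\svchost.exe", "services.exe"),
    ProcessRecord(3360, "svchost.exe", r"C:\Users\user\AppData\Local\Temp\svchost.exe", "trainer.exe"),
    ProcessRecord(3392, "svchost.exe", r"C:\Windows\System32\svchost.exe", "explorer.exe"),
    ProcessRecord(2020, "explorer.exe", r"C:\Windows\explorer.exe", "userinit.exe"),
]

if __name__ == "__main__":
    for proc in find_suspicious_svchost(SAMPLE_PROCESSES):
        print(f"suspicious svchost.exe pid={proc.pid} path={proc.image_path} parent={proc.parent_name}")
```

Both heuristics are cheap and produce few false positives on a default Windows install, which makes them a reasonable first filter when a user reports an extra svchost.exe in Task Manager; anything flagged still needs confirmation against the file's hash and signature.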

The RozaLocker Ransomware Claims Some Features that are Unusual in Ransomware

The RozaLocker Ransomware claims that it can collect passwords for online banking websites and social media accounts. However, it does not have this capability; the claim is made to scare computer users into paying the ransom out of fear that their accounts will be compromised. The RozaLocker Ransomware does, however, encrypt the victim's files. It changes the encrypted files' extension to '.enc' and delivers its ransom note as a text file dropped on the infected computer's Desktop. The RozaLocker Ransomware ransom note is written in Russian; translated into English, it reads as follows:

'YOUR FILES are encrypted (EVEN WITHOUT CHECKING THAT THEY ARE PARTIALLY OPENED). WE HAVE YOUR LOGIN AND PASSWORD FROM VKONTAKTE, ODNOKLASSINKOV, ONLINE-BANKS AND OTHERS.
YOU HAVE 6 HOURS TO PURCHASE THEM, OTHERWISE WE WILL POST THEM ONLINE FOR OPEN ACCESS!
INSTRUCTION:
1) Find 10 000 (10 thousand) rubles, not less. Suitable for the following -
(Qiwi, Sberbank, Yandex.Money, Tinkoff Bank, VTB, but better Qiwi (faster)
2) In the browser, open the site h[tt]ps://x-pay.cc/ - through this site you will transfer money
3) In the column I DELETE where you will transfer (according to #1) enter the amount - 10,000 rubles.
4) In the RIGHT select Bitcoin and on top the amount should automatically be exchanged to btc
5) In the column DATA ENTRY, fill in your requisites from where you will pay and where to transfer (Bitcoin wallet)
ATTENTION-ATTENTION, CORRECTLY copy this number to wallet address (yes, it's so strange)
[RANDOM CHARACTERS]
After inserting, carefully, again check whether it is copied correctly.
6) Click on GO TO PAY and follow the instructions on the site.
In a couple of hours we'll write you on the desktop and return everything to you.
If there are difficulties, then write on the mailbox – aoneder@mail.ru'
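The '.enc' extension described above, together with the targeted extension list given earlier, is enough to triage a file listing for impact and to see which volumes (local, network or removable) were reached. The script below is an added example written for this page, not code from the threat or from the vendor. It assumes that the original extension is left in place in front of '.enc' (the page says only that the extension is changed to '.enc'), so a name such as 'report.docx.enc' is a confirmed hit, while a '.enc' file with no recognisable inner extension is reported as merely possible. The file listing is constructed inline so the script runs offline; in practice it would be fed the output of a recursive directory walk.

```python
"""
Triage a list of Windows file paths for the RozaLocker rename pattern (<name>.<ext>.enc)
and group the hits by the volume they live on.
"""
from __future__ import annotations

import ntpath
from collections import Counter

# Extension list as given in the write-up (lower-case, with leading dot).
TARGETED_EXTENSIONS = frozenset("""
.a3d .blend .dds .djv .doc .docm .docx .fb2 .fb3 .jpeg .jpg .lwp .max .obj .ods
.odt .otf .pdf .pdn .pfa .pfb .png .qpf2 .rft .svg .sxc .sxw .ttc .ttf .unity
.xls .xlsm .xlsx
""".split())

ENCRYPTED_SUFFIX = ".enc"  # extension the write-up says is applied to encrypted files


def classify(path: str) -> str | None:
    """
    'confirmed' -> <name>.<targeted ext>.enc, original extension still visible
    'possible'  -> <name>.enc whose inner extension is absent or not in the target list
    None        -> not an .enc file at all
    Assumes the original extension is kept in front of '.enc' (not stated on the page).
    """
    name = ntpath.basename(path)
    stem, last = ntpath.splitext(name)
    if last.lower() != ENCRYPTED_SUFFIX:
        return None
    _, inner = ntpath.splitext(stem)
    return "confirmed" if inner.lower() in TARGETED_EXTENSIONS else "possible"


def volume_of(path: str) -> str:
    """Drive letter or UNC share a path lives on, so impact can be grouped per volume."""
    drive, _ = ntpath.splitdrive(path)
    return drive.lower() or "<relative>"


def triage(paths: list[str]) -> dict:
    """Split a listing into confirmed/possible hits and count hits per volume."""
    confirmed, possible = [], []
    for path in paths:
        verdict = classify(path)
        if verdict == "confirmed":
            confirmed.append(path)
        elif verdict == "possible":
            possible.append(path)
    volumes = Counter(volume_of(p) for p in confirmed + possible)
    return {"confirmed": confirmed, "possible": possible, "volumes": dict(volumes)}


# Constructed sample listing spanning a local system drive, a second local drive,
# a removable drive (E:) and a network share, with untouched files mixed in.
SAMPLE_LISTING = [
    r"C:\Users\user\Documents\thesis.docx.enc",
    r"C:\Users\user\Pictures\holiday.jpg.enc",
    r"C:\Users\user\Desktop\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"D:\projects\scene.blend.enc",
    r"E:\backup\ledger.xlsx.enc",
    r"E:\backup\old.zip.enc",
    r"\\fileserver\share\reports\q3.pdf.enc",
    r"\\fileserver\share\reports\q3.pdf",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"confirmed: {len(result['confirmed'])}, possible: {len(result['possible'])}")
    for volume, count in sorted(result["volumes"].items()):
        print(f"  {volume}: {count} encrypted file(s)")
```

Grouping by volume matters for this family because the write-up notes that network storage and removable devices are encrypted too; a count on a UNC share or a removable drive tells the responder which backups and shared folders to treat as lost before restoring.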


File System Details

RozaLocker Ransomware may create the following file(s):
#    File Name    MD5                                 Detections
1.   file.exe     8ea7224f71b5d248e9ec1b9cc56b33d4    0
