
Roshalock Ransomware

Posted: March 13, 2017

Threat Metric

Threat Level: 8/10
Infected PCs: 47
First Seen: March 13, 2017
Last Seen: February 28, 2021
OS(es) Affected: Windows

The Roshalock Ransomware is an updated version of the 'All_Your_Documents.rar' Ransomware and continues to extort money after locking your files inside a password-protected archive. The archive password is generated per infection and then protected with RSA, so it is unlikely ever to be recovered without the attackers' cooperation, and the Trojan may attack over two thousand file formats across multiple drives. Quarantine or delete the Roshalock Ransomware with your anti-malware programs and keep backups for when you're forced to recover from an infection.

Trojans All Too Happy to File Your Data Away in an Archive

The threat actors behind the 'All_Your_Documents.rar' Ransomware have re-labeled their Trojan, possibly to shed the reputation of that previous threat. The replacement, the Roshalock Ransomware, makes no significant changes to its core attack: it still bundles all of the victim's files into a WinRAR archive, locks that archive with a password, and ransoms the password back to you through a Web interface.

At least two versions of the Roshalock Ransomware have been circulating in the first weeks of March 2017, with infection vectors disguised as Excel file-restoration apps. The Trojan may target as many as 2,634 separate file formats; it enumerates the available drives and creates a new archive for each one. The 'All_Your_Documents' storage directory and the ransom message are unchanged from the old version of the Trojan.

The Roshalock Ransomware derives the archive password from the infected system's GUID, so every infection has a different password. Malware experts also verified that the Roshalock Ransomware protects that password with RSA encryption and uploads the key to its threat actors' C&C server. This leaves your archived files out of reach: there is no decryption or recovery solution other than restoring from a non-compromised backup.
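The two paragraphs above describe what an infection leaves on disk: an 'All_Your_Documents' directory holding one password-protected RAR archive per drive. The following triage script is an added example, not code from the original page or from any analysis of the Trojan itself; it walks a directory tree, flags RAR archives sitting in a directory of that name, and reads the RAR4/RAR5 headers far enough to tell whether the archive's block headers are themselves encrypted (the case where you can't even list the contents). The sample tree it builds is constructed from minimal header bytes, not captured samples, and the `All_Your_Documents` directory name is the only indicator taken from the page.

```python
import os
import struct
import tempfile
from pathlib import Path

RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 1.5-4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5.0 signature
RAR4_MHD_PASSWORD = 0x0080           # RAR4 main-header flag: block headers encrypted
RAR5_HEAD_CRYPT = 4                  # RAR5 block type: archive encryption header
SUSPECT_DIR = "All_Your_Documents"   # drop directory named in the write-up


def read_vint(buf: bytes, pos: int):
    """Decode a RAR5 variable-length integer: 7 data bits per byte, MSB set = continue."""
    value, shift = 0, 0
    while pos < len(buf):
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
    raise ValueError("truncated vint")


def classify_rar(data: bytes) -> dict:
    """Inspect the first bytes of a file. headers_encrypted is None for non-RAR or malformed input."""
    if data.startswith(RAR5_SIG):
        pos = len(RAR5_SIG) + 4            # skip signature and the 32-bit header CRC
        _size, pos = read_vint(data, pos)  # header size (not needed here)
        htype, _ = read_vint(data, pos)    # 4 = archive encryption header, 1 = main header
        return {"format": "RAR5", "headers_encrypted": htype == RAR5_HEAD_CRYPT}
    if data.startswith(RAR4_SIG):
        pos = len(RAR4_SIG)
        # main header layout: CRC(2) TYPE(1)=0x73 FLAGS(2) SIZE(2) RESERVED(6)
        if len(data) < pos + 7 or data[pos + 2] != 0x73:
            return {"format": "RAR4", "headers_encrypted": None}
        flags = struct.unpack_from("<H", data, pos + 3)[0]
        return {"format": "RAR4", "headers_encrypted": bool(flags & RAR4_MHD_PASSWORD)}
    return {"format": None, "headers_encrypted": None}


def hunt(root) -> list:
    """Return one finding per RAR archive under root, sorted by path."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        in_suspect_dir = Path(dirpath).name == SUSPECT_DIR
        for name in filenames:
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                info = classify_rar(fh.read(64))
            if info["format"] is None:
                continue
            findings.append({"path": str(path), "in_suspect_dir": in_suspect_dir, **info})
    findings.sort(key=lambda f: f["path"])
    return findings


def build_sample_tree(root) -> None:
    """Constructed sample data: just enough header bytes to exercise the parser, not valid archives."""
    drop = Path(root) / SUSPECT_DIR
    drop.mkdir(parents=True)
    # RAR4 archive with MHD_PASSWORD set: everything after the main header is ciphertext.
    rar4_enc = RAR4_SIG + b"\x00\x00\x73" + struct.pack("<HH", RAR4_MHD_PASSWORD, 13) + b"\x00" * 6
    (drop / "C.rar").write_bytes(rar4_enc)
    # RAR5 archive whose first block is the encryption header (type 4).
    rar5_enc = RAR5_SIG + b"\x00" * 4 + b"\x20" + b"\x04" + b"\x00" * 30
    (drop / "D.rar").write_bytes(rar5_enc)
    # Ordinary RAR5 archive outside the drop directory: first block is the main header (type 1).
    rar5_plain = RAR5_SIG + b"\x00" * 4 + b"\x0d" + b"\x01" + b"\x00" * 11
    (Path(root) / "backup.rar").write_bytes(rar5_plain)
    (Path(root) / "notes.txt").write_bytes(b"plain text, ignored by the hunt")


def demo() -> list:
    """Build the constructed tree in a temp directory and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The script only catches the encrypted-headers case; both RAR4 (per-file LHD_PASSWORD flag) and RAR5 (per-file encryption extra record) can also encrypt file data while leaving the listing readable, so a negative result means "headers readable", not "unprotected". In practice the stronger signal is the combination the page describes: a fresh, large archive per drive in that directory, with the originals gone.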

Counteracting the Perfect Archival Process

Paying the Bitcoin ransom at the Roshalock Ransomware's Tor-protected website may or may not get you your password, and this campaign has raised its asking price significantly since its earlier attacks: current demands exceed one Bitcoin (over a thousand USD at the time of writing). If the extortionists take your money but never send the password, there is no way to reverse the transaction. PC users should protect themselves preemptively by monitoring their RDP settings, scanning downloads with anti-malware software, and watching for forged e-mails.

Having backups that the Roshalock Ransomware can't reach is the one dependable way to keep your local data from being locked away permanently. Password-protected WinRAR archives encrypt their contents with AES-256, and an archive locked with a strong, unknown password cannot be opened by brute force in any practical time. Systems with active anti-malware protection also may detect and isolate the Roshalock Ransomware before it gets a chance to attack any files.

Even the most commonplace and benign software can be subverted for ill-minded purposes. The increasingly active Roshalock Ransomware campaign demonstrates how con artists 'sub-contract' the encryption work to programs like WinRAR, which lets them focus their time and energy on other aspects of their threat projects.
