
RozaLocker Ransomware

Posted: March 13, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 99
First Seen: March 13, 2017
OS(es) Affected: Windows


The RozaLocker Ransomware is a Trojan with file-encrypting features for locking your data so that it can force you to make ransom payments. Protecting your files with both anti-malware solutions and non-local backups is recommended, since threat actors sometimes accept payment without providing any decryption service in return. Although this Trojan's campaign predominantly targets Russian PC users, PCs in any region are vulnerable, and users should remove the RozaLocker Ransomware with appropriate anti-malware tools.

Trojans Checking Every Drive to Pull Off a Russian Ransoming

The RozaLocker Ransomware is part of a newer trend of file-encrypting threats attacking PC users in Russia, a country that previously enjoyed some degree of immunity from ransom-based cyber warfare. Although its basic attacks and tactics are simple techniques that malware experts see in hundreds of similar threats, the RozaLocker Ransomware also displays other attributes that could enhance its ability to cause damage. It gains access to your PC in the first place by posing as a fake trainer or other illegal utility for gaming software.

The RozaLocker Ransomware encrypts just over thirty types of data, with documents, spreadsheets, images, and, most notably, 3D models for multiple brands of software all being targets. The Trojan also adds the same '.enc' extension that malware experts sometimes see within other Trojans' campaigns, including the attacks of the EncryptoJJS Ransomware and the TrueCrypt Ransomware. Some of the RozaLocker Ransomware's other features include:

  • The RozaLocker Ransomware locks the PC's wallpaper to a Bitmap picture that it provides.
  • The RozaLocker Ransomware enumerates additional drive letters besides C, which may allow it to encrypt content on other devices and network shares.
  • The Trojan also uses multiple methods of identifying anti-virus or virtualization utilities that could protect your computer or help analyze its payload.
  • It also collects basic system information like the language in use and the IP address. The RozaLocker Ransomware may upload this data to another server for further monitoring and analysis by its threat actors.

The RozaLocker Ransomware elaborates on the motivation for its attacks in its 'ReadMe.txt' file, which explains how to pay a Bitcoin ransom (with the value given in Russian rubles) to decrypt your data.

Unwinding Your Files from the Chains of the RozaLocker Ransomware

As malware experts already can confirm, the RozaLocker Ransomware's attacks are significantly dangerous to any files whose only copies are saved on the compromised PC. However, the RozaLocker Ransomware also includes additional warnings that it may collect passwords and other information from any victims who don't pay its fee and upload them for public access. For their part, malware experts have yet to verify any such feature in this Trojan's payload, and it most likely is a pure bluff.

The RozaLocker Ransomware includes some relatively advanced techniques but also is one of the few threats of its category that includes an initial installation prompt. Since the RozaLocker Ransomware doesn't bypass the Windows UAC prompt, victims can choose not to install it and save their files. Its authors most likely ignored this impediment because they disguise the RozaLocker Ransomware as a form of illicit software that the user would install by choice. Some infection vectors also may subvert Remote Desktop features.

No public decryptors are yet available for download to recover your data from this threat. Back up your files, when appropriate, and use anti-malware products to remove the RozaLocker Ransomware before it can endanger your computer.

Sometimes, the cost of 'hacking' software with the help of a third party can come in Bitcoins. Those who don't analyze and vet their downloads properly soon may experience remorse after threats like the RozaLocker Ransomware turn their PCs into nothing more than links in a chain of cash extortion.

Technical Details

File System Modifications


The following files were created in the system:



File name: file.exe
Size: 3.97 MB (3975680 bytes)
MD5: 8ea7224f71b5d248e9ec1b9cc56b33d4
Detection count: 80
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 13, 2017
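As an added defender-side illustration (not code from the original advisory or from any vendor), the script below triages a directory tree for the indicators this page lists: the sample's MD5 and size from the file listing above, clusters of files carrying the '.enc' extension described in the features list, and the 'ReadMe.txt' ransom note. The constructed sample directory, the MIN_ENC_FILES threshold, and the function names are assumptions made for this example.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import List

# Indicators taken from this page's file listing and description.
SAMPLE_MD5 = "8ea7224f71b5d248e9ec1b9cc56b33d4"   # MD5 of file.exe (from the page)
SAMPLE_SIZE = 3975680                              # size in bytes (from the page)
ENCRYPTED_EXT = ".enc"                             # extension added to encrypted files
RANSOM_NOTE = "readme.txt"                         # 'ReadMe.txt', compared case-insensitively
MIN_ENC_FILES = 5                                  # assumed threshold, chosen for this example


@dataclass
class TriageResult:
    hash_matches: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    encrypted_files: List[str] = field(default_factory=list)

    def suspicious(self) -> bool:
        # A hash match is conclusive on its own; otherwise require both a ransom
        # note and a cluster of '.enc' files, so a single stray '.enc' file
        # (a legitimate format elsewhere) does not raise an alert.
        if self.hash_matches:
            return True
        return bool(self.ransom_notes) and len(self.encrypted_files) >= MIN_ENC_FILES


def md5_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root: str) -> TriageResult:
    """Walk `root` and collect every RozaLocker indicator found beneath it."""
    result = TriageResult()
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE:
                result.ransom_notes.append(path)
            if lower.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            try:
                # Compare size first: hashing only size matches keeps the scan cheap.
                if os.path.getsize(path) == SAMPLE_SIZE and md5_of(path) == SAMPLE_MD5:
                    result.hash_matches.append(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort


    return result


def build_sample_tree() -> str:
    """Constructed sample data: a temp directory imitating a post-infection 'Documents' folder."""
    root = tempfile.mkdtemp(prefix="rozalocker_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for i in range(6):
        with open(os.path.join(docs, f"report{i}.docx{ENCRYPTED_EXT}"), "wb") as fh:
            fh.write(b"\x00" * 32)                  # placeholder ciphertext, constructed
    with open(os.path.join(docs, "ReadMe.txt"), "w") as fh:
        fh.write("constructed placeholder for the ransom note\n")
    with open(os.path.join(root, "untouched.txt"), "w") as fh:
        fh.write("benign file left alone\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    outcome = triage(sample_root)
    print(f"suspicious={outcome.suspicious()} enc_files={len(outcome.encrypted_files)} "
          f"notes={len(outcome.ransom_notes)} hash_matches={len(outcome.hash_matches)}")
```

The size comparison before hashing matters on a real volume: only files that are exactly 3975680 bytes are ever read in full, so the sweep stays cheap even across the additional drive letters and network shares the Trojan enumerates. The hash check is the narrow indicator (it only catches this exact sample), while the note-plus-cluster rule is the broad one that still fires on a recompiled variant that keeps the same '.enc' extension and note name.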