
Rozlok Ransomware

Posted: January 2, 2018

Threat Metric

Threat Level: 8/10
Infected PCs: 4
First Seen: March 29, 2023
Last Seen: March 29, 2023
OS(es) Affected: Windows

The Rozlok Ransomware is a variant of the RSA2048Pro Ransomware that customizes its campaign against Russian-speaking victims. These file-locking Trojans can block many formats of data, potentially permanently, and create text messages asking you to pay for their recovery. Secure backups are the most direct protection you can give your files against this threat, along with anti-malware software capable of removing the Rozlok Ransomware safely.

One Ukrainian's Gift to Russian PCs

Whether the choice of targets is coincidental or a deliberate political message, malware analysts are observing a new file-locking campaign against Russian PCs that originates in Ukraine. The threat actors install the Rozlok Ransomware through Remote Desktop exploits that allow them to run programs manually, most likely after brute-forcing the system's network password. Other infection vectors related to this campaign include compromised websites running themes associated with the Christmas holidays, sporting events, and the automotive industry.

The Rozlok Ransomware conducts file-locking attacks that use AES-256 in SHS mode instead of the more commonly used CBC. It generates a unique unlocking key for every file it encrypts and protects those keys with an RSA-2048 cipher. The original version of its payload is most likely a minor update of the RSA2048Pro Ransomware, although some sources report this Trojan as a variant of the Vortex Ransomware. Victims can search for the '.aes' extension to identify which content the Trojan has locked.

One significant, recurring discrepancy in its payload is that the Rozlok Ransomware's attack sometimes fails to encrypt Outlook files. Malware experts confirm that restoring the original file extension is the only action required to recover these message files specific to that e-mail client; the same fix does not apply to any other media format.
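The Outlook discrepancy described above lends itself to a small triage script for responders. This is an added example, not code from the article or its sources; it assumes the locked files carry the '.aes' suffix the article reports, and it assumes (from the article's statement that only the extension needs restoring) that the untouched Outlook files still begin with their normal format signatures ('!BDN' for .pst/.ost, the OLE compound-file header for .msg). The sample files are constructed.

```python
import math
import tempfile
from pathlib import Path

# Plaintext signatures of Outlook data (facts about the formats, not about the Trojan).
OUTLOOK_SIGNATURES = {
    b"!BDN": "pst",                                   # .pst / .ost
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "msg",       # OLE compound file (.msg)
}
LOCKED_SUFFIX = ".aes"  # extension the article reports the Trojan appends


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the sample; properly encrypted data sits near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(header: bytes) -> str:
    """'plaintext-<fmt>' if an Outlook signature survives, 'encrypted' if random-looking, else 'unknown'."""
    for magic, fmt in OUTLOOK_SIGNATURES.items():
        if header.startswith(magic):
            return "plaintext-" + fmt
    if len(header) >= 256 and shannon_entropy(header) > 7.5:
        return "encrypted"
    return "unknown"


def triage(root: Path, restore: bool = False) -> dict:
    """Map each *.aes file under root to a verdict; with restore=True, strip the suffix only from intact Outlook files."""
    results = {}
    for path in sorted(root.rglob("*" + LOCKED_SUFFIX)):
        with open(path, "rb") as fh:
            verdict = classify(fh.read(4096))  # a header sample is enough to decide
        results[path.name] = verdict
        if restore and verdict.startswith("plaintext-"):
            path.rename(path.with_name(path.name[: -len(LOCKED_SUFFIX)]))
    return results


def demo() -> tuple:
    """Constructed sample set: one intact PST, one high-entropy blob, one too-short stub."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "mail.pst.aes").write_bytes(b"!BDN" + bytes(4092))
        (root / "notes.docx.aes").write_bytes(bytes(range(256)) * 16)  # stands in for ciphertext
        (root / "tiny.txt.aes").write_bytes(b"short")
        verdicts = triage(root, restore=True)
        return verdicts, sorted(p.name for p in root.iterdir())
```

Only files whose Outlook signature is intact are renamed; high-entropy files are left alone for backup restoration, and anything too short to judge is flagged for manual review.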

Paying the Lowest Price for Your Digital Property

Unless significant, unforeseen vulnerabilities in the Rozlok Ransomware's encryption mechanisms come to light, malware researchers judge it unlikely that free decryption will ever be possible. Victims also should ignore any ransom demands (which the Rozlok Ransomware generates as Notepad-format TXT messages) from the Trojan's threat actors, who do not necessarily respond after taking the payment. Although the Rozlok Ransomware does attack local backups, backups that the user saves on a secure, secondary storage device or server provide a reliable file-recovery solution.

Disabling JavaScript, Flash, and advertising content from within your Web browser reduces the range of vulnerabilities that the cybercrooks can use to infect your computer. Most anti-malware products also include additional support for blocking exploit kits and other threats that traditionally install file-locking Trojans. Secure password maintenance also stops most brute-force attacks, and most anti-malware programs can uninstall the Rozlok Ransomware safely, regardless of any data loss already incurred.

Over the past two years, malware researchers have seen more campaigns using various strategies for long-distance extortion and for extracting or damaging digital media belonging to Russian users. No nation has borders impenetrable to cyber-crime, even when the aggressor is just another file-locker Trojan like the Rozlok Ransomware.
