
Roshalock Ransomware

The Roshalock Ransomware appears to be an updated version of the ‘All_Your_Documents.rar’ Ransomware, a threat that was first spotted in February 2017. The peculiar thing about the predecessor of the Roshalock Ransomware is that it does not use a complicated encryption routine to lock the files of victims. Instead, all files that the threat locks are placed in a password-protected archive named ‘All_Your_Documents.rar.’ Depending on the number of hard drive partitions found on the victim’s machine, both the ‘All_Your_Documents.rar’ Ransomware and the Roshalock Ransomware may create multiple password-protected ‘.RAR’ archives in the following location: [DRIVE LETTER]\All_Your_Documents\All_Your_Documents.rar.

The Roshalock Ransomware acts in the same way, and it also places files in archives that are protected by a password. The ransomware is programmed to generate a unique password for each victim and then transmit it to a remote server under the control of the attacker. This makes it nearly impossible for victims to recover the password on their own, since the only ones who hold it are the cyber crooks behind the Roshalock Ransomware. Naturally, they are not willing to hand it over for free, which is why all victims of the Roshalock Ransomware will also see a ransom message that provides them with instructions on what they need to do if they want to get the password for their archived files.

The ransom message is presented in the file ‘All Your Files in Archive!.txt,’ and it warns users that they must send 0.38 BTC if they want to get their files back. Furthermore, the Roshalock Ransomware threatens that the ransom sum will be increased by 0.05 BTC on a daily basis until it is paid. Apparently, the maximum amount that the ransom fee can reach is 1.85 BTC. The message also states that users must download and run the TOR browser, which is required to access the payment page hosted on the Dark Web. We advise users not to do this, since paying the ransom sum that the Roshalock Ransomware requires is not a good idea, and even users who opt to pay the money may end up not getting their files back. The text of the ransom note reads:

‘#################################################################################

ATTENTION! AUFMERKSAMKEIT! ATTENTION! ATENCION! ATTENZIONE!

TO GET BACK YOUR FILES READ CAREFULLY!
UM IHRE DATEIEN ZURUCK, BITTE SORGFALTIG LESEN!
POUR RECUPERER VOS FICHIERS, S’IL VOUS PLAIT LIRE ATTENTIVEMENT!
PARA OBTENER LOS ARCHIVOS DE NUEVO, POR FAVOR, LEA CON CUIDADO!!
PER OTTENERE IL VOSTRO FILES INDIETRO, SI PREGA DI LEGGERE ATTENTAMENTE!!

#################################################################################

Where did all your files?

Your documents on all drives (photos, videos, docs, etc.)
have been moved to password – protected WinRAR archives.

This archives is located in the root of each disk, in folder
“All_Your_Documents” and file name is “All_Your_Documents.rar”.

Full path on all drives:

Drive:\\All_Your_Documents\All_Your_Documents.rar

Note: all the .rar archives located on different drives, have the same password.
All text notes “All Your Files in Archive! .txt” contain the same code.’

Unfortunately, the passwords that the Roshalock Ransomware uses can’t be recovered for now, and victims of this threat might have to look for an alternative way to get their files back. The best way to recover from a ransomware attack is to restore the data from a backup, but users who don’t back up their files regularly might not be able to get their data back in one piece. Regardless of the file recovery method you intend to use, your top priority should be to remove the Roshalock Ransomware with the assistance of a reputable anti-malware software suite. As for the restoration of the files, System Restore or 3rd-party file recovery utilities might prove useful when attempting to reverse the damage caused by the Roshalock Ransomware.
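The file-system artifacts described above (the per-drive archive path and the ransom note name) can be checked for during triage. The following is an added example, not code from the original post: the function names are hypothetical, and because the post does not say where the note is dropped, searching each root to a shallow depth is an assumption.

```python
import os
import re
from pathlib import Path

# Path given in the article, relative to each drive root.
ARCHIVE_REL = Path("All_Your_Documents") / "All_Your_Documents.rar"
# The note name appears on the page with and without a space before ".txt".
NOTE_RE = re.compile(r"^All Your Files in Archive!\s?\.txt$", re.IGNORECASE)
# Common 6-byte prefix of the RAR 4.x and RAR 5.x file signatures.
RAR_MAGIC = b"Rar!\x1a\x07"

def is_rar(path):
    """True if the file starts with a RAR signature (not just a .rar name)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(RAR_MAGIC)) == RAR_MAGIC
    except OSError:
        return False

def scan_root(root, max_depth=2):
    """Check one drive root for the archive and for ransom notes.

    Notes are searched in the root and in directories up to max_depth
    levels below it (assumed depth; the page gives no note location).
    """
    root = Path(root)
    finding = {"root": str(root), "archive": None,
               "archive_is_rar": False, "notes": []}
    archive = root / ARCHIVE_REL
    if archive.is_file():
        finding["archive"] = str(archive)
        finding["archive_is_rar"] = is_rar(archive)
    base = len(root.parts)
    for dirpath, dirnames, filenames in os.walk(root):
        if len(Path(dirpath).parts) - base >= max_depth:
            dirnames[:] = []  # stop descending below max_depth
        for name in filenames:
            if NOTE_RE.match(name):
                finding["notes"].append(str(Path(dirpath) / name))
    finding["notes"].sort()
    return finding

def triage(roots):
    """Return findings only for roots that show at least one artifact."""
    results = [scan_root(r) for r in roots]
    return [r for r in results if r["archive"] or r["notes"]]

if __name__ == "__main__":
    # Example invocation on Windows drive roots (adjust to the host).
    for hit in triage(["C:\\", "D:\\"]):
        print(hit)
```

A root that reports the archive with `archive_is_rar` set and at least one note matches the behaviour described in the article; an archive name without the RAR signature deserves a closer look before drawing conclusions.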



This post first appeared on SpywareRemove.
