ROGER Ransomware

What is ROGER Ransomware?

Once ROGER Ransomware finds a vulnerable Windows system and slithers in, which it usually does via spam emails or exposed, weakly protected RDP services, it immediately encrypts files. Encryption scrambles data so that nobody can read it without the matching key. Normally this protects the owner of the data; cybercriminals turn it around and use it to lock the owner out of their own files, so that they can be pressured into paying. If you continue reading this report, we explain what the whole deal is. Anti-Spyware-101.com researchers have thoroughly inspected the malicious threat, and it is now clear that it belongs to the Crysis/Dharma Ransomware family, just like Devil Ransomware, Dever Ransomware, and hundreds of other threats whose removal we discussed in previous reports. In this report, of course, we show how to delete ROGER Ransomware. If you have any questions for our research team after you are done reading, add them to the comments area.

How does ROGER Ransomware work?

When ROGER Ransomware slithers in, you are not supposed to notice it; the attackers rely on convincing spam email messages, inconspicuous-looking downloaders, and exposed vulnerabilities to drop the infection without you realizing it. After encryption, the “.id-{ID}.[admin@datastex.club].ROGER” extension is appended to the names of the “locked” files, where {ID} is a victim-specific identifier, but you might not notice that right away. First, you are likely to face the window launched by ROGER Ransomware. When we analyzed the threat, it launched a window entitled “6aWH6i3Gxp3cXPpqzl,” but this name appears to be random in every case. The message inside informs you that files were encrypted and instructs you to follow the presented link using the Tor Browser; the link will not open in a normal browser. Alternatively, you could email the attackers at admin@datastex.club directly to get more information. In both cases, you will be instructed to pay a ransom, and we do not recommend doing that, because there is zero guarantee that your files would be decrypted after you hand over your money.

ROGER Ransomware also drops a file named “FILES ENCRYPTED.txt,” which likewise instructs you to email the attackers. Do you understand the risks of communicating with them? They could easily respond with malicious links, malware attachments, and scams. Initially, of course, they would make you pay for an alleged decryptor. If you are sure you want to contact cybercriminals, create a new email account so that your real address does not end up on lists used in future attacks. Also, make sure you do NOT click any links or open any files they send you. If you decide to take the risk and pay the requested sum, understand that you are most likely to waste your money and get nothing in return. You have to make peace with that risk before taking it. Obviously, you do NOT want to contact the attackers behind ROGER Ransomware under any circumstances if you can use free Dharma and Crysis decryptors to restore your files, or if you have backups that can replace the encrypted files. Keep in mind that the free decryptors only cover variants whose keys have been released; if the tool does not recognize your sample, newer variants such as this one may not be supported yet, so keep an encrypted file and the ransom note in case support is added later.

How to delete ROGER Ransomware

ROGER Ransomware is a dangerous infection, and if you cannot use a legitimate free decryptor and do not have backups to replace the encrypted files, you might end up losing your personal files. That is likely to happen even if you follow all of the instructions presented by the cybercriminals, which is why we do not recommend doing so. If you own backups or copies of personal files, restore them only AFTER you remove ROGER Ransomware; otherwise the restored copies get encrypted too. How will you remove it? Will you follow the manual removal instructions below? If you choose this option, you will need to find the .exe file that launched the threat, and we cannot know where it is on your computer. The option we advise is installing anti-malware software. Not only will it automatically erase all active threats, it will also secure your system to prevent new infections from slithering in. Keep your system protected and your files backed up safely, and you will not need to fear ransomware in the future.

Removal Instructions

  1. If you can find the {random name}.exe file that launched the threat, right-click and Delete it.
  2. Launch Explorer (tap Win+E keys) and then enter the following paths into the field at the top to find and Delete files named Info.hta and {random name}.exe (take care in %WINDIR%\System32\, which holds legitimate system files: delete only an .exe you have positively identified as the threat):
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup\
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %APPDATA%
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
    • %WINDIR%\System32\
  3. Launch Run (tap Win+R keys) and enter regedit into the Open box to access Registry Editor.
  4. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
  5. Right-click and Delete the {random name} values whose data points to Info.hta or to the {random name}.exe file.
  6. Exit Registry Editor and then Empty Recycle Bin.
  7. Install a malware scanner you trust and use it to run a thorough system scan.
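The read-only triage script below is an added example, not code from the Anti-Spyware-101.com report or from the malware authors. It locates files carrying the “.id-{ID}.[admin@datastex.club].ROGER” extension described above, finds the “FILES ENCRYPTED.txt” note, and lists the Info.hta / {random name}.exe artifacts in the five folders and the HKLM Run key named in the removal steps, so you can see what step 1 asks you to find before you delete anything. The function names, the seven-day “recent file” window, the extra HKCU Run key, and the Authenticode check used to avoid flagging legitimate System32 binaries are assumptions added for illustration.

```powershell
# Added example (not from the report): read-only triage for a suspected ROGER (Crysis/Dharma)
# infection. Extension pattern, note name, Info.hta, the five folders and the HKLM Run key are
# from the report above; function names, the 7-day window, the HKCU key and the Authenticode
# check are assumptions. Nothing here deletes anything.

# ".id-{ID}.[admin@datastex.club].ROGER" -> capture the victim ID and the contact address.
$script:EncryptedName = '\.id-(?<id>[^.\[\]]+)\.\[(?<email>[^\]]+)\]\.ROGER$'

function Get-RogerEncryptedFile {
    # Lists encrypted files under the given roots (default: the current user's profile).
    param([string[]]$Root = @($env:USERPROFILE))
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                if ($_.Name -match $script:EncryptedName) {
                    [pscustomobject]@{
                        Path     = $_.FullName
                        VictimId = $Matches['id']     # the per-victim ID the attackers key on
                        Contact  = $Matches['email']  # admin@datastex.club for this variant
                    }
                }
            }
    }
}

function Get-RogerRansomNote {
    # Finds copies of the dropped note; keep one untouched for decryptor identification.
    param([string[]]$Root = @($env:USERPROFILE, $env:PUBLIC))
    foreach ($r in $Root) {
        Get-ChildItem -LiteralPath $r -Recurse -File -Force -Filter 'FILES ENCRYPTED.txt' `
            -ErrorAction SilentlyContinue
    }
}

function Get-RogerPersistence {
    # Reports the artifacts the manual removal steps tell you to delete; it deletes nothing.
    $recent = (Get-Date).AddDays(-7)   # assumption: the infection happened within the last week
    $dirs = @(
        (Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ALLUSERSPROFILE 'Microsoft\Windows\Start Menu\Programs\Startup'),
        $env:APPDATA,
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:WINDIR 'System32')
    )
    foreach ($d in $dirs) {
        if (-not (Test-Path -LiteralPath $d)) { continue }
        Get-ChildItem -LiteralPath $d -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            $isNote = $_.Name -ieq 'Info.hta'
            $isExe  = ($_.Extension -ieq '.exe') -and ($_.CreationTime -gt $recent)
            # A recent .exe in System32 is normal after Windows updates, so only unsigned
            # or badly signed binaries are flagged there.
            if ($isExe -and ($d -like '*System32')) {
                $isExe = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status -ne 'Valid'
            }
            if ($isNote -or $isExe) {
                [pscustomobject]@{ Kind = 'File'; Location = $_.FullName; Detail = $_.CreationTime }
            }
        }
    }
    # Run values pointing at Info.hta or at a user-writable path relaunch the note and the
    # dropper at every logon. HKCU is an added check; the report lists only HKLM.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $runKeys) {
        $item = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            if ("$($p.Value)" -match 'Info\.hta|\\AppData\\|\\Startup\\') {
                [pscustomobject]@{ Kind = 'RunValue'; Location = "$k\$($p.Name)"; Detail = $p.Value }
            }
        }
    }
}

# Usage: run from an elevated PowerShell prompt and review the output before deleting anything.
Get-RogerEncryptedFile | Select-Object -First 5 | Format-Table -AutoSize
Get-RogerRansomNote    | Select-Object FullName
Get-RogerPersistence   | Format-Table -AutoSize
```

Run it before following the manual steps: the Run value and the file listing tell you which {random name}.exe to delete in steps 1, 2 and 5, and the VictimId and Contact columns are what a free Dharma/Crysis decryptor needs to identify the variant, which is why at least one encrypted file and one copy of the note should be left alone until you have tried such a tool.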
