What is RICKROLL LOCKER ransomware? And how does it execute its attack?
RICKROLL LOCKER ransomware is a file-locking malware that was discovered in the third week of January 2019. There’s not much information about the developers of this crypto-malware so it isn’t clear if it came from any popular ransomware groups. It uses the .cryptoid extension in marking the files it encrypts. The instant it execute its attack in the system, it drops the following malicious payload:
Name:tree.exe
SHA256:371827eb6d567202ee8708b46920b165c1d3a8f5c98ca3439dc23912f9d61866
This malicious payload is the one that initiates the attack in the system and will connect it to a remote server managed by the attackers. It is also where RICKROLL LOCKER ransomware will download its components. These components are then placed on some system folders which help the crypto-malware in executing two modules namely, information gathering and stealth protection. The information gathering module is the one that digs out information from the system. The information gathered will then be used for the stealth protection module which uses it to scan the system for digital strings of various programs like sandbox environment, antivirus programs, and security programs. Once the crypto-malware finds these programs, it removes or disables them to prevent them from stopping its attack. It also makes modifications in the Windows Registry, affecting some registry keys and sub-keys and allows RICKROLL LOCKER ransomware to run automatically in every system startup.
RICKROLL LOCKER ransomware uses a sophisticated encryption algorithm in locking its targeted files. After the encryption, it adds the .cryptoid suffix to every affected file and drops the following ransom notes:
- CRYPTOID_BLOCKED.txt
- CRYPTOID_HELP.txt
- CRYPTOID_MESSAGE.txt
The ransom notes contain the following content:
“RICKROLL LOCKER
SORRY! Your files are encrypted.
File contents are encrypted with random key.
Random key is encrypted with RSA public key (2048 bit).
We STRONGLY RECOMMEND you NOT to use any “decryption tools”.
These tools can damage your data, making recover IMPOSSIBLE.
AIso we recommend you not to contact data recovery companies.
They will just contact us, buy the key and sell it to you at a higher price.
If you want to decrypt your files, you have to get RSA private key.
In order to get private key, write here:
[email protected]
===============
ATTENTION!
Attach file is 000000000.key from %appdata% to email message.
Without it we will not be able to decrypt your files
===============
And pay $400 on BTC-wallet Lex6qfkopz5wgbicrxpq4cALF S6yr8gLhx
Bf someone else offers you files restoring, ask him for test decryption.
only we can successfully decrypt your files; knowing this can protect you from fraud.
You will receive instructions of what to do next.
RICKROLL LOCKER”
How does RICKROLL LOCKER ransomware proliferate?
According to security experts, RICKROLL LOCKER ransomware proliferates using a malicious file that pretends to be a legitimate program or a game. And this file may be disseminated using these methods:
- Torrent downloads
- Crack
- Patch
- Key generator
- Portable version of a program
- Some kind of a license activator
As you can see, cyber criminals behind this crypto-malware use several tricks to infect users so you must be careful when you download any kind of file online.
Obliterate RICKROLL LOCKER ransomware using the removal guide provided below.
Step 1: First, close the ransom note of RICKROLL LOCKER ransomware and then tap the Ctrl + Shift + Esc keys in your keyboard to open the Task Manager.
Step 2: Under the Task Manager, go to the Processes tab and look for a process named “tree.exe” as well as any suspicious-looking process that takes up most of your CPU’s resources and is most likely related to RICKROLL LOCKER ransomware.
Step 3: After that, close the Task Manager.
Step 4: Tap Win + R, type in appwiz.cpl and click OK or tap Enter to open Programs and Features under Control Panel.
Step 5: Under the list of installed programs, look for RICKROLL LOCKER ransomware or anything similar and then uninstall it.
Step 6: Next, close Control Panel and tap Win + E keys to launch File Explorer.
Step 7: Navigate to the following locations below and look for RICKROLL LOCKER ransomware’s malicious components such as tree.exe, CRYPTOID_BLOCKED.txt, CRYPTOID_HELP.txt, CRYPTOID_MESSAGE.txt, [random].exe and other suspicious files, then delete all of them.
- %TEMP%
- %WINDIR%\System32\Tasks
- %APPDATA%\Microsoft\Windows\Templates\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 8: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use [product-name], this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then by all means go on to the next steps.
Step 9: Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step 10: Navigate to the following path:
- HKEY_CURRENT_USER\Control Panel\Desktop\
- HKEY_USERS\.DEFAULT\Control Panel\Desktop\
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Step 11: Delete the registry keys and sub-keys created by RICKROLL LOCKER ransomware.
Step 12: Close the Registry Editor and empty the Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if RICKROLL LOCKER ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
Make sure that you have obliterated RICKROLL LOCKER ransomware from your computer successfully as well as its malicious components by using a trusted and reliable program like [product-name]. Refer to the following guidelines on how to use it.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot it.
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the Safe Mode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed click the “Fix, Clean & Optimize Now” button.
