
Roga Ransomware

Posted: December 23, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 93
First Seen: December 23, 2016
OS(es) Affected: Windows

The Roga Ransomware is a Trojan that pretends to encrypt your files and may sell a decryption key or service to its victims for recovering the blocked data. These attacks are most remediable by restoring the content from an unaffected backup, although other methods of restoration also may be possible. Since this threat may hinder your accessibility to other software or security features, you should use dedicated anti-malware products to remove the Roga Ransomware before addressing any concerns about its damage to your files.

When It's Worth Disbelieving Threats from File Lockers

Re-branding is a rampant problem in the threat industry, with updates and re-releases of old threats making it difficult to identify the real origin of a threat. If traced successfully, however, that ancestry can provide invaluable information, as malware experts are finding with the Roga Ransomware, the new version of the Free-Freedom Ransomware. Although both Trojans try to pass off their attacks as file-encrypting lock-downs, their actual payloads involve modifying file permission settings.

When it executes, the Roga Ransomware may change the permissions of specific data formats, such as documents, or of specific directories, to forbid the logged-in user from opening or modifying them. The Roga Ransomware also includes an updated HTA pop-up alert that, like the Free-Freedom Ransomware's, misrepresents the attack as a file-encrypting one. The Web infrastructure the Roga Ransomware provides for 'decrypting' the victim's content is currently down, leading malware experts to estimate that the Trojan's campaign is still in development.

The Roga Ransomware also has a new feature that may help identify any affected content: it appends the '.madebyadam' extension to the fake-encrypted filenames. Since the extension is useful for separating the content the Trojan attacked from unaffected data, malware experts don't recommend removing it before taking other, more relevant data recovery steps.

A Password to Escape from Adam

Surprisingly, the Roga Ransomware's author hasn't fixed the most obvious vulnerability of the Free-Freedom Ransomware: the use of a hard-coded password. Entering 'adamdude9' will remove the pop-up window and launch the 'decryption' process, which fails. Since this threat doesn't use legitimate encryption features in the first place, PC users should attempt other data recovery options, such as recovering from a backup or reversing the permission changes made to their individual files.
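The two recovery clues above, the '.madebyadam' marker and the fact that the damage is a permissions change rather than encryption, can be turned into an audit-and-repair script. The following PowerShell is an added example, not code from the original post or from the Trojan; it assumes an elevated session, that the restriction is implemented as explicit (non-inherited) Deny entries on the marked files, and a starting directory of the current user's profile.

```powershell
# Added example (not from the original post): audit files carrying the
# '.madebyadam' extension, remove explicit Deny entries from their ACLs and,
# only when asked, strip the extension again. Run from an elevated session.
function Repair-RogaPermissions {
    param(
        [string]$Root = $env:USERPROFILE,   # tree to repair (assumed starting point)
        [switch]$RestoreNames               # also drop '.madebyadam' when set
    )
    $ext = '.madebyadam'
    $results = New-Object System.Collections.Generic.List[object]

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -eq $ext } |
        ForEach-Object {
            $item = $_
            try {
                $acl = Get-Acl -LiteralPath $item.FullName
                # Only non-inherited Deny rules are removed (assumption: the Trojan
                # writes its restriction directly onto the file or directory).
                $denies = @($acl.Access | Where-Object {
                    $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited })
                foreach ($ace in $denies) { [void]$acl.RemoveAccessRule($ace) }
                if ($denies.Count -gt 0) {
                    Set-Acl -LiteralPath $item.FullName -AclObject $acl
                }
                $renamed = $false
                if ($RestoreNames) {
                    $original = $item.Name.Substring(0, $item.Name.Length - $ext.Length)
                    Rename-Item -LiteralPath $item.FullName -NewName $original
                    $renamed = $true
                }
                $results.Add([pscustomobject]@{
                    Path = $item.FullName; DeniesRemoved = $denies.Count
                    Renamed = $renamed; Error = $null })
            } catch {
                # Usually a path whose ACL the account cannot read; take ownership
                # (takeown / icacls) of those paths and re-run.
                $results.Add([pscustomobject]@{
                    Path = $item.FullName; DeniesRemoved = 0
                    Renamed = $false; Error = $_.Exception.Message })
            }
        }
    return $results
}

# Audit and repair permissions first; review the table before re-running
# with -RestoreNames, in line with the advice to keep the marker until then.
Repair-RogaPermissions -Root $env:USERPROFILE | Format-Table -AutoSize
```

Directories that carry a Deny entry blocking enumeration will not be listed by Get-ChildItem at all; those need ownership taken before the script can reach the files beneath them.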

The Roga Ransomware continues to evade many major brands of AV solutions at a high rate. Always keep your anti-malware products updated to help them identify newly-released threats. Its campaign is targeting English speakers and may be focusing on Britain, based on the ransom payment preferences of the previous Trojan in its line of ancestry. Ideally, active anti-malware protection can detect and delete the Roga Ransomware before it finishes installing itself and locking your files.

Although the faces and names of threat campaigns change even more quickly than the weather, the threat actors responsible for them may be consistent. The Roga Ransomware and the Free-Freedom Ransomware both use the fear of data encryption to solicit the same ransom-based profits as real file-enciphering Trojans, making them problems for anyone who believes what pop-ups say without question.
