I wrote this article to help you remove Roshalock Ransomware. This Roshalock Ransomware removal guide works for all Windows versions.

Roshalock ransomware is the second version of All_Your_Documents ransomware, a win-locker we covered yesterday. The creators of the infection did not waste time to make an upgrade, as the first build was discovered just a month ago. The second version of the win-locker has been appropriately named Roshalock ransomware 2.00, indicating that it succeeds another build. The insidious program follows the same pattern. It uses a combination of RSA-2048 and AES-256 ciphers to lock files. The technology has been slightly altered, going for a later variant of the latter cryptosystem. Roshalock ransomware targets 2634 file types. The sinister program merges all encrypted objects into a single archive, titled All_Your_Documents.rar. Thus, the encrypted files do not receive a custom extension. The archive is placed on the desktop, together with the ransom note.

Roshalock ransomware titles the ransom note All Your Files in Archive!.txt. The message the note conveys is short and straight to the point. The statement begins with an introduction, written in five languages: English, German, French, Spanish, and Italian. The renegade developers have apparently used a translator to make the general information comprehensible for more people. When the victim gets acquainted with the program, he can use a translator himself to understand the rest. The ransom note contains a link, leading to the payment website.

The site is hosted on the Tor network. This web browser provides enhanced security. It conceals the geographic location and email address of the cyber criminals. This prevents people from tracing the data stream to their computer. The means of payment is just as safe. The developers of Roshalock ransomware require users to pay in bitcoins. This is a cryptocurrency which has gained momentum with the growing number of online transactions. Bitcoin trading platforms allow people to operate anonymously. They do not ask for personal information. The transferal from the bitcoin wallet to a bank account does not get traced. The double measures eliminate all risks of tracking.

The creators of Roshalock ransomware have set the ransom at 0.35 BTC. However, the sum is only fixated for the first day. For every day after the win-locker has been contacted, the amount grows by 0.05 BTC. This goes on for 30 days. After a month, you would have to pay 1.85 BTC to have your personal files unlocked. This will be your last chance, as the decryption key is set to be deleted after this time period. To put things into perspective, the initial sum converts to $440.12 USD, as per the current exchange rate. The final amount corresponds to $2326.34 USD. In short, the cyber criminals require victims to pay a high amount to get the access back to their private files.

When hosting the payment website on the Tor network, hackers store the private key on a command and control (C&C) server. The key is stored for a limited amount of time. The deletion is preset. It happens automatically. Having a deadline per default gives the opportunity to pressure people. The creators of Roshalock ransomware have not missed this chance. They elaborate the situation in the message. When presented with an ultimatum, the victim is more likely to give in. Do not let thieves manipulate your better judgment. Be advised that paying the ransom is not a definite guarantee. The renegade developers may not provide the decryption key. Even if they do, performing a decryption does not mean uninstalling the program. The hackers may reactivate it and encrypt your files again.

The best way to deal with viruses is prevention. You need to get an understanding of the propagation vector of Roshalock ransomware. This can help you avert an attack. The win-locker travels in spam emails. Spammers often present bogus letters as legitimate notifications from reputable entities. The secluded program will be hidden behind an attachment. The distributor can use a macro or a script to automatize the transfer. To avoid obtaining an infection this way, check the contacts from the email before opening the file. If the message has been sent on behalf of a certain company or organization, visit its official website and consult the contacts page.

Roshalock Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Roshalock Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Roshalock Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete