Roger ransomware (Virus Removal Instructions) - Free Guide

Roger virus Removal Guide

What is Roger ransomware?

Roger ransomware – a Dharma variant that sometimes spreads via a known set of exploits

Roger ransomware is a malicious program that encrypts your files and holds them hostage until ransom is paid

Roger ransomware is a file-encrypting virus that originally stems from Dharma/Crysis. Just like its predecessors, this malware specializes in encrypting all personal files on the system and then demanding a ransom of various amounts to be paid in Bitcoin cryptocurrency. It uses AES, DES, or RSA algorithms to lock data and then appends a victim ID, an email address, and a .ROGER extension to each file name. The ransomware also drops two ransom notes, Info.hta and FILES ENCRYPTED.txt, which state the cybercriminals' demands.

Roger virus first showed up in November 2019, and multiple variants have appeared since then. The latest variants use the support@zimbabwe.su, decoding@tuta.io, and pexdatax@gmail.com email addresses for communication, as well as in the appendix added to the encrypted files. The attackers also provide the Telegram username @pexdata, which can be used to contact them.

Unfortunately, when it comes to data decryption, most newer Dharma versions, including the one behind .roger files, cannot be decrypted, as a working decryptor exists only for its earlier versions (released around 2016). Despite this, victims are not advised to pay the ransom, as it would only increase criminals' profits from illegal activities. If you were unlucky enough to have the .roger extension appended to your files, you should check out the alternative methods below that might be able to help you.

Most malware versions can be detected by security solutions, according to VirusTotal data.[1] Thus, running a powerful anti-malware solution is a must for every computer user. Besides, Roger ransomware was seen being spread via a set of known exploits[2] along with LockBit ransomware, so users might see double extensions, such as .roger.lockbit, appended to their files. So don't forget to patch all installed programs with the latest security updates.

Name: Roger ransomware / Roger virus / .roger file
Category: Cryptovirus, file locking malware
Family: Dharma/Crysis family
Danger level: This malware is highly dangerous. Once it penetrates targeted Windows computers, it starts encrypting all files, preventing access until ransom is paid
Appendix: .ROGER. Additionally, the malware appends an email address and a unique ID to each of the affected files. Example of an encrypted file: picture.jpg.id-2M487V00.[btcdecoding@foxmail.com].ROGER
Ransom note: FILES ENCRYPTED.txt and Info.hta
Spreading: While ransomware makers can use various methods for distribution, it was observed being spread along with other ransomware via vulnerabilities and exploits
Main goal: Encrypt all personal files on the targeted Windows machines and then extort ransom from users, to be paid in Bitcoin cryptocurrency
Elimination tip: You should take immediate action to remove the malware once you find the ransomware on your computer system. Employ reliable antivirus software to complete the task
Repair process: If the ransomware virus has damaged some system components, you can try repairing them with specific system repair software. We recommend trying Fortect or Intego, as this software might prove helpful
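
The naming pattern in the Appendix row can be turned into a read-only triage check that counts affected files and extracts the victim ID and contact address. This is an added example, not code from the original guide; the alphanumeric ID format is assumed from the single example file name above, and the sample files are constructed.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# <original name>.id-<victim ID>.[<contact>].ROGER, as in the example file name.
# The optional ".lockbit" tail covers the .roger.lockbit double extension.
# Assumption: the ID is alphanumeric, as in the single example on this page.
ROGER_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]+)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.roger(?P<lockbit>\.lockbit)?$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}  # note names given on this page


def parse_roger_name(filename):
    """Split a Roger-style file name into its parts; None if it does not match."""
    m = ROGER_NAME.match(filename)
    if m is None:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "contact": m.group("contact"),
        "double_extension": m.group("lockbit") is not None,
    }


def triage(root):
    """Read-only walk of root: count affected files, IDs, contacts and notes."""
    report = {"encrypted": 0, "double_extension": 0, "victim_ids": set(),
              "contacts": Counter(), "ransom_notes": []}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTES:
            report["ransom_notes"].append(path.name)
            continue
        parts = parse_roger_name(path.name)
        if parts:
            report["encrypted"] += 1
            report["double_extension"] += parts["double_extension"]
            report["victim_ids"].add(parts["victim_id"])
            report["contacts"][parts["contact"]] += 1
    return report


def demo():
    """Build a throwaway tree of empty, constructed sample files and triage it."""
    names = [
        "picture.jpg.id-2M487V00.[btcdecoding@foxmail.com].ROGER",  # from the page
        "report.docx.id-2M487V00.[btcdecoding@foxmail.com].roger.lockbit",  # constructed
        "notes.txt", "FILES ENCRYPTED.txt",  # constructed: clean file, ransom note
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for name in names:
            (Path(tmp) / name).touch()
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

More than one victim ID or contact address in the report suggests that the machine was hit more than once or by more than one variant.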

Roger ransomware virus can make multiple changes to your Windows computer system and run malicious processes in the background. If it were not for the new extensions and the displayed ransom note, you might not even recognize that something has gone wrong until you try to open a file and it does not load properly.

However, Roger ransomware wants to make sure that victims notice it, as that is how it collects income. In this case, the criminals urge victims to follow a rogue link that can be opened only via the Tor browser:

YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:zombietry4o3nzeh.onion/?ticket=Rt31ws32vJLxvwudeH_1E857D00
Use Tor Browser to access this address.
If you have not been answered via the link within 12 hours, write to us by e-mail:backdata.company@aol.com
Attention!
Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

You should never trust Roger ransomware authors, and you should not give in to their demands. We do not recommend following the suspicious link, as you cannot know where it might take you. You might be lured into some type of scam, convinced to hand over a large sum of money, or have your identity stolen. Anything can happen on the dark web.

Once Roger ransomware locks files, there is little chance of restoring them successfully without backups

A wiser option would be to remove Roger ransomware from your Windows machine and try other data recovery possibilities. At the end of this article, you will find several data restoring techniques, some of which might be very helpful if properly used. Even though there is no 100% guarantee that the software will work, almost any option is better than risking huge sums of money by paying the criminals and losing them for nothing.

Roger file virus might be able to launch PowerShell commands that delete or destroy Shadow Copies[3] of encrypted data. This is done to make data recovery harder for the victims. Also, the malware might be able to permanently damage the Windows hosts file to prevent access to security-related forums and websites.

When completing the Roger ransomware removal process, do not forget to eliminate the hosts file; otherwise, you might still be blocked from visiting some pages online. In addition, the malware might inject certain processes and entries that allow the parasite to boot up every time the system is turned on or to avoid antivirus detection.
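
To see what a tampered hosts file is doing before cleaning it up, its active entries can be listed and classified. The following is an added example, not part of the original guide; the .example host names and the sample file are constructed, and DEFAULT_NAMES is an assumed allow-list.

```python
import ipaddress

# Names a stock hosts file may map on its own (assumption: extend per environment).
DEFAULT_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                 "ip6-localhost", "ip6-loopback"}

# Constructed sample; the .example names are placeholders, not real indicators.
SAMPLE_HOSTS = """\
# Sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       av-vendor.example www.av-vendor.example  # two names, one line
0.0.0.0         forum.security.example
203.0.113.10    update.av-vendor.example
not-an-ip       broken.example
"""


def parse_hosts(text):
    """Yield (line_no, ip or None, [names]) for each active line of a hosts file."""
    for line_no, raw in enumerate(text.lstrip("\ufeff").splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            ip = None  # first field is not an address
        yield line_no, ip, [n.lower() for n in fields[1:]]


def audit_hosts(text):
    """Return findings for every mapping that is not a stock localhost entry."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "malformed", None, " ".join(names)))
            continue
        # Loopback or 0.0.0.0 makes the name unreachable; anything else redirects it.
        kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
        for name in names:
            if name not in DEFAULT_NAMES:
                findings.append((line_no, kind, str(ip), name))
    return findings


if __name__ == "__main__":
    # On Windows the live file is %SystemRoot%\System32\drivers\etc\hosts.
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```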

Moreover, Roger ransomware might bring other malicious infections, such as trojans, cryptocurrency miners, and other parasites, to the Windows computer system. If you do not get rid of the ransomware fast, you might end up with multiple severe cyber threats on the machine and experience irreparable system damage.

When eliminating the cyber threat, you should check the entire system for all possibly damaged locations that might have been infected by Roger ransomware. If you find some corrupted components, you can try repairing them with the help of Fortect, Intego, or any other tool of your choice.

Roger ransomware virus has been seen using the following contact emails:


Roger ransomware virus leaves two ransom notes with contact information and other details

Ransomware delivery techniques

According to security experts from NoVirus.uk,[4] ransomware infections are intensively spread by using deceptive and social engineering techniques. The criminals often target computer systems that have weak protection and are easy to compromise. A lack of antivirus software might be a signal for hackers to attack you.

These people use email spam as a way to reach the victim. They send official-looking messages that supposedly come from reliable shipping firms such as FedEx or DHL, banking organizations, healthcare providers, etc. The crooks either place the malicious payload behind a hyperlink in the message itself or attach an infected file/document to the email.

A tip from us would be to always identify the sender and check whether the message is coming from an unrecognizable email address. Also, read the entire text and look for grammar/style mistakes, which are usually easy to spot. Last but not least, do not open any attachments before scanning them with reliable antimalware software.

Furthermore, ransomware viruses might be distributed via third-party sources such as p2p networks, through indirect download links for software cracks. Also, RDP services that have weak password protection or are left unprotected altogether are among the main targets of cybercriminals, who can enter the targeted systems via the hacked RDP.

Roger ransomware - a dangerous file-encrypting malware that comes from the Dharma/Crysis family

It is advisable to use only antimalware for Roger ransomware removal

We want to warn all users that Roger ransomware is a dangerous cyber threat that can scatter malicious components all over the Windows computer system. Given this, automatic elimination would be the best option.

To remove Roger ransomware from the infected system, you need strong system software. Also, you should try to find infected components on your machine by employing a program such as SpyHunter 5, Combo Cleaner, or Malwarebytes. Afterward, try fixing all damaged objects by using Fortect or Intego, as it might be helpful in some cases.

After Roger ransomware removal, you should go to the end of this article, where you will find some data recovery tips. Even though there is no 100% guarantee that this software will be helpful, trying these products is still a far better decision than paying the criminals and risking getting scammed.


Getting rid of Roger virus. Follow these steps

Manual removal using Safe Mode

To stop malicious processes on your Windows computer, boot the machine in Safe Mode with Networking. Below you will find the instructions needed for this task.

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that contains malicious files).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove Roger using System Restore

To diminish harmful activities on the machine, you should use the System Restore feature. To do so, apply the following steps.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe (without quotes) and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point that is prior to the infiltration of Roger. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Fortect or Intego, scan your computer with it, and make sure that Roger removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Roger from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Roger, you can use several methods to restore them:

Activate Data Recovery Pro for file restoring tasks.

Use this software to recover some of your data files and documents that have been touched by the ransomware virus.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Roger ransomware;
  • Restore them.

Employ Windows Previous Versions feature for data recovery.

Try using this feature for recovering some components that have been touched by the malware.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Using Shadow Explorer might help with file restoring.

This tool might be helpful for file recovery if the ransomware virus did not destroy Shadow Copies of the encrypted documents.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Cybersecurity specialists are currently working on the official decryption tool.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Roger and other ransomware, use a reputable anti-spyware, such as Fortect, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has gained momentum in recent years, and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security is to choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.

 

Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Jake Doevan - Computer technology expert


References