Crypto viruses have been around for years, but their sophistication keeps increasing as ransomware operators add new techniques to their extortion arsenal. The latest sample, called Rokku, uses an encryption approach that none of its counterparts had used before. Having compromised a Windows computer, it encrypts the victim’s data with Salsa20, a stream cipher that is faster than other widespread algorithms. This lets the attackers complete the whole encryption cycle in a matter of minutes regardless of the data volume. Another characteristic is that a unique key is generated for every file, so the victim will have an even harder time trying to recover data on their own. Each of these per-file keys is in turn encrypted with the asymmetric RSA algorithm. Finally, the ransomware appends a .rokku extension to the locked files.
Every folder containing encrypted files also receives two documents, namely Readme_How_To_Unlock.txt and Readme_How_To_Unlock.html. Both provide the victim with a link to a Tor page titled the “Unlock Service”. Before the victim can even access this server, however, they have to upload one of their encrypted files; this step essentially serves as the logon transaction. The Tor gateway then informs the user of the size of the ransom, that is, the price of the decryption key. The amount is currently set to 0.2407 BTC, which roughly equals 100 USD. Compared to other ransom trojan strains circulating on the Internet, that is a moderate sum, but it is still hardly comforting for those attacked.
One somewhat encouraging fact about the Rokku ransomware is that although the per-file Salsa20 keys are encrypted with RSA, the RSA key is not particularly strong: it is only 512 bits long. This might make it possible to recover the key, although security researchers have not succeeded in doing so yet. Bear in mind, too, that cyber gangs distributing ransomware tend to patch potential flaws in their code as new editions go live. At this point, victims can only recover one file of their choice for free by uploading it to the aforementioned Unlock Service page. To restore the rest, they have to pay in Bitcoin and obtain the decryptor along with the so-called root key once the payment verification completes.
Removing the .rokku file extension malware itself isn’t much of a challenge; basically, any reliable security suite can do it. The data restoration part, however, is a pain because the ransomware disables the Volume Shadow Copy Service. If a backup of the information is readily available, the user is lucky. Below are a few methods to get around the Rokku virus and rescue at least some of the encrypted files.
Using a reputable security suite is an exceptionally efficient method for taking care of malware in general and ransomware threats in particular. It ensures scrupulous detection of all virus components and their complete removal in a single click. Be advised, though, that uninstalling this infection and recovering your files are two different things; the need to remove the pest is nonetheless indisputable, as it has been reported to drop other Trojans while operating.
As mentioned above, the Rokku ransomware applies strong crypto to render files inaccessible, so there is no magic wand that restores all of the encrypted data in the blink of an eye, short of paying the ransom. There are techniques, though, that can help recover the important files; they are described below.
Automatic file recovery software
Notably, the infection deletes the original, unencrypted files; it is copies of them that undergo the ransomware’s crypto processing. Tools like Data Recovery Pro can therefore restore the deleted objects, even if they were removed in a secure way. This workaround is definitely worth trying, as it has proved fairly effective.
Shadow Volume Copies
This approach relies on Windows’ native backup of files, which is taken at each restore point. There is an important condition: it only works if the System Restore feature was turned on before the infection. Also, any changes made to a file after the most recent restore point will not be reflected in the recovered version.
The Properties dialog of any file has a tab called Previous Versions. That is where the backed-up versions are listed and can be recovered from. So right-click a file, go to Properties, open the above-mentioned tab and select Copy or Restore, depending on where you would like it recovered to.
The above process can be automated with a tool called Shadow Explorer. It does the same thing (retrieving Shadow Volume Copies), but in a more convenient way. Download and install the application, run it and browse to the files and folders whose previous versions you wish to restore. To get the job done, right-click any of the entries and select Export.
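As an added example (not part of the original guide or of Shadow Explorer) that covers both the VSS-disabling behaviour noted earlier and the shadow-copy recovery steps above, the following PowerShell script checks the state of the VSS service, lists the shadow copies that survived, exposes the newest one as a read-only directory via a junction, and copies back originals for files that now carry the .rokku extension. It assumes an elevated prompt on an already cleaned machine, that the affected files live on C: and are named <original>.rokku, and uses C:\ShadowRecovery as an arbitrary mount path.

```powershell
# Added example: recover pre-infection file versions from surviving shadow copies.
# Run from an elevated PowerShell prompt after the ransomware has been removed.
$MountPoint = 'C:\ShadowRecovery'   # assumed, arbitrary junction path

# 1. Rokku is reported to disable the Volume Shadow Copy Service; check its state.
$vss = Get-Service -Name VSS
Write-Host ("VSS service: status={0} startup={1}" -f $vss.Status, $vss.StartType)
if ($vss.StartType -eq 'Disabled') {
    Write-Warning 'VSS startup type is Disabled; re-enable with: Set-Service -Name VSS -StartupType Manual'
}

# 2. Enumerate shadow copies that still exist. If none remain, the Previous Versions
#    tab and Shadow Explorer will have nothing to offer either.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate -Descending
if (-not $shadows) {
    Write-Warning 'No shadow copies found; this recovery path is not available.'
    return
}
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# 3. Expose the newest snapshot as a directory. Pick an older entry from the table
#    above if the newest one was taken after the infection. The trailing backslash
#    on the device path is required by mklink; the device path contains no spaces.
$snapshot = $shadows | Select-Object -First 1
if (-not (Test-Path $MountPoint)) {
    cmd.exe /c mklink /d $MountPoint "$($snapshot.DeviceObject)\"
}

# 4. For every <name>.rokku on the live C: volume, look for <name> inside the
#    snapshot and copy it back next to the encrypted file (assumed naming pattern).
$restored = 0
Get-ChildItem -Path 'C:\Users' -Recurse -Filter '*.rokku' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $original = $_.FullName -replace '\.rokku$', ''
        $inShadow = Join-Path $MountPoint $original.Substring(3)   # strip leading 'C:\'
        if (Test-Path -LiteralPath $inShadow) {
            Copy-Item -LiteralPath $inShadow -Destination $original -ErrorAction SilentlyContinue
            $restored++
        }
    }
Write-Host "Restored $restored file(s) from snapshot $($snapshot.ID)"

# 5. Remove the junction when done; the snapshot itself is left untouched.
# cmd.exe /c rmdir $MountPoint
```

The script only copies files whose encrypted counterpart still exists; originals deleted outright by the ransomware can still be browsed manually under the mount point.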
Of all the options that do not involve paying the ransom, this one is the best. If you had been backing up your information to an external server before the ransomware hit your PC, restoring the encrypted files is as simple as logging into the respective interface, selecting the right files and starting the restore. Before you do so, however, be sure to completely remove the ransomware from your computer.
If you chose the manual cleanup route, some fragments of the ransomware may remain as obfuscated objects in the operating system or the registry. To make sure no malicious components of the threat are left, scan your computer with a reliable malware security suite.