This week, cyber threat analysts has received reports of yet another ransomware named ‘Roland ransomware‘. This ransomware spreads via spam emails and malware files and appends the .roland file extension to encrypted files. This blog post will provide you with all the things you need to know about ransomware, how to remove .Roland ransomware virus from your computer and how to restore (decrypt) encrypted photos, documents and music for free.
What is ‘.Roland ransomware’? Roland ransomware is a new variant of the “firstname.lastname@example.org” crypto virus. It encrypts photos, documents and music using a hybrid encryption mode, preventing access to them. It will encrypt almost all types of files, including common as:
.dmp, .bik, .xls, .ncf, .ybk, .wbd, .jpg, .yml, .xlk, .hkx, .crw, .js, .zip, .odm, .cer, .xld, .xpm, .x3d, .rb, .xll, .wbm, .srw, .d3dbsp, .itdb, .odp, .3fr, .zdb, .wav, .map, .ntl, .1, .fos, .xlsx, .ai, .sum, .qdf, .kdb, .syncdb, .xx, .gdb, .dbf, .menu, .psk, .rtf, .upk, .bsa, .slm, .sid, .blob, .wdp, .der, .ltx, .vtf, .mef, .xlsm, .xyw, .wp, .avi, .p7b, .db0, .rim, .xmind, .wma, .iwi, .zw, .wbz, .wp6, .sis, .cfr, .wb2, .mdf, .wpl, .psd, .odc, .x3f, .lrf, .arch00, .ptx, .pef, .kdc, .wbc, .3dm, .z3d, .2bp, .wpb, .svg, .vfs0, .m4a, .ods, .fsh, .wps, .wpt, .1st, .sidn, .qic, .raf, .dwg, .jpe, .pptx, .re4, .arw, .accdb, .wm, .odt, .dazip, .desc, .sie, .xar, .ws, .orf, .wotreplay, .hkdb, .wdb, .mp4, .cas, .jpeg, .sql, .rofl, .mcmeta, .mlx, .cdr, .wsh, .big, .wbk, .ppt, .iwd, .x3f, .wp4, .wn, .wma, .bkp, .pptm, .mov, .m2, .zi, .doc, .sb, .xmmap, .xwp, .rar, .yal, .lbf, .asset, .docx, .indd, .wpg, .zip, .layout, .wire, .pdf, .wot, .pdd, .mddata, .bar, .xdl, .bkf, .tax, .bc7, .webdoc, .vpk, .p12, .sr2, .hvpl, .wp7, .eps, .dng, .vpp_pc, .z, .x, .wmo, .xlsm, .bc6, .mdbackup, .nrw, .wpe, .wpw, .sav, .raw, .vcf, .icxs, .odb, .t12, .ysp, .wpa, .7z, .wp5, .xml, .m3u, wallet, .vdf, .wgz, .wpd, .xyp, .srf, .crt, .dcr, .litemod, .webp, .gho, .mrwref, .0, .mpqge, .t13, .dba, .tor, .fpk, .lvl, .zabw, .sidd, .wmv, .itm, .esm, .cr2, .epk, .zif, .y, .pfx, .xdb, .css, .wsc, .xbplate, .flv, .forge, .w3x, .wpd, .kf, .pkpass, .wmv, .3ds, .wsd, .erf
Once a file is encrypted, its extension replaced to .roland. Next, the ransomware drops a file named ‘_readme.txt’. This file contain a instructions on how to decrypt all encrypted documents, photos and music. You can see an one of the variants of the ransom instructions below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-vpovVceDWN Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: email@example.com Reserve e-mail address to contact us: firstname.lastname@example.org Your personal ID:
Instructions which is shown below, will help you to remove .Roland ransomware as well as restore (decrypt) encrypted personal files stored on your PC drives.
Table of contents
- How to remove .Roland ransomware
- How to decrypt .roland files
- Use STOPDecrypter to decrypt .roland files
- How to restore .roland files
- How to protect your computer from .Roland ransomware?
- To sum up
How to remove .Roland ransomware
The following instructions will allow you to get rid of .Roland ransomware and other malicious software. Before doing it, you need to know that starting to remove ransomware virus, you may block the ability to decrypt documents, photos and music by paying authors of the ransomware virus requested ransom. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect different types of active ransomware infections and easily remove it from your computer, but they can not restore encrypted documents, photos and music.
Use Zemana Anti-malware to remove .Roland ransomware
Thinking about remove .Roland ransomware virus from your personal computer? Then pay attention to Zemana. This is a well-known tool, originally created just to locate and delete malware, adware software and PUPs. But by now it has seriously changed and can not only rid you of malware, but also protect your computer from ransomware, malicious software and adware, as well as identify and get rid of common viruses and trojans.
Zemana AntiMalware (ZAM) can be downloaded from the following link. Save it on your Microsoft Windows desktop.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is finished, start it and follow the prompts. Once installed, the Zemana Anti Malware (ZAM) will try to update itself and when this procedure is finished, click the “Scan” button to begin checking your PC system for the .Roland ransomware and other malware and PUPs.
This procedure may take some time, so please be patient. During the scan Zemana AntiMalware will detect threats present on your system. Review the results once the utility has done the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click “Next” button.
The Zemana AntiMalware (ZAM) will remove .Roland ransomware and other kinds of potential threats such as malicious software and potentially unwanted programs and add threats to the Quarantine.
Remove Roland ransomware virus with MalwareBytes Free
Manual Roland ransomware removal requires some computer skills. Some files and registry entries that created by the ransomware can be not completely removed. We recommend that run the MalwareBytes Anti Malware (MBAM) that are fully clean your machine of ransomware virus. Moreover, this free application will help you to remove malicious software, potentially unwanted programs, adware and toolbars that your computer may be infected too.
Please go to the following link to download the latest version of MalwareBytes Free for Microsoft Windows. Save it on your MS Windows desktop.
Category: Security tools
Update: April 15, 2020
When downloading is complete, close all software and windows on your computer. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup as displayed in the figure below.
When the installation begins, you’ll see the “Setup wizard” that will help you setup Malwarebytes on your computer.
Once installation is finished, you’ll see window as shown in the following example.
Now click the “Scan Now” button to start checking your computer for the Roland ransomware and other malicious software. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your PC system and the speed of your personal computer. During the scan MalwareBytes Free will locate threats exist on your system.
When the scan get completed, MalwareBytes Free will produce a list of malicious software. You may remove items (move to Quarantine) by simply click “Quarantine Selected” button.
The Malwarebytes will now remove Roland ransomware virus related files, folders and registry keys. When that process is done, you may be prompted to restart your PC.
The following video explains guidance on how to remove malicious software with MalwareBytes AntiMalware (MBAM).
Remove .Roland ransomware from PC system with KVRT
KVRT is a free removal tool which can check your computer for a wide range of security threats such as the .Roland ransomware virus, adware, trojans as well as other malware. It will perform a deep scan of your PC system including hard drives and Windows registry. When a malicious software is detected, it will help you to remove all detected threats from your computer with a simple click.
Download Kaspersky virus removal tool (KVRT) from the link below.
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once downloading is finished, double-click on the KVRT icon. Once initialization procedure is complete, you will see the KVRT screen like below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button . KVRT utility will begin scanning the whole computer to find out the .Roland ransomware and other known infections. Depending on your computer, the scan may take anywhere from a few minutes to close to an hour. When a malicious software, adware or PUPs are found, the number of the security threats will change accordingly. Wait until the the scanning is done.
When the scan is finished, Kaspersky virus removal tool will display a scan report as shown below.
Once you have selected what you want to delete from your machine click on Continue to start a cleaning procedure.
How to decrypt .roland files
The .Roland ransomware encourages victim to contact it’s makers in order to decrypt all files. These persons will require to pay a ransom (usually demand for $490 or $980 in Bitcoins).
There is absolutely no guarantee that after pay a ransom to the authors of the .Roland ransomware virus, they will provide the necessary key to decrypt your files. In addition, you must understand that paying money to the cyber criminals, you are encouraging them to create a new ransomware virus.
Use STOPDecrypter to decrypt .roland files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.roland).
Please check the twitter post for more info.
How to restore .roland files
In some cases, you can recover files encrypted by .Roland ransomware virus. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Restore .roland encrypted files using Shadow Explorer
The Windows has a feature named ‘Shadow Volume Copies’ that can allow you to restore .roland files encrypted by the .Roland ransomware. The method described below is only to restore encrypted personal files to previous versions from the Shadow Volume Copies using a free tool named the ShadowExplorer.
Download ShadowExplorer on your machine by clicking on the following link.
Category: Security tools
Update: September 15, 2019
Once downloading is finished, extract the saved file to a directory on your machine. This will create the necessary files as displayed on the screen below.
Launch the ShadowExplorerPortable application. Now choose the date (2) that you wish to recover from and the drive (1) you wish to recover files (folders) from as displayed on the image below.
On right panel navigate to the file (folder) you wish to recover. Right-click to the file or folder and press the Export button as displayed below.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and click ‘OK’ button.
Run PhotoRec to restore .roland files
Before a file is encrypted, the .Roland ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore applications such as PhotoRec.
Download PhotoRec from the link below.
Category: Security tools
Update: March 1, 2018
When downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll show a screen as displayed on the image below.
Select a drive to recover as shown on the screen below.
You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed in the figure below.
Click File Formats button and select file types to recover. You can to enable or disable the restore of certain file types. When this is finished, click OK button.
Next, press Browse button to select where restored files should be written, then click Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have selected on the previous step. You can to access the files even if the restore process is not finished.
When the restore is complete, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as shown in the figure below.
All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your computer from .Roland ransomware?
Most antivirus software already have built-in protection system against the ransomware virus. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Use HitmanPro.Alert to protect your machine from .Roland ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your personal computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows operating system from Windows XP to Windows 10.
Click the link below to download HitmanPro Alert. Save it to your Desktop so that you can access the file easily.
Category: Security tools
Update: March 6, 2019
Once the download is complete, open the file location. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. Once the utility is opened, you’ll be displayed a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
To sum up
Now your system should be free of the .Roland ransomware virus. Uninstall MalwareBytes and KVRT. We recommend that you keep Zemana (to periodically scan your computer for new malware). Make sure that you have all the Critical Updates recommended for Microsoft Windows operating system. Without regular updates you WILL NOT be protected when new ransomware, malicious apps and adware are released.
If you are still having problems while trying to remove .Roland ransomware virus from your personal computer, then ask for help here.