ROGER file extension
.ROGER file extension is a file extension that is used by a malware belonging to the Crysis/Dharma ransomware family to mark files that have been encrypted. Ransomware is a form of malware created by criminals that restricts access to the victim’s files by encrypting them and demands a ransom for a pair of key-decryptor, necessary for decrypting files. Files encrypted with .ROGER extension become useless, their contents cannot be read without the key that the criminals have. Today there are several variants of the ROGER virus, they are distinguished by the email address that victims must use to contact criminals.
Files encrypted with .ROGER extension
ROGER virus
ROGER virus is one of the variants of Dharma/Crysis ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. This virus encrypts files using a strong encryption method, which eliminates the possibility of finding a key in any way. For each victim, ROGER ransomware uses a unique key. It has the ability to encrypt files of any type, regardless of what is in them. Thus, the following common file types can be easily encrypted:
.qdf, .blob, .hkdb, .p12, .pem, .sidd, .iwd, .lbf, .zi, .indd, .sum, .db0, .zdc, .csv, .gho, .xwp, .cas, .wm, .crt, .ntl, .bkp, .pkpass, .wpt, .bsa, .psk, .wpl, .dazip, .3dm, .xml, .gdb, .pptm, .ibank, .kf, .webp, .xf, .xmmap, .wmv, .sql, .m4a, wallet, .wsd, .d3dbsp, .z3d, .bik, .xbdoc, .vpk, .litemod, .odm, .ff, .rofl, .bc6, .xlsb, .js, .mrwref, .wire, .bay, .wot, .wsh, .kdb, .epk, .w3x, .iwi, .x3d, .wsc, .wp, .wpd, .der, .wb2, .dcr, .wbk, .wpb, .rw2, .css, .xlgc, .xmind, .ppt, .raf, .crw, .cer, .vdf, .jpg, .svg, .odc, .apk, .odt, .sb, .xlsx, .raw, .xbplate, .wpd, .wpw, .mdf, .slm, .1st, .fsh, .rb, .rgss3a, .t12, .vtf, .dba, .x3f, .das, .pfx, .xar, .rar, .0, .xyp, .ztmp, .docx, .mdb, .flv, .sid, .xy3, .pef, .doc, .odb, .mddata, .sie, .bc7, .re4, .xlsm, .wbc, .xlsm, .map, .m2, .1, .menu, .zif, .asset, .mef, .mov, .jpe, .tor, .xlk, .xlsx, .xls, .mdbackup, .mpqge, .wri, .rtf, .srw, .odp, .wdb, .xll, .pdf, .m3u, .vpp_pc, .mcmeta, .mlx, .jpeg, .wmo, .tax, .rwl, .layout, .ybk, .wp5, .wp7, .yml, .dbf, .7z, .xdl, .hkx, .forge, .wps, .xyw, .ods, .wp6, .zip, .txt, .p7c, .yal, .lrf, .xdb, .wpg, .big, .avi, .xx, .eps, .bkf, .kdc, .y, .wpe, .wn, .ysp, .qic, .upk, .icxs, .ncf, .xxx, .mp4, .wcf, .psd, .dxg, .vcf, .fos, .syncdb, .x, .wma, .xld
Each file that has been encrypted will be renamed. This means the following. If the file was called ‘document.docx’, then after encryption, it will be named ‘document.docx.id-[USER-ID].[EMAIL-ADDRESS].ROGER’. ROGER ransomware can encrypt files located on any disks connected to the computer. Therefore, files located in network attached storage and external devices can also be encrypted. If you change the name of the encrypted file, just delete the appended extension, then nothing will change. The file will remain encrypted, and as before, this file will not be possible to open in the program with which it is associated.
ROGER ransom note pop-up
The text presented in this pop-up:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email LeeBob78@aol.com YOUR ID 5469E974
If you have not been answered via the link within 12 hours, write to jabber mfrank@xmpp.jp or e-mail:NoahDavis88@protonmail.comAttention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Currently, there are several variants of the ROGER ransomware, which differ in the extension appended to the encrypted files:
- .[decrypt@files.mn].ROGER
- .[mr_shox@protonmail.com].ROGER
- .[FrankMiller888@aol.com].ROGER
- .[NoahDavis88@protonmail.com].ROGER
- .[cryptfiles@protonmail.com].ROGER
- .[cryptfiles@goal.si].ROGER
- .[backdata.company@aol.com].ROGER
- .[recoverysql@protonmail.com].ROGER
- .[anna.kurtz@protonmail.com].ROGER
- .[admin@spacedatas.com].ROGER
- .[wang.chang888@tutanota.com].ROGER
- .[admin@datastex.club].ROGER
- .[LeeBob78@aol.com].ROGER
Perhaps you found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.
ROGER virus – ransom note
This file is very important, in addition to containing a ransom demand mesage, it also contains information that allows you to contact intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you will push attackers to create a new ransomware.
The contents of the FILES ENCRYPTED.txt file:
all your data has been locked us
You want to return?
write email LeeBob78@aol.com or NoahDavis88@protonmail.com
Threat Summary
| Name | ROGER |
| Type | Crypto malware, File locker, Crypto virus, Filecoder, Ransomware |
| Encrypted files extension | .id-[USER-ID].[EMAIL-ADDRESS].ROGER |
| Ransom note | FILES ENCRYPTED.txt |
| Contact (email address) | decrypt@files.mn, FrankMiller888@aol.com, NoahDavis88@protonmail.com, cryptfiles@protonmail.com, cryptfiles@goal.si, backdata.company@aol.com, recoverysql@protonmail.com, anna.kurtz@protonmail.com, admin@spacedatas.com, wang.chang888@tutanota.com, admin@datastex.club, LeeBob78@aol.com, NoahDavis88@protonmail.com |
| Ransom amount | $500-$1500 in Bitcoins |
| Detection Names | Trojan.Ransom.Crysis.E, Trojan.Win32.Crusis.tqMs, Win32:RansomX-gen [Ransom], AI:Packer.D3B9457E1E, W32.RansomeDNZ.Trojan, Win.Trojan.Dharma-6668198-0, TrojWare.Win32.Crysis.D@6sd9xy, Trojan.Encoder.3953, A Variant Of Win32/Filecoder.Crysis.P, W32/Wadhrama.B, W32/Crysis.W!tr.ransom, Win32.Trojan-Ransom.VirusEncoder.A, Trojan.Crypren.ic, Ransom.Crysis, Troj/Criakl-G, Trojan-Ransom.Win32.Crusis.to |
| Symptoms | Documents, photos and music won’t open. Your documents, photos and music have different extension appended at the end of the file name. Your file directories contain a ‘ransom note’ file that is usually a .html, .jpg or .txt file. Ransom note in a pop-up window with cybercriminal’s ransom demand and instructions. |
| Distribution ways | Spam or phishing emails that are designed to get people to open an attachment or click on a link. Drive-by downloading (when a user unknowingly visits an infected web-page and then malicious software is installed without the user’s knowledge). Social media posts (they can be used to mislead users to download malicious software with a built-in ransomware downloader or click a suspicious link). USB flash drive and other removable media. |
| Removal | ROGER virus removal guide |
How to remove ROGER ransomware, Restore .ROGER files
If your files have been encrypted with ‘.ROGER’ extension, then first of all you need to remove ROGER ransomware and be 100% sure that there is no active ransomware on your computer, and then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe the magical instructions that say that this can be done very quickly. We definitely recommend, even if for some reason one of the methods proposed below did not suit you, try another one and try all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. And the last, before proceeding with the instructions, we advise you to read it thoroughly carefully, and then print or open it on a tablet or smartphone to have it always at hand.
- How to remove ROGER ransomware
- How to decrypt .ROGER files
- How to restore .ROGER files
- How to protect your computer from ROGER crypto malware
How to remove ROGER ransomware
First you need to remove the ROGER ransomware autostart entries before decrypting and recovering encrypted files. Another option is to perform a full scan of the computer using antivirus software capable of detecting and removing ransomware infection.
It is very important to scan the computer for malware, as security researchers found that spyware could be installed on the infected computer along with the ROGER ransomware. Spyware is a very dangerous security threat as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing the ransomware, then let us know in the comments, we will try to help you.
To remove ROGER ransomware, use the steps listed below:
Kill ROGER ransomware
Press CTRL, ALT, DEL keys together.
Click Task Manager. Select the “Processes” tab, look for something suspicious that is the ROGER ransomware then right-click it and select “End Task” or “End Process” option.
A process is particularly suspicious: it is taking up a lot of memory (despite the fact that you closed all of your programs, its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing).
Disable ROGER ransomware Start-Up
Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.
Close Task Manager.
Scan computer for malware
Zemana Anti-Malware highly recommended, because it can detect security threats such ransomware, other malicious software and trojans which most ‘classic’ antivirus software fail to pick up on. Moreover, if you have any ROGER removal problems which cannot be fixed by this utility automatically, then Zemana provides 24X7 online assistance from the highly experienced support staff.
- First, please go to the following link, then click the ‘Download’ button in order to download the latest version of Zemana.
Zemana AntiMalware
158958 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- At the download page, click on the Download button. Your browser will open the “Save as” dialog box. Please save it onto your Windows desktop.
- Once the downloading process is complete, please close all applications and open windows on your computer. Next, run a file named Zemana.AntiMalware.Setup.
- This will start the “Setup wizard” of Zemana onto your system. Follow the prompts and don’t make any changes to default settings.
- When the Setup wizard has finished installing, the Zemana Free will launch and display the main window.
- Further, click the “Scan” button to perform a system scan for the ROGER ransomware, other kinds of potential threats like malicious software and trojans. This process can take some time, so please be patient. While the Zemana utility is checking, you may see count of objects it has identified as being affected by malware.
- When Zemana is done scanning your computer, Zemana Anti Malware (ZAM) will show a screen that contains a list of malware that has been found.
- Next, you need to press the “Next” button. The tool will remove ROGER crypto malware and other security threats and add threats to the Quarantine. Once the task is finished, you may be prompted to reboot the personal computer.
- Close the Zemana Anti-Malware (ZAM) and continue with the next step.
If you’re having problems with the ROGER ransomware virus removal, then download MalwareBytes Anti-Malware (MBAM). It is free for home use, and searches for and deletes various malicious software that attacks your machine or degrades personal computer performance. MalwareBytes Free can remove spyware, adware, worms as well as other malware, including ransomware and trojans.
Visit the page linked below to download the latest version of MalwareBytes Anti-Malware for MS Windows. Save it on your Microsoft Windows desktop or in any other place.
316605 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
After the download is done, close all software and windows on your PC. Double-click the install file named mb3-setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you install MalwareBytes Anti Malware (MBAM) on your personal computer. Follow the prompts and do not make any changes to default settings.
Once install is done successfully, click Finish button. MalwareBytes AntiMalware will automatically start and you can see its main screen as shown below.
Now press the “Scan Now” button to perform a system scan with this utility for the ROGER ransomware virus related folders,files and registry keys. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. While the MalwareBytes Anti-Malware is checking, you can see count of objects it has identified either as being malicious software.
When finished, the results are displayed in the scan report. Make sure all threats have ‘checkmark’ and click “Quarantine Selected” button. The MalwareBytes Anti-Malware (MBAM) will delete ROGER crypto malware related folders,files and registry keys and move items to the program’s quarantine. After the process is done, you may be prompted to restart the personal computer.
In order to be 100% sure that the computer no longer has the ROGER crypto malware, we recommend using the Kaspersky virus removal tool (KVRT). It is free and easy to use. It can detect and remove ROGER ransomware and other malware. KVRT is powerful enough to find and uninstall malicious registry entries and files that are hidden on the system.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
123254 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
Once the download is done, double-click on the KVRT icon. Once initialization process is finished, you’ll see the Kaspersky virus removal tool screen like below.
Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to perform a system scan with this utility for the ROGER crypto malware and other trojans and harmful programs. This process can take quite a while, so please be patient. While the Kaspersky virus removal tool tool is scanning, you can see how many objects it has identified as being infected by malicious software.
After that process is finished, Kaspersky virus removal tool will show a list of detected threats as shown below.
You may delete threats (move to Quarantine) by simply click on Continue to begin a cleaning task.
How to decrypt .ROGER files
All files with the ‘.ROGER’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, today there is no way to decrypt files encrypted with ROGER virus, because to decrypt them you need a unique key, and this key is in the hands of criminals.
Never pay the ransom! Some users, wishing to recover access to blocked documents, photos and music, pay the ransom amount of money to cyber frauds. However, it is important to remember before performing this action that you are interacting with unscrupulous and dishonest people, and the probability that after transferring money they will not provide you with a decryption key to decrypt the encrypted files or increase the amount of ransom is high enough.
Fortunately, there are several alternative methods that do not require the use of a key and therefore allow you to restore the contents of encrypted files. Try to recover the encrypted files using free tools listed below.
How to restore .ROGER files
As we said above, today you cannot decrypt .ROGER files. Fortunately, there are several simple ways that in some cases can help restore the contents of encrypted files without decryption. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that ROGER virus has been removed. To find and remove ransomware, use the free malware removal tools.
Recover .ROGER files with ShadowExplorer
An alternative is to restore personal files from their Shadow Copies. The Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saved as part of system protection. This feature is fantastic at rescuing photos, documents and music that were encrypted by ROGER ransomware virus. The tutorial below will give you all the details.
Download ShadowExplorer from the link below.
416755 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
After downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.
Run the ShadowExplorer utility and then choose the disk (1) and the date (2) that you want to restore the shadow copy of file(s) encrypted by the ROGER crypto virus as shown in the following example.
Now navigate to the file or folder that you want to recover. When ready right-click on it and click ‘Export’ button as shown on the screen below.
This video step-by-step guide will demonstrate How to recover encrypted files using Shadow Explorer.
Run PhotoRec to restore .ROGER files
Before a file is encrypted, the ROGER ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your photos, documents and music using file recover apps like PhotoRec.
Download PhotoRec on your MS Windows Desktop from the following link.
After the download is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as on the image below.
Double click on qphotorec_win to run PhotoRec for Windows. It will show a screen as shown in the following example.
Choose a drive to recover as shown below.
You will see a list of available partitions. Select a partition that holds encrypted photos, documents and music as on the image below.
Click File Formats button and specify file types to restore. You can to enable or disable the recovery of certain file types. When this is finished, click OK button.
Next, click Browse button to choose where recovered documents, photos and music should be written, then press Search. We strongly recommend that you save the recovered files to an external drive.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is finished, click on Quit button. Next, open the directory where restored documents, photos and music are stored. All restored personal files are written in recup_dir.1, recup_dir.2 … sub-directories.
If you are looking for a specific file, then you can to sort your recovered files by extension, size and/or date/time.
This video step-by-step guide will demonstrate How to recover encrypted files using PhotoRec.
How to protect your computer from ROGER crypto malware?
Most antivirus software already have built-in protection system against the ransomware. Therefore, if your PC does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from Microsoft Windows XP to Windows 10.
Click the following link to download HitmanPro.Alert. Save it to your Desktop.
Once the downloading process is complete, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the tool is started, you’ll be shown a window where you can select a level of protection, as shown on the image below.
Now click the Install button to activate the protection.
Finish words
This guide was created to help all victims of ROGER ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to recover .ROGER files. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with ROGER related issues, go to here.
