Roger ransomware belongs to the CrySIS/Dharma family. It takes its name from the .ROGER extension it usually appends to the encrypted files. Many variants of this virus circulate in the wild, appending different extensions to the encrypted files, but their functionality is very similar.
History of Roger Ransomware
Dharma was first observed in 2016. It is one of the most profitable Ransomware-as-a-Service (RaaS) offerings and it is still active today. The ransomware is very flexible and efficient. It targets businesses and lets the attacker choose the ransom amount according to the size of the business, so larger businesses are made to pay more for decryption.
It was offered for sale for $2000 in 2019, which worried researchers that someone might upload its source code and make it publicly available. That would give less-skilled attackers an easy opportunity to try it out, which could result in a massive Dharma outbreak.
Means of spreading
Roger ransomware usually spreads via:
- Targeted e-mails containing a malicious payload
Double extensions are typical for Dharma and Roger payloads. Windows may hide the real extension, so these files can appear to be non-executable even though they are not.
- Compromised legitimate software
This infection vector involves offers to install a legitimate-looking antivirus solution that in reality carries Roger ransomware. Such offers may be delivered through phishing campaigns.
- Abuse of RDP protocol
Roger operators often abuse leaked or weak RDP credentials and deploy the ransomware manually.
Execution of Roger Ransomware
Roger ransomware uses a command-line interface and launches itself through the Windows API. It starts an application for background execution, runs as a Windows service and escalates its privileges. To maintain persistence, it changes an autorun value in the registry and writes to a Start Menu file. It attempts to steal credentials for further spreading. Finally, it uses vssadmin.exe to delete shadow copies and then encrypts the files. The encryption is rather strong: it combines AES-256 with RSA-1024.
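As an added defender-side illustration (not code from the original article), the following Python sketch applies simple detection rules for the behaviours described above, shadow-copy deletion via vssadmin.exe, Run-key persistence, double-extension executables and files renamed to .ROGER, to a few constructed Sysmon-style event lines. The key=value event format, the field names and every sample value are assumptions made for this example.

```python
import re
from typing import Dict, List

# Constructed sample telemetry in a simplified key=value form, modelled on
# Sysmon process-create (eid=1), registry-set (eid=13) and file-create
# (eid=11) records. Every line here is made up for this example.
SAMPLE_EVENTS = [
    'eid=1 image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    'eid=1 image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c dir"',
    'eid=13 target=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\updater details="C:\\Users\\Public\\updater.exe"',
    'eid=11 target=C:\\Users\\alice\\Downloads\\invoice.pdf.exe',
    'eid=11 target=C:\\Users\\alice\\Documents\\report.docx',
    'eid=11 target=C:\\Users\\alice\\Documents\\report.docx.ROGER',
]

# One rule per behaviour the article attributes to Roger/Dharma.
SHADOW_DELETE = re.compile(r'\bvssadmin(\.exe)?\s+delete\s+shadows\b', re.I)
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce)\\', re.I)
DOUBLE_EXT = re.compile(r'\.(pdf|docx?|xlsx?|txt|jpe?g)\.(exe|scr|bat|cmd|js)$', re.I)
ROGER_EXT = re.compile(r'\.ROGER$', re.I)

# Matches key=value or key="value with spaces".
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value event line into a dict, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}


def detect(events: List[str]) -> List[Dict[str, str]]:
    """Apply each rule to each event and return one finding per hit."""
    findings = []
    for line in events:
        ev = parse_event(line)
        eid = ev.get('eid')
        if eid == '1' and SHADOW_DELETE.search(ev.get('cmdline', '')):
            findings.append({'rule': 'shadow_copy_deletion', 'evidence': ev['cmdline']})
        elif eid == '13' and AUTORUN_KEY.search(ev.get('target', '')):
            findings.append({'rule': 'autorun_persistence', 'evidence': ev['target']})
        elif eid == '11':
            target = ev.get('target', '')
            if DOUBLE_EXT.search(target):
                findings.append({'rule': 'double_extension_executable', 'evidence': target})
            elif ROGER_EXT.search(target):
                findings.append({'rule': 'roger_extension_written', 'evidence': target})
    return findings


if __name__ == '__main__':
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding['rule']:30} {finding['evidence']}")
```

A real deployment would read these fields from the EDR or Sysmon pipeline rather than from inline strings, and the shadow-copy rule in particular deserves alerting on its own because legitimate software rarely runs it.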