Rocklee (.rocklee) ransomware virus - removal and decryption options
Written by Tomas Meskauskas on (updated)
What kind of malware is Rocklee?
While assessing malware samples uploaded to VirusTotal, we discovered a ransomware variant from the Makop family dubbed Rocklee. This ransomware encrypts data, changes filenames of all encrypted files, and drops a ransom note ("+README-WARNING+.txt").
Rocklee appends the victim's ID, the attacker's email address, and the ".rocklee" extension to filenames. For example, it replaces "1.jpg" with "1.jpg.[2AF20FA3].[cyberrestore2024@onionmail.org].rocklee", "2.png" with "2.png.[2AF20FA3].[cyberrestore2024@onionmail.org].rocklee", and so forth.
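As an added illustration (not part of the original article): a small Python triage helper that recognises the naming pattern above in a directory listing, recovers the original filenames, and collects the victim ID and contact address for an incident record. The regular expression, function names and the sample listing are constructed for this example.

```python
import re
from collections import Counter

# Pattern described in the article: <original>.[<8-hex victim ID>].[<contact email>].rocklee
# (regex constructed for this example, not taken from the malware itself)
ROCKLEE_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<victim_id>[0-9A-Fa-f]{8})\]"
    r"\.\[(?P<contact>[^\[\]]+@[^\[\]]+)\]\.rocklee$"
)
RANSOM_NOTE = "+README-WARNING+.txt"


def parse_rocklee_name(name):
    """Return original name, victim ID and contact for a Rocklee-renamed file, else None."""
    m = ROCKLEE_RE.match(name)
    return m.groupdict() if m else None


def triage_listing(filenames):
    """Summarise a directory listing: how many files match the pattern, their original
    names, the victim IDs and contact addresses seen, and whether the note is present."""
    encrypted = [info for info in map(parse_rocklee_name, filenames) if info]
    return {
        "encrypted_count": len(encrypted),
        "originals": [e["original"] for e in encrypted],
        "victim_ids": sorted({e["victim_id"] for e in encrypted}),
        "contacts": Counter(e["contact"] for e in encrypted),
        "ransom_note_present": RANSOM_NOTE in filenames,
    }


# Constructed sample listing based on the filenames quoted in the article
SAMPLE_LISTING = [
    "1.jpg.[2AF20FA3].[cyberrestore2024@onionmail.org].rocklee",
    "2.png.[2AF20FA3].[cyberrestore2024@onionmail.org].rocklee",
    "report.docx",                      # untouched file
    "photo.jpg.[2AF20FA3].rocklee",     # malformed name: contact block missing
    "+README-WARNING+.txt",
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```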
Screenshot of files encrypted by this ransomware:
Rocklee ransom note overview
The note explains that the victim's files have been encrypted without damaging the file structure. It states that the victim must pay the perpetrators to recover the files. There's a section about guarantees, asserting that the perpetrators are only concerned with their benefits and have no regard for the victim's situation.
Threat actors offer a method to test their ability to decrypt files by sending two small files with simple extensions. Contact information is provided, offering an email address (cyberrestore2024@onionmail.org), a TOX ID, and a link to download the TOX client for communication.
The decryption process after payment is explained, promising to provide a scanner-decoder program and detailed instructions for use. Finally, the note addresses potential resistance, warning that not cooperating will result in losing time and data, as only the perpetrators possess the private key needed for decryption.
A cautionary section warns against attempting to alter the encrypted files, since doing so risks further damage.
More details about ransomware
Paying a ransom is strongly discouraged due to the risk involved. There is no assurance that the attackers will fulfill their promises of file restoration upon payment. Instead, victims are urged to utilize any available backups or explore alternative options, such as looking for third-party decryption tools online.
Furthermore, it is imperative to promptly remove ransomware from compromised systems to mitigate the potential for further harm, including additional file encryptions.
Ransomware in general
Ransomware encrypts files or restricts access to computer systems, coercing victims into paying a ransom for their release. It is disseminated through diverse channels. Typically, victims are extorted to remit a ransom, frequently in cryptocurrency, to retrieve their data or system access. Variants such as ZENEX, Water, and Lkfr illustrate this diversity.
Preventive measures encompass maintaining up-to-date software, deploying antivirus software, and imparting awareness of phishing tactics. Moreover, robust backup systems play a pivotal role in facilitating recovery in the event of an attack.
How did ransomware infect my computer?
Ransomware can infiltrate computers through multiple avenues, frequently exploiting the unwitting actions of users. One prevalent tactic involves deceptive emails harboring malicious attachments or links. Opening them can lead to the execution of ransomware on systems.
Exploit kits represent another method, capitalizing on software or operating system vulnerabilities. Attackers exploit these weaknesses to introduce ransomware surreptitiously.
Moreover, ransomware can propagate through malicious advertisements, pirated software, cracking tools, downloads from untrustworthy sources such as P2P networks and third-party downloaders, infected USB drives, and compromised websites. Each of these vectors poses a risk of ransomware infection to unsuspecting users.
| Field | Details |
|---|---|
| Name | Rocklee virus |
| Threat Type | Ransomware, Crypto Virus, Files locker |
| Encrypted Files Extension | .rocklee |
| Ransom Demanding Message | +README-WARNING+.txt |
| Free Decryptor Available? | No |
| Cyber Criminal Contact | cyberrestore2024@onionmail.org, intelrestore@onionmail.com, intelrestore2022@onionmail.org, Tox chat |
| Detection Names | Avast (Win32:Evo-gen [Trj]), Combo Cleaner (Gen:Variant.Ransom.Makop.149), ESET-NOD32 (A Variant Of Win32/Filecoder.Phobos.E), Kaspersky (HEUR:Trojan-Ransom.Win32.Generic), Microsoft (Ransom:Win32/Phobos.PB!MTB), Full List Of Detections (VirusTotal) |
| Symptoms | Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files. |
| Additional Information | Rocklee is part of the Makop family |
| Distribution methods | Infected email attachments (macros), torrent websites, malicious ads. |
| Damage | All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection. |
| Malware Removal (Windows) | To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
How to protect yourself from ransomware infections?
Regularly update your software and operating system to patch known vulnerabilities, reducing the likelihood of exploitation by ransomware. Employ trusted antivirus and antimalware software to detect and neutralize ransomware threats before they can compromise your system. Exercise discretion when clicking links or downloading attachments from unfamiliar or suspicious emails and websites.
Refrain from visiting potentially hazardous websites, particularly those offering pirated software or illicit content. Exercise skepticism towards advertisements and pop-ups on dubious web pages, as they may be vectors for ransomware infiltration.
If your computer is already infected with Rocklee, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate this ransomware.
Rocklee's text file, "+README-WARNING+.txt" (GIF):
Text in the ransom note:
::: Greetings :::
Little FAQ:
.1.
Q: Whats Happen?
A: Your files have been encrypted. The file structure was not damaged, we did everything possible so that this could not happen.
.2.
Q: How to recover files?
A: If you wish to decrypt your files you will need to pay us.
.3.
Q: What about guarantees?
A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests.
To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee.
.4.
Q: How to contact with you?
A: You can write us to our mailbox: cyberrestore2024@onionmail.org
Or you can contact us via TOX: 2045F43C36CF86051CC7129C1FF74E84BCDC7A527C059676E546F58A1D8DF94B3C47F17F2E54
You can download TOX client here: hxxps://qtox.github.io/
.5.
Q: How will the decryption process proceed after payment?
A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files.
.6.
Q: If I don t want to pay bad people like you?
A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money.
:::BEWARE:::
DON'T try to change encrypted files by yourself!
If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files!
Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Video showing how to remove Rocklee ransomware using Combo Cleaner:
Rocklee ransomware removal:
Instant automatic malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:
▼ DOWNLOAD Combo Cleaner
Frequently Asked Questions (FAQ)
How was my computer hacked and how did hackers encrypt my files?
Computer infections often stem from users being deceived by phishing emails containing harmful links or attachments. Also, compromised websites, pirated software, cracking tools, and malicious advertisements present significant risks. Additionally, infections can arise from downloading files and programs from unofficial sources and utilizing outdated software.
How to open ".rocklee" files?
Restoring access to your files necessitates decryption, as they have been encrypted in a ransomware attack.
Where should I look for free decryption tools for Rocklee ransomware?
In case of a ransomware attack you should check the No More Ransom project website (more information above).
I can pay you a lot of money, can you decrypt files for me?
Our team does not offer decryption services. Generally, data encrypted by ransomware is exceptionally difficult to decrypt without direct involvement from the developer or distributor unless the ransomware has exploitable vulnerabilities. Therefore, any third party claiming to provide paid decryption services is likely acting as an intermediary or engaging in fraudulent activities.
Will Combo Cleaner help me remove Rocklee ransomware?
Combo Cleaner is designed to conduct thorough scans of your computer and eliminate active ransomware infections. Utilizing an antivirus program like Combo Cleaner constitutes a vital first measure in addressing ransomware threats. It's important to understand, however, that while security software can remove ransomware from your system, it does not possess the ability to decrypt files that have already been encrypted.