Roger ransomware is part of the Crysis/Dharma family. Its name derives from the .ROGER extension that it usually appends to encrypted files. Many variants of this malware exist in the wild, each appending a different extension to encrypted files, but their functionality is very similar.
Roger Ransomware’s History
Dharma was first observed in 2016. It is one of the most lucrative Ransomware-as-a-Service (RaaS) operations and is still active today. It is flexible and highly efficient. The ransomware targets businesses and lets the attacker set the ransom amount according to the size of the victim organisation, since larger businesses will pay more for decryption.
The Dharma source code was offered for sale at $2000 in 2019, which worried researchers that a buyer might publish it. That would hand the code to far less skilled attackers and could lead to a major Dharma outbreak.
Roger ransomware is usually distributed via:
- Targeted e-mails containing a malicious payload
Double extensions (for example a document extension followed by an executable one) are common in Dharma and Roger ransomware attachments. Windows may hide the final extension, so such files can appear to be non-executable.
- Compromised legitimate software
Trojanised copies of legitimate software are a common way for Roger ransomware to infect a computer. Such software offers may be delivered through a phishing campaign.
- Misuse of the RDP protocol
Roger frequently abuses weak or leaked RDP credentials, and in those cases it is delivered manually by the attacker.
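The double-extension trick described above can be checked mechanically at the mail gateway or on an endpoint. The following Python is an added example, not code from the original article or from any vendor; the extension lists and file names are constructed for illustration. It reports what Windows would display with "Hide extensions for known file types" enabled and flags an executable that hides behind a document extension, including the right-to-left override character that renders a name such as "fdp.exe" as "exe.pdf".

```python
import os

# Extensions Windows launches directly or through a script host (constructed list;
# extend to match local policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".msi", ".lnk"}

# Extensions a user expects to see on a harmless document or image.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".jpeg", ".png", ".zip"}

RTL_OVERRIDE = "\u202e"  # Unicode right-to-left override


def split_extensions(filename):
    """Return every dot-separated suffix of a file name, lower-cased, in order.
    'invoice.pdf.exe' -> ['.pdf', '.exe']; a name without a dot -> []."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    return ["." + p.lower() for p in parts[1:]] if len(parts) > 1 else []


def displayed_name(filename):
    """Name as Explorer shows it when known extensions are hidden:
    only the final extension disappears, so 'invoice.pdf.exe' shows as 'invoice.pdf'."""
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    return root if ext else base


def classify_attachment(filename):
    """Return (verdict, reason).
    'block'  - executable disguised with a document extension or RTL override
    'review' - any other executable attachment
    'allow'  - everything else"""
    if RTL_OVERRIDE in filename:
        return ("block", "right-to-left override character in file name")
    exts = split_extensions(filename)
    if not exts:
        return ("allow", "no extension")
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        # Any document-looking extension before the real one is the disguise.
        inner = [e for e in exts[:-1] if e in DOCUMENT_EXTS]
        if inner:
            return ("block", f"executable {final} disguised as {inner[-1]} "
                             f"(Explorer would show '{displayed_name(filename)}')")
        return ("review", f"executable attachment {final}")
    return ("allow", f"non-executable attachment {final}")


if __name__ == "__main__":
    # Constructed sample attachment names.
    for name in ["Invoice_0312.pdf.exe", "report.docx", "setup.exe", "README",
                 "photo\u202egpj.scr"]:
        print(f"{name!r:32} -> {classify_attachment(name)}")
```

The check is deliberately conservative: a plain `.exe` is only marked for review, because the dangerous case the article describes is the executable whose visible name looks like a document.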
Roger Ransomware Execution
Roger ransomware uses a command-line interface and launches itself through the Windows API. It starts a background process and then runs as a Windows service, which lets it escalate its privileges. To maintain persistence it modifies an autorun value in the Windows registry and writes a file into the Start Menu startup folder. It attempts to steal credentials in order to spread further. It runs vssadmin.exe to delete Volume Shadow Copies so that the encrypted files cannot be restored from them. It employs strong encryption, combining AES-256 with RSA-1024.
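Each of the behaviours in this paragraph (shadow-copy deletion with vssadmin.exe, an autorun value in the registry Run key, a file dropped into the Start Menu startup folder, and a burst of files receiving the .ROGER extension) leaves a trace in endpoint telemetry. The following Python is an added example, not code from the original article: it runs simple detection rules over a constructed set of events shaped like Sysmon process-create (ID 1), file-create (ID 11) and registry-set (ID 13) records. The field names mirror Sysmon's, the paths and user names are invented, and the rule thresholds are assumptions to tune locally.

```python
import re

# Constructed sample telemetry modelled on Sysmon event fields; not logs from a real incident.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
     "Details": "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"},
    {"EventID": 13, "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "Details": "C:\\Program Files\\Vendor\\updater.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Documents\\q1.xlsx.ROGER"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Documents\\contract.docx.ROGER"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\bob\\Pictures\\team.jpg.ROGER"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe notes.txt", "ParentImage": "C:\\Windows\\explorer.exe"},
]

# Detection rules (regexes are case-insensitive because Windows paths are).
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
# Locations an unprivileged user can write to; an autorun pointing there is far more
# suspicious than one pointing into Program Files.
USER_WRITABLE_RE = re.compile(
    r"^[A-Z]:\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp|Users\\Public)\\", re.I)
ENCRYPTED_EXT = ".roger"
ENCRYPTED_BURST = 3  # assumed threshold: this many renamed files counts as mass encryption


def analyze_events(events):
    """Return a list of (rule_name, detail) findings for the given event records."""
    findings = []
    encrypted_files = 0
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1 and VSSADMIN_RE.search(ev.get("CommandLine", "")):
            findings.append(("shadow_copy_deletion",
                             f"{ev['CommandLine']} (parent {ev.get('ParentImage', '?')})"))
        elif eid == 13 and RUN_KEY_RE.search(ev.get("TargetObject", "")):
            target = ev.get("Details", "")
            severity = "high" if USER_WRITABLE_RE.search(target) else "low"
            findings.append((f"run_key_persistence_{severity}", target))
        elif eid == 11:
            name = ev.get("TargetFilename", "")
            if STARTUP_RE.search(name):
                findings.append(("startup_folder_persistence", name))
            elif name.lower().endswith(ENCRYPTED_EXT):
                encrypted_files += 1
    if encrypted_files >= ENCRYPTED_BURST:
        findings.append(("encrypted_extension_burst",
                         f"{encrypted_files} files written with {ENCRYPTED_EXT}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze_events(SAMPLE_EVENTS):
        print(f"{rule:30} {detail}")
```

The shadow-copy rule is the one to alert on immediately: legitimate administration rarely deletes all shadow copies quietly, and in the sample it is spawned from a user-writable directory, which is exactly the combination the article's description of Roger predicts.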