Security experts discovered a new variant of cryptovirus, which named ‘Roldat ransomware‘. It appends the .roldat file extension to encrypted file names. Read below a brief summary of information related to this ransomware and how to restore or decrypt .roldat files for free.
Files encrypted by Roldat ransomware
The .Roldat ransomware is a malicious software that created in order to encrypt files. It hijack a whole PC or its data and demand a ransom in order to unlock (decrypt) them. The developers of the .Roldat ransomware have a strong financial motive to infect as many computers as possible. The files that will be encrypted include the following file extensions:
.syncdb, .icxs, .bay, .wbc, .wb2, .3dm, .wmo, .wbz, .rw2, .db0, .rtf, .rim, .itm, .x, .mdf, .zif, .layout, .xdl, .wav, .xlsm, .raw, .dwg, .snx, .vpp_pc, .xx, .xxx, .itdb, .bkf, .wmv, .ptx, .wpg, .iwi, .cdr, .t12, .wma, .zdb, .odc, .desc, .csv, .pem, .mpqge, .ztmp, .sql, .cer, .wp, .mcmeta, .yml, .accdb, .arch00, .menu, .wp6, .mdbackup, .0, .rofl, .indd, .xar, .xlgc, .wcf, .rgss3a, .xls, .apk, .vdf, .flv, .srw, .re4, .epk, .slm, .kdc, .bar, .lrf, .sie, .xmind, .doc, .x3d, .yal, .sidd, .dcr, .2bp, .pdd, .ff, .iwd, .gho, .crt, .png, .y, .jpeg, .sum, .eps, .wot, .esm, .mlx, .cas, .zip, .sid, .d3dbsp, .avi, .hplg, .wp5, .m4a, .qdf, .xyw, .xyp, .ntl, .docm, .gdb, .xlsb, .xf, .pef, .wbmp, .ncf, .wbm, .forge, .tax, .mdb, .ltx, .ibank, .odp, .hkdb, .blob, .wps, .x3f, .p12, .m3u, .xy3, .odm, .vcf, .xll, .mov, .py, .wgz, .wmf, .wpe, .wma, .wdp, .cr2, .bkp, .big, .x3f, .das, .wdb, .lvl, .3fr, .rar, .ods, .lbf, .psd, .z3d, .der, .vtf, .xld, .wpd, .webdoc, .css, .xbdoc, .txt, .bsa, .wm, .kf, .pst, .xml, .docx, .z, .dng, .wpd, .xlsx, .jpe, .itl, wallet, .webp, .mp4, .wbd, .ws, .pptx, .sr2, .wpb, .pfx, .dbf, .zabw, .asset, .erf, .wbk, .wpt, .xlsm, .rwl, .xlk, .rb, .raf, .wp4, .w3x, .wps, .litemod, .ai, .xmmap, .wpw, .t13, .bik, .wpl, .odt, .wsd, .psk, .map, .7z, .crw, .tor, .odb, .wsh, .kdb, .wn, .dazip, .1st, .fsh, .wpa, .wri, .xlsx, .js, .ybk, .xls, .cfr, .ppt, .arw, .fos, .wmv, .xwp, .sav, .srf, .wsc
Upon successful encryption, it appends the .roldat extension to the file name of its encrypted file. The ransomware also creates a text file named “_readme.txt” in each folder. This file is a ransom note. The ransomnote asks for money in the form of bitcoins. The content of the ransomnote is below:
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-WNIGhROCrH Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: vengisto@firemail.cc Reserve e-mail address to contact us: gorentos@bitmessage.ch Our Telegram account: @datarestore Your personal ID:
Threat Summary
| Name | .Roldat ransomware |
| Type | Ransomware, Filecoder, Crypto virus, File locker |
| Contact | vengisto@firemail.cc, gorentos@bitmessage.ch, Telegram account: @datarestore |
| Ransom note | _readme.txt |
| Symptoms |
|
| Removal | To remove .Roldat ransomware use the removal guide |
| Decryption | To decrypt .Roldat ransomware use the steps |
We suggest you to remove .Roldat ransomware virus as quickly as possible, until the presence of the ransomware virus has not led to even worse consequences. You need to follow the step-by-step tutorial below that will allow you to completely remove .Roldat ransomware from your PC as well as restore encrypted photos, documents and music, using only few free tools.
Quick links
- How to remove .Roldat ransomware virus
- How to decrypt .roldat files
- Use STOPDecrypter to decrypt .roldat files
- How to restore .roldat files
- How to protect your machine from .Roldat ransomware virus?
- Finish words
How to remove .Roldat ransomware virus
There are a few methods that can be used to remove .Roldat ransomware. But, not all ransomware like this ransomware can be completely uninstalled utilizing only manual ways. Most often you are not able to remove any ransomware virus using standard MS Windows options. In order to get rid of .Roldat ransomware you need use reliable removal tools. Most IT security researchers states that Zemana Anti-malware, Malwarebytes or KVRT tools are a right choice. These free programs are able to scan for and remove .Roldat ransomware virus from your PC system for free.
Run Zemana Anti-malware to remove .Roldat ransomware
Zemana AntiMalware (ZAM) can detect all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the .Roldat ransomware virus, you can easily and quickly delete it.
Zemana Free can be downloaded from the following link. Save it on your Windows desktop.
164032 downloads
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
When the download is done, close all apps and windows on your personal computer. Double-click the install file called Zemana.AntiMalware.Setup. If the “User Account Control” prompt pops up as shown in the following example, click the “Yes” button.
It will open the “Setup wizard” which will help you install Zemana AntiMalware (ZAM) on your computer. Follow the prompts and do not make any changes to default settings.
Once installation is done successfully, Zemana Anti-Malware (ZAM) will automatically start and you can see its main screen as shown on the screen below.
Now click the “Scan” button for checking your machine for the .Roldat ransomware and other malicious software. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your machine and the speed of your computer.
Once Zemana has finished scanning, Zemana AntiMalware (ZAM) will open a scan report. Review the scan results and then press “Next” button. The Zemana Anti-Malware (ZAM) will remove .Roldat ransomware and other malware and add threats to the Quarantine. After disinfection is finished, you may be prompted to restart the PC.
Remove Roldat ransomware with MalwareBytes
If you’re having problems with the Roldat ransomware removal, then download MalwareBytes Free. It is free for home use, and scans for and removes various unwanted software that attacks your personal computer or degrades machine performance. MalwareBytes Anti-Malware can get rid of adware, worms as well as malware, including ransomware and trojans.
Please go to the link below to download MalwareBytes Anti Malware. Save it on your Windows desktop.
326385 downloads
Author: Malwarebytes
Category: Security tools
Update: April 15, 2020
Once the downloading process is finished, close all apps and windows on your machine. Open a directory in which you saved it. Double-click on the icon that’s called mb3-setup as shown in the figure below.
When the install starts, you’ll see the “Setup wizard” that will help you set up Malwarebytes on your personal computer.
Once install is finished, you will see window as shown in the following example.
Now click the “Scan Now” button to find the Roldat ransomware virus related files, folders and registry keys. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour. While the MalwareBytes is checking, you can see how many objects it has identified either as being malicious software.
As the scanning ends, you may check all threats found on your machine. All found threats will be marked. You can delete them all by simply press “Quarantine Selected” button.
The Malwarebytes will now delete Roldat ransomware virus and other malicious software and move threats to the program’s quarantine. When that process is finished, you may be prompted to restart your PC system.
The following video explains tutorial on how to remove hijacker, adware software and other malware with MalwareBytes AntiMalware (MBAM).
Remove .Roldat ransomware virus with KVRT
If MalwareBytes anti malware or Zemana anti-malware cannot remove this ransomware, then we recommends to run the KVRT. KVRT is a free removal tool for ransomwares, adware, potentially unwanted programs and toolbars.
Download Kaspersky virus removal tool (KVRT) on your Windows Desktop by clicking on the link below.
129056 downloads
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
After the downloading process is finished, double-click on the Kaspersky virus removal tool icon. Once initialization process is complete, you’ll see the KVRT screen as shown on the image below.
Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button to perform a system scan with this utility for the .Roldat ransomware virus and other known infections. This procedure can take some time, so please be patient. While the Kaspersky virus removal tool utility is scanning, you can see number of objects it has identified as being infected by malware.
Once the scan get completed, KVRT will show a screen which contains a list of malware that has been detected as on the image below.
Make sure all threats have ‘checkmark’ and press on Continue to begin a cleaning procedure.
How to decrypt .roldat files
The encryption algorithm is so strong that it is practically impossible to decrypt .roldat files without the actual encryption key. The bad news is that the only way to get your files back is to pay ($490-$980 in Bitcoins) creators of the .Roldat ransomware virus for a copy of the private (encryption) key.
Should you pay the ransom? A majority of security professionals will reply immediately that you should never pay a ransom if infected by ransomware! If you choose to pay the ransom, there is no 100% guarantee that you can decrypt all personal files!
Files encrypted by Roldat ransomware
With some variants of Roldat ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .roldat files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos. STOPDecrypter will work for any extension of the Djvu* variants including new extensions (.roldat).
Please check the twitter post for more info.
How to restore .roldat files
In some cases, you can recover files encrypted by .Roldat ransomware. Try both methods. Important to understand that we cannot guarantee that you will be able to recover all encrypted personal files.
Run ShadowExplorer to restore .roldat files
In some cases, you have a chance to restore your documents, photos and music which were encrypted by the .Roldat ransomware virus. This is possible due to the use of the tool named ShadowExplorer. It is a free program which made to obtain ‘shadow copies’ of files.
ShadowExplorer can be downloaded from the following link. Save it on your Microsoft Windows desktop or in any other place.
438668 downloads
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019
When downloading is finished, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder as displayed in the following example.
Double click ShadowExplorerPortable to run it. You will see the a window as shown in the following example.
In top left corner, choose a Drive where encrypted files are stored and a latest restore point like below (1 – drive, 2 – restore point).
On right panel look for a file that you wish to restore, right click to it and select Export like below.
Run PhotoRec to recover .roldat files
Before a file is encrypted, the .Roldat ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file recover software such as PhotoRec.
Download PhotoRec on your Windows Desktop from the link below.
Once the download is done, open a directory in which you saved it. Right click to testdisk-7.0.win and choose Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as displayed in the figure below.
Double click on qphotorec_win to run PhotoRec for Windows. It’ll show a screen like below.
Choose a drive to recover as on the image below.
You will see a list of available partitions. Select a partition that holds encrypted files as shown in the figure below.
Click File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is done, press OK button.
Next, press Browse button to choose where recovered personal files should be written, then press Search.
Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have selected on the previous step. You can to access the files even if the recovery process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where restored personal files are stored. You will see a contents as shown in the figure below.
All restored photos, documents and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can to sort your recovered files by extension and/or date/time.
How to protect your machine from .Roldat ransomware virus?
Most antivirus programs already have built-in protection system against the ransomware virus. Therefore, if your machine does not have an antivirus program, make sure you install it. As an extra protection, run the HitmanPro.Alert.
Run HitmanPro.Alert to protect your PC from .Roldat ransomware virus
HitmanPro.Alert is a small security utility. It can check the system integrity and alerts you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
Installing the HitmanPro.Alert is simple. First you’ll need to download HitmanPro Alert on your MS Windows Desktop by clicking on the link below.
Once the downloading process is complete, open the folder in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. After the utility is started, you will be displayed a window where you can select a level of protection, as shown on the image below.
Now click the Install button to activate the protection.
Finish words
Once you have finished the tutorial above, your computer should be free from .Roldat ransomware virus and other malware. Your PC will no longer encrypt your personal files. Unfortunately, if the step-by-step tutorial does not help you, then you have caught a new ransomware, and then the best way – ask for help here.
