Rokku targets Windows OS and spreads through a well-written spear-phishing campaign that includes a malicious attachment. Once the victim opens the attachment, Rokku immediately deletes all Shadow Volume Copies to prevent data restoration. It then uses the Salsa20 algorithm to encrypt each targeted data file with its own unique key, stored within the last 252 bytes of the same associated file. This variant can be identified by its .rokku file extension. Unique elements of Rokku include the use of Google Website Translator Plugin to convert ransom notes into the victim’s chosen language as well as the use of a QR code to make it easier for the victim to pay the ransom.
- Bleeping Computer provides more information about Rokku, available here.
- The NJCCIC is not aware of any decryption tools available for Rokku.
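The one layout detail the profile gives, that each encrypted file carries its own Salsa20 key in its last 252 bytes, is enough for a simple forensic triage check. The following Python script is an added example written for this page; it is not code from the NJCCIC, Bleeping Computer, or the Rokku sample. It splits a candidate file into ciphertext body and 252-byte trailer, flags the `.rokku` extension, and measures Shannon entropy of both parts, since encrypted data and random key material score near 8 bits per byte while ordinary documents score much lower. The sample files, the 6.5-bit entropy threshold, and the helper names are constructed assumptions; the internal layout of the 252-byte trailer is not described on the page, so the script treats it as opaque bytes.

```python
import math
import random
from collections import Counter

# From the profile above: per-file key stored in the last 252 bytes, ".rokku" extension.
ROKKU_FOOTER_LEN = 252
ROKKU_EXTENSION = ".rokku"
# Constructed threshold: random/encrypted data scores near 8 bits per byte,
# text and most office documents well below 6.5.
HIGH_ENTROPY_BITS = 6.5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty input, close to 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_rokku_name(filename: str) -> bool:
    """The extension Rokku appends to files it has encrypted."""
    return filename.lower().endswith(ROKKU_EXTENSION)


def split_rokku_payload(data: bytes):
    """Return (ciphertext_body, trailer) using the 252-byte trailer from the profile."""
    if len(data) < ROKKU_FOOTER_LEN:
        raise ValueError("file shorter than the 252-byte Rokku trailer; not a Rokku layout")
    return data[:-ROKKU_FOOTER_LEN], data[-ROKKU_FOOTER_LEN:]


def triage_rokku_file(filename: str, data: bytes, threshold: float = HIGH_ENTROPY_BITS) -> dict:
    """Summarise one file: name indicator plus entropy of body and trailer."""
    body, trailer = split_rokku_payload(data)
    body_h = shannon_entropy(body)
    trailer_h = shannon_entropy(trailer)
    return {
        "name_matches": is_rokku_name(filename),
        "body_len": len(body),
        "trailer_len": len(trailer),
        "body_entropy": round(body_h, 2),
        "trailer_entropy": round(trailer_h, 2),
        # Both parts high-entropy is consistent with "ciphertext + random key trailer".
        "looks_encrypted": body_h >= threshold and trailer_h >= threshold,
    }


def build_sample_rokku_file(seed: int = 1) -> bytes:
    """Constructed stand-in for an encrypted file: random body plus a random 252-byte trailer.
    This is NOT real Rokku output; it only reproduces the described file layout."""
    rng = random.Random(seed)
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    trailer = bytes(rng.getrandbits(8) for _ in range(ROKKU_FOOTER_LEN))
    return body + trailer


def build_sample_plaintext_file() -> bytes:
    """Constructed unencrypted control file (repeated English text)."""
    return (b"The quick brown fox jumps over the lazy dog. " * 100)


if __name__ == "__main__":
    print(triage_rokku_file("report.docx.rokku", build_sample_rokku_file()))
    print(triage_rokku_file("notes.txt", build_sample_plaintext_file()))
```

In a real investigation the entropy check alone is not proof of Rokku; compressed archives and images are also high-entropy. The combination of the `.rokku` extension, a high-entropy body, and a high-entropy 252-byte trailer is what matches the layout the profile describes, and the split also shows why the per-file key is of no help to the victim: the trailer contains the key material, but the profile gives no way to recover it without the attacker's cooperation.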