Severity scale: 99/100

RotorCrypt ransomware virus. How to remove? (Uninstall guide)

Removal guide by Alice Woods | Type: Ransomware

RotorCrypt is a ransomware virus whose latest variant appends the .SPG file extension to mark encrypted data


RotorCrypt is file-encrypting ransomware[1] closely related to the Rotor virus. It first appeared in 2016 and infects machines through spam emails. Despite periods of inactivity, the virus keeps returning in new versions and is still attacking users today. The variants share most of their traits, but the appended file extension changes with each release. As usual, strong encryption is used to lock the files, after which a ransom is demanded for their release.

Name: RotorCrypt
Type: Ransomware
Alternatively known as: Rotor virus, Ransom.FileCryptor, Trojan-Ransom.Win32.Rotor.b, Win32/DH{gVIDgQ5+gUaBDw?}
Extensions used to mark encrypted files: .SPG, .PGP, .tar, .c400, .c300, .crypto, etc. (full list below)
Ransom size: 7 BTC in early versions; 1-3 BTC in later versions
Detection and elimination: Use up-to-date security software to remove the malicious files
Decryptable: No. No free decryptor exists at the moment; files can only be restored from backups or, with luck, with third-party file recovery tools

Several versions of RotorCrypt detected at the beginning of 2018 append the !==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve or !decrfile@tutanota.com.crypo extension to the locked files. At the beginning of March 2018, a significant change in the naming scheme was noticed: the new variant appends the ! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2 extension, which contains an atypical number of spaces.

The latest version of the malware appeared in late May 2018 and uses another unusual file extension, !________INKOGNITO8000@TUTAMAIL.COM_________.SPG. It was discovered by security researcher Michael Gillespie; at the time of writing, 44 of 65 AV engines detected the malicious payload.

RotorCrypt spreads via malicious spam emails as an obfuscated executable named “dead rdp.exe”, although other versions may use differently named payloads. The malware mainly targets Russian-speaking users[2]. Once it is on the computer, it starts encrypting data and is known to target the following file types:

.1cd, .avi, .bak, .bmp, .cf, .cfu, .csv, .db, .dbf, .djvu, .doc, .docx, .dt, .elf, .epf, .erf, .exe, .flv, .geo, .gif, .grs, .jpeg, .jpg, .lgf, .lgp, .log, .mb, .mdb, .mdf, .mxl, .net, .odt, .pdf, .png, .pps, .ppt, .pptm, .pptx, .psd, .px, .rar, .raw, .st, .sql, .tif, .txt, .vob, .vrp, .xls, .xlsb, .xlsx, .xml, .zip

Different versions of RotorCrypt appear to use RSA encryption[3] and append one of the extensions listed below. The criminals design long, complicated suffixes that embed their contact email address:

  • .-.DIRECTORAT1C8@GMAIL.COM.roto
  • .-.DIRECTORAT1C@GMAIL.COM.roto
  • .-.directorat1c@gmail.com.roto
  • .-.CRYPTSb@GMAIL.COM.roto
  • !-==kronstar21@gmail.com=–.crypt
  • !==helpsend369@gmail.com==.crypt
  • !__crypthelp12@gmail.com_.crypt
  • !___prosschiff@gmail.com_.crypt
  • !____moskali1993@mail.ru___.crypt
  • !______sufnex331@gmail.com______.crypt
  • !______bigromintol971@gmail.com______.crypt
  • !_______GASWAGEN123@GMAIL.COM____.crypt
  • !_________pkigxdaq@bk.ru_______.crypt
  • !______________DESKRYPTEDN81@GMAIL.COM.crypt
  • !____GLOK9200@GMAIL.COM____.tar
  • !____cocoslim98@gmail.com____.tar
  • !_____GEKSOGEN911@GMAIL.COM____.c300
  • !_____DILINGER7900@GMAIL.COM_____.GRANIT
  • !____hamil8642@gmail.com___.GRANIT
  • .edgar4000@protonmail.com____.granit
  • !______DILIGATMAIL7@tutanota.com______.OTR
  • !______PIFAGORMAIL@tutanota.com______.SPG
  • _______PIFAGORMAIL@tutanota.com_____.rar
  • !_____INKASATOR@TUTAMAIL.COM____.ANTIDOT
  • !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66
  • !==solve a problem==stritinge@gmail.com===.SENRUS17
  • !_____FIDEL4000@TUTAMAIL.COM______.biz
  • !____________DESKRYPT@TUTAMAIL.COM________.rar
  • !____________ENIGMAPRO@TUTAMAIL.COM_______.PGP
  • !___________ANCABLCITADEL@TUTAMAIL.COM__________.PGP
  • !==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve!
  • !decrfile@tutanota.com.crypo
  • ! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2
  • !________INKOGNITO8000@TUTAMAIL.COM_________.SPG
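
The suffixes above all follow one shape: decoration characters, the attacker's contact address, more decoration, then a short marker after a final dot. The following Python script is an added example (not code from the article, from the malware, or from any vendor) that turns that shape into a triage tool: it splits each encrypted file name into the original name, the embedded email and the marker, then summarises a directory listing so an analyst can see which variant was run and whether the file types hit match the list given earlier. The regular expression, the "leading ! or at least two decoration characters" acceptance heuristic, and the sample listing (real suffixes from this page appended to made-up names, plus a hypothetical unlisted@example.com/.newmark suffix and two untouched controls) are all assumptions built from the text, not the malware's own rules.

```python
"""Triage helper for RotorCrypt-style file names (added example, not from the article).

Each encrypted file keeps its original name and gets a long suffix appended:
decoration made of ! . - = _ and spaces, the attacker's contact e-mail, more
decoration, then a short marker after a final dot (.tar, .SPG, .roto ...).
The regular expression and the acceptance heuristic below are assumptions
derived from the suffixes quoted on this page, not the malware's own rules.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Marker suffixes quoted on the page (lower-cased); only used to flag something new.
KNOWN_MARKERS = {
    "roto", "crypt", "tar", "c300", "c400", "crypto", "granit", "otr", "spg", "rar",
    "antidot", "privat66", "senrus17", "biz", "pgp", "black_offserve", "crypo",
    "blockbax_v3.2",
}

# File types the article says the ransomware encrypts (lower-cased, no dot).
TARGETED = set(
    "1cd avi bak bmp cf cfu csv db dbf djvu doc docx dt elf epf erf exe flv geo gif "
    "grs jpeg jpg lgf lgp log mb mdb mdf mxl net odt pdf png pps ppt pptm pptx psd px "
    "rar raw st sql tif txt vob vrp xls xlsb xlsx xml zip".split()
)

# One appended suffix, anchored at the end of the name. Verbose mode: whitespace
# inside the character classes is significant, everything else is layout.
APPENDED = re.compile(
    r"""
    (?P<lead>[!.\-=_ ,–]*)                 # leading decoration: '!____', '.-.', '! ,–, '
    (?:[A-Za-z ]+[=\-,– ]+)?               # optional slogan: 'solve a problem=-='
    (?P<email>[A-Za-z0-9._]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})
    (?P<trail>[!.\-=_ ,–]*)                # trailing decoration
    \.(?P<marker>[A-Za-z0-9_.]+?)!?$       # marker suffix, optional stray '!'
    """,
    re.VERBOSE,
)


class Hit(NamedTuple):
    original: str   # file name before the ransomware touched it
    email: str      # attacker contact address embedded in the suffix
    marker: str     # text after the final dot, e.g. 'tar', 'SPG', 'BlockBax_v3.2'


def parse_encrypted_name(name: str) -> Optional[Hit]:
    """Split `name` into (original, email, marker), or return None if it is not marked.

    Every start position is tried and the first parse whose decoration looks
    deliberate is accepted: a leading '!' or at least two decoration characters
    in total. This heuristic (an assumption) keeps ordinary names that merely
    contain an address, such as 'ceo@example.com.csv', from being counted.
    """
    for pos in range(len(name)):
        m = APPENDED.match(name, pos)
        if m and (m["lead"].startswith("!") or len(m["lead"]) + len(m["trail"]) >= 2):
            return Hit(name[:pos], m["email"], m["marker"])
    return None


def original_extension(original: str) -> str:
    """Lower-cased extension of a recovered original name ('' when it has none)."""
    _stem, dot, ext = original.rpartition(".")
    return ext.lower() if dot else ""


def triage(listing: List[str]) -> Dict[str, object]:
    """Summarise a directory listing for an incident report.

    Returns the parsed hits, a count per (email, marker) pair showing which
    variant(s) ran, any marker not quoted on this page, hits whose original type
    is missing from the page's target list (that list may be incomplete for a
    newer build), and the files that were left alone.
    """
    hits: Dict[str, Hit] = {}
    for name in listing:
        hit = parse_encrypted_name(name)
        if hit is not None:
            hits[name] = hit
    variants = Counter((h.email.lower(), h.marker.lower()) for h in hits.values())
    return {
        "hits": hits,
        "variants": variants,
        "unknown_markers": sorted({h.marker for h in hits.values()
                                   if h.marker.lower() not in KNOWN_MARKERS}),
        "not_on_target_list": sorted(h.original for h in hits.values()
                                     if original_extension(h.original) not in TARGETED),
        "untouched": [n for n in listing if n not in hits],
    }


# Constructed listing: suffixes quoted on the page appended to made-up names, plus a
# hypothetical suffix (unlisted@example.com / .newmark) and two untouched controls.
SAMPLE_LISTING = [
    "Q1_report.docx!____GLOK9200@GMAIL.COM____.tar",
    "budget.xlsx!==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve!",
    "1Cv8.1CD.-.DIRECTORAT1C8@GMAIL.COM.roto",
    "notes.txt! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2",
    "db_backup.bak!________INKOGNITO8000@TUTAMAIL.COM_________.SPG",
    "photo.jpg!-=solve a problem=-=grandums@gmail.com=-.PRIVAT66",
    "archive.7z!____GLOK9200@GMAIL.COM____.tar",         # .7z is not on the page's list
    "invoice.pdf!____unlisted@example.com____.newmark",  # hypothetical, unlisted marker
    "readme.txt",                                         # untouched file
    "contact_list_ceo@example.com.csv",                   # ordinary name with an address
]

if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    for hit in report["hits"].values():
        print(f"{hit.original:<16} <- {hit.email:<28} marker={hit.marker}")
    print("variants:", dict(report["variants"]))
    print("unknown markers:", report["unknown_markers"])
    print("original type not on the page's list:", report["not_on_target_list"])
    print("untouched:", report["untouched"])
```

On a real incident, feed `triage()` the names collected with `os.walk` over the affected volume or share. The (email, marker) pairs tell you which variant you are dealing with and therefore which contact address appears in the ransom demand; the "not_on_target_list" bucket shows whether the file-type list quoted earlier is complete for the build that hit you; and a marker in "unknown_markers" is a hint that you may be looking at a build newer than any described here.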


Victims are expected to contact the crooks at the provided email address and wait for instructions. Unsurprisingly, they are then offered a specific data recovery tool[2], and buying that tool is, in other words, paying the ransom. The first version of RotorCrypt demanded 7 Bitcoins, which at the time of writing equals more than 61,000 USD. Newer versions reduced the ransom, which now ranges from 1 to 3 Bitcoins.

RotorCrypt is likely related to the Rotor virus: not only are their names similar, both use the same data encryption strategy and neither leaves a clear explanation of whether and how files can be decrypted.

Usually, ransomware authors provide detailed instructions on how to buy Bitcoins and transfer the money, often through the anonymous Tor network. Initially, however, RotorCrypt's creators did not consider this necessary, so victims of the early versions were not shown any ransom note explaining what had happened to their files. Newer versions provide more, but still insufficient, information:

Good day
Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!

If you have encountered this malware, do not waste time and remove RotorCrypt. Removing the virus will not bring your files back, but it prevents it from encrypting anything you recover and lets you safely try additional data recovery options.

After the attack, victims are expected to contact the criminals at the email address embedded in the appended extension. They will doubtless claim that paying the ransom is the only way to regain access to the files. We do not recommend contacting the criminals or spending your money: you may well end up losing both the data and the money.

Remove RotorCrypt with a reputable anti-malware program. Keep in mind that the virus might block the program or prevent it from scanning the system; in that case, follow the step-by-step guide at the end of the article. Different security vendors detect this infection under different names, for instance Ransom.FileCryptor, Trojan-Ransom.Win32.Rotor.b or Win32/DH{gVIDgQ5+gUaBDw?}.

Spam emails are used for ransomware distribution

RotorCrypt is distributed via malicious email attachments, the most popular way to spread malware. Unfortunately, many users are curious enough to open suspicious spam emails. Opening the email itself is usually harmless; the danger lies in the links and attached documents. Once the user opens the Word or PDF file, an obfuscated payload such as GWWABPFL.EXE, ins.exe or dead rdp.exe is dropped on the system.

Malicious email attachments are not the only distribution technique, as security specialists from Bedynet.ru[4] point out. The malware can also arrive bundled with bogus software or fake updates, and some ransomware variants use exploit kits[5] that look for unpatched flaws in the computer's software.

To avoid RotorCrypt and other file-encrypting viruses, be careful online and treat every unexpected message in your inbox with suspicion.[6] Before opening an attachment, verify the sender. Crooks often pose as reputable companies or government institutions, so contact the organization directly through a channel you already trust and ask whether the message is genuine.

You should also protect the computer with a reputable antivirus program and keep it updated, and keep all other software up to date as well; the easiest way is to let applications download updates automatically. Lastly, stay away from high-risk websites, clickbait ads and suspicious links.


Delete RotorCrypt ransomware and restore your files from backups

Ransomware is hard to remove, so do not attempt to eliminate the virus manually. To remove RotorCrypt safely, rely on a reputable, up-to-date malware removal program.

After RotorCrypt has been removed, restore the encrypted files from backups. If you do not have backups, try the additional data recovery methods at the end of the article, but do not have high expectations: the chances of recovering the files this way are not high.


Manual RotorCrypt virus Removal Guide:

Remove RotorCrypt using Safe Mode with Networking

If you cannot install a preferred removal tool, reboot your computer to Safe Mode with Networking first. For that, you should follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shut Down > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once the computer restarts, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove RotorCrypt

    Log in to the infected account and start the browser. Download a legitimate anti-malware program, update it, run a full system scan and remove the malicious files that belong to the ransomware to complete RotorCrypt removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Remove RotorCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shut Down > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once the computer restarts, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window appears, type rstrui.exe and press Enter. (On Windows XP only, first type cd restore and press Enter, because that version keeps rstrui.exe in the system32\restore folder.)
    2. When the System Restore window appears, click Next and select a restore point dated before the RotorCrypt infection, then click Next again.
    3. Click Yes to start the restore.
    Once the system has been restored to an earlier date, scan the computer with an up-to-date anti-malware program to make sure RotorCrypt has been removed completely.

Bonus: Recover your data

The guide above is intended to help you remove RotorCrypt from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts below.

If your computer is infected with RotorCrypt, do not contact the crooks or pay the ransom. After removing the virus, recover your files from backups or use the alternative methods below.

If your files are encrypted by RotorCrypt, you can use several methods to restore them:

Using Data Recovery Pro to recover encrypted files

Data Recovery Pro is a file recovery (undelete) tool rather than a decryptor, so it can only help if the ransomware left recoverable traces of the original files on the disk. We cannot promise that it will bring back all of your files, but it is worth a try.

Recover files using Windows Previous Versions feature

This method allows restoring individual files after ransomware attack. In order to use this method, follow the instructions below.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each available copy of the file under “Folder versions”, select the version you want to recover and click “Restore”.

Taking advantage of a ShadowExplorer

If the ransomware has not deleted the Volume Shadow Copies, this method can recover at least some of your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

A RotorCrypt decryptor is not available yet.

Finally, always think about protection against crypto-ransomware. To protect your computer from RotorCrypt and other ransomware, use a reputable, up-to-date anti-malware program and keep regular backups of your data.

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention


References