Severity scale: 99/100

RotorCrypt ransomware virus. How to remove? (Uninstall guide)

by Alice Woods | Type: Ransomware

RotorCrypt ransomware uses new extensions to mark encrypted files

RotorCrypt ransomware (alternatively known as RotoCrypt) is a file-encrypting virus aimed at Russian-speaking users.[1] The virus uses different file extensions to mark affected files. They appear right after file encryption with RSA cryptography[2] is finished. Additionally, victims of RotorCrypt ransomware are required to use the ENIGMAPRO@TUTAMAIL.COM email address to contact its developers and pay the ransom.

The recent version of RotorCrypt malware continues the malicious job of its predecessors. The virus travels via malspam that includes an obfuscated executable. When a user opens it, a harmful “dead rdp.exe” file is downloaded and run on the system. The malware then starts the encryption process and prevents users from accessing their data.

As we have mentioned, cybercriminals created several variants of RotorCrypt virus that can be noticed by the appended file extension that includes a special email address. Currently known emails and extensions used by RotoCrypt are these:

  • !____________ENIGMAPRO@TUTAMAIL.COM_______.PGP
  • !___ELIZABETH7@PROTONMAIL.COM____.c400;
  • !____DILIGATMAIL7@tutanota.com____.OTR;
  • !_____LIKBEZ77777@GMAIL.COM____.c400;
  • !_____GEKSOGEN911@GMAIL.COM____.c300;
  • PATAGONIA5000@PROTONMAIL.COM;
  • !_____INKASATOR@TUTAMAIL.COM____.ANTIDOT;
  • !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66;
  • !____________DESKRYPT@TUTAMAIL.COM________.rar.
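The following Python script is an added example, not part of the original article: it checks file names against the markers listed above, recovers the original name, and counts affected files per contact address, which helps scope the damage before restoring from backups. It assumes the marker is appended directly after the original file name; the names MARKERS, classify and scan are illustrative.

```python
import os
import re
from collections import Counter

# Markers copied from the list in this article (list punctuation dropped).
MARKERS = [
    "!____________ENIGMAPRO@TUTAMAIL.COM_______.PGP",
    "!___ELIZABETH7@PROTONMAIL.COM____.c400",
    "!____DILIGATMAIL7@tutanota.com____.OTR",
    "!_____LIKBEZ77777@GMAIL.COM____.c400",
    "!_____GEKSOGEN911@GMAIL.COM____.c300",
    "PATAGONIA5000@PROTONMAIL.COM",
    "!_____INKASATOR@TUTAMAIL.COM____.ANTIDOT",
    "!-=solve a problem=-=grandums@gmail.com=-.PRIVAT66",
    "!____________DESKRYPT@TUTAMAIL.COM________.rar",
]
EMAIL_RE = re.compile(r"[A-Za-z0-9.]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def classify(filename):
    """Return (original_name, contact_email) for a marked file, else None."""
    # Assumption: the marker is appended directly after the original name.
    lowered = filename.lower()
    for marker in MARKERS:
        if lowered.endswith(marker.lower()) and len(filename) > len(marker):
            email = EMAIL_RE.search(marker).group(0).lower()
            return filename[: -len(marker)], email
    return None

def scan(root):
    """Walk root; return ([(path, original_name)], Counter per contact address)."""
    hits, per_address = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            match = classify(name)
            if match:
                hits.append((os.path.join(dirpath, name), match[0]))
                per_address[match[1]] += 1
    return hits, per_address

if __name__ == "__main__":
    import sys
    hits, per_address = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, original in hits:
        print(f"{path}  (was: {original})")
    for address, count in per_address.most_common():
        print(f"{count} file(s) marked with {address}")
```

Run it with a folder path as the only argument; it only reads file names and does not modify or open any file.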

Victims are supposed to contact the crooks via the provided email and wait for instructions on what to do next. It is no secret that users are told to purchase a specific data recovery tool.[3] RotorCrypt ransomware might be related to the Rotor virus. Indeed, their names are similar, and they also use the same data encryption strategy and do not leave a clear explanation about file decryption possibilities.

Usually, the creators of ransomware provide detailed instructions on how to purchase Bitcoins and transfer money using the anonymous Tor browser. However, this time the criminals do not find this necessary. There is no ransom note left by the RotoCrypt virus that would explain what happened to your files.

If you have encountered this malware, do not waste your time and initiate RotorCrypt removal. Virus elimination will not bring back your files, but you will be able to try additional data recovery options.

After the attack, victims have to work out for themselves that they are expected to contact the criminals at the email address appended to the corrupted filename. There’s no doubt that the criminals will say that paying the ransom is the only way to get back access to the files. But we do not recommend contacting criminals and wasting your money because you might end up losing both your data and your money.

Remove RotorCrypt from the computer with the help of a strong anti-malware program, such as Reimage. Keep in mind that the virus might block access to the program and prevent it from scanning the system. In this case, follow our step-by-step guide presented at the end of the article. Different security programs detect this computer infection under different names, for instance, Ransom.FileCryptor, Trojan-Ransom.Win32.Rotor.b, Win32/DH{gVIDgQ5+gUaBDw?}, etc.

Malicious email messages are still considered to be the main distribution channel

RotoCrypt virus is distributed via malicious email attachments. It’s the most popular way to spread malware. Unfortunately, many computer users are too curious and open suspicious spam emails. However, opening an email is not the worst part. Usually, emails themselves are not dangerous, but links and documents attached to them might be infected. Once users open a Word or PDF file, the malicious GWWABPFL.EXE file, ins.exe, dead rdp.exe or other obfuscated files might be dropped on the system.

However, malicious email attachments are not the only distribution technique. Malware might get inside when victims install bogus software or fake updates. Some variants of ransomware also use exploit kits[4] and look for flaws in the computer’s security.

If you want to avoid RotorCrypt or other file-encrypting viruses, you have to be careful online and doubt every single message you receive in your inbox.[5] Before opening any email attachment, you have to double check the information about the sender. Crooks might pretend to be from reputable or governmental institutions; therefore, you should contact the organization directly and ask about the issue.

Moreover, you should protect your computer by installing a reputable antivirus program, and don’t forget to update it regularly. It's important to keep all your programs updated. The easiest way to keep software updated is to let applications download updates automatically. Lastly, you should not browse high-risk websites or click on clickbait ads or suspicious links.

Instructions for RotorCrypt ransomware removal guide

Ransomware is hard to remove, so you should not consider eliminating the virus manually. In order to remove RotorCrypt safely, you should rely on a professional malware removal program. Keep in mind that free tools are weak and cannot effectively remove this computer infection. Thus, you should install professional computer security software and choose Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

After successful RotorCrypt removal, you can restore corrupted files from data backups. However, if you do not have them, try our additional data recovery methods presented at the end of the article. We want to warn you, though, that you should not have high expectations. Chances to restore files are not high.

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove RotorCrypt ransomware virus you agree to our privacy policy and agreement of use.
Reimage is recommended to uninstall RotorCrypt ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

Manual RotorCrypt virus Removal Guide:

Remove RotorCrypt using Safe Mode with Networking

If you cannot install a preferred removal tool, reboot your computer to Safe Mode with Networking first. For that, you should follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove RotorCrypt

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete RotorCrypt removal.

If your ransomware is blocking Safe Mode with Networking, try the next method.

Remove RotorCrypt using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of RotorCrypt. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download Reimage, scan your computer with it and make sure that RotorCrypt removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove RotorCrypt from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your computer is infected with RotoCrypt, do not consider contacting the crooks and paying the ransom. After virus elimination, recover your files from backups or use alternative methods provided below.

If your files are encrypted by RotorCrypt, you can use several methods to restore them:

Using Data Recovery Pro to recover encrypted files

Data Recovery Pro might be a helpful tool to recover files encrypted by RotoCrypt ransomware. We cannot assure that this method will be effective and decrypt all of your files, but you should give it a try.

Recover files using Windows Previous Versions feature

This method allows restoring individual files after a ransomware attack. In order to use this method, follow the instructions below.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Taking advantage of ShadowExplorer

If ransomware hasn't deleted Volume Shadow Copies, you can try using this method and recover at least some of your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

RotoCrypt decryptor is not available yet

Finally, you should always think about protection from crypto-ransomware. In order to protect your computer from RotorCrypt and other ransomware, use a reputable anti-spyware program, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.


References


  • William

    There are too many ransomware viruses out there…

  • James

    You have just convinced me to make backups.

  • Emma

    I receive too many spam emails, and I am afraid of catching a virus. Which antivirus program offers the best protection from spam?