RotorCrypt is a file locking virus which was recently spotted using with .!@#$%^&-()_+.1C file extension

RotorCrypt is a cryptovirus that was first spotted in 2016 and since then is known as ransomware[1] that uses obnoxious file extensions and ransom notes. Unsurprisingly, the malware is closely related to Rotor virus, as the name suggests. Since its initial release, cybercriminals have presented countless versions of the virus, using spam email campaigns, exploits, weak passwords and similar means for distribution. The latest variant of RotorCrypt ransomware was discovered by the independent researcher on 10th of October. It uses .!@#$%^&-()_+.1C file extension and drops a ransom note INFO.txt, which is written in the Russian and only information stated is two contact email addresses: inkognitoman@tutamail.com and inkognitoman@firemail.cc.
| Name | RotorCrypt |
| Type | Ransomware |
| Alternatively known as | Rotor virus, Ransom.FileCryptor, Trojan-Ransom.Win32.Rotor.b, Win32/DH{gVIDgQ5+gUaBDw?} |
| Extensions used to mark encrypted files | Encrypted files can be found by looking at these extensions: .SPG, .PGP, .tar, .c400, .c300, .crypto, .mail, .psd, .RAR, . !@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd and !@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR; .!@$#-unlock-email_______zepro190@gmail.com________#$!…ES_HELPs, .!@#$%^&-()_+.1C |
| Ransom size | 7 BTC in early versions; 1-3 BTC in later versions |
| Detection and elimination | Use security software to get rid of malicious files. We recommend FortectIntego and SpyHunterCombo Cleaner |
| Decryptable | No. At the moment, files encrypted by this ransomware can be recovered only with the help of third-party programs or from back up |
RotorCrypt ransomware spreads via malicious spam emails as an obfuscated “dead rdp.exe” file. However, different versions of the virus might have differently named payloads. Furthermore, malware mainly targets Russian-speaking users[2], and once it gets into their computers, it starts data encryption process. It is known to target the following file types:
.1cd, .avi, .bak, .bmp, .cf, .cfu, .csv, .db, .dbf, .djvu, .doc, .docx, .dt, .elf, .epf, .erf, .exe, .flv, .geo, .gif, .grs, .jpeg, .jpg, .lgf, .lgp, .log, .mb, .mdb, .mdf, .mxl, .net, .odt, .pdf, .png, .pps, .ppt, .pptm, .pptx, .psd, .px, .rar, .raw, .st, .sql, .tif, .txt, .vob, .vrp, .xls, .xlsb, .xlsx, .xml, .zip
Different versions of RotorCrypt virus seems to be using RSA encryption[3] and can append one of the file extensions listed below. Cyber criminals design long and complicated suffixed that include contact email address:
- .-.DIRECTORAT1C8@GMAIL.COM.roto>
- .-.DIRECTORAT1C@GMAIL.COM.roto>
- .-.directorat1c@gmail.com.roto
- .-.CRYPTSb@GMAIL.COM.roto>
- !-==kronstar21@gmail.com=–.crypt>
- !==helpsend369@gmail.com==.crypt>
- !__crypthelp12@gmail.com_.crypt
- !___prosschiff@gmail.com_.crypt>
- !____moskali1993@mail.ru___.crypt>
- !______sufnex331@gmail.com______.crypt
- !______bigromintol971@gmail.com______.crypt
- !_______GASWAGEN123@GMAIL.COM____.crypt
- !_________pkigxdaq@bk.ru_______.crypt
- !______________DESKRYPTEDN81@GMAIL.COM.crypt
- !____GLOK9200@GMAIL.COM____.tar
- !____cocoslim98@gmail.com____.tar
- !_____GEKSOGEN911@GMAIL.COM____.c300
- !_____DILINGER7900@GMAIL.COM_____.GRANIT
- !____hamil8642@gmail.com___.GRANIT
- .edgar4000@protonmail.com____.granit
- !______DILIGATMAIL7@tutanota.com______.OTR
- !______PIFAGORMAIL@tutanota.com______.SPG
- _______PIFAGORMAIL@tutanota.com_____.rar
- !_____INKASATOR@TUTAMAIL.COM____.ANTIDOT
- !-=solve a problem=-=grandums@gmail.com=-.PRIVAT66
- !==solve a problem==stritinge@gmail.com===.SENRUS17
- !_____FIDEL4000@TUTAMAIL.COM______.biz
- !____________DESKRYPT@TUTAMAIL.COM________.rar
- !____________ENIGMAPRO@TUTAMAIL.COM_______.PGP
- !___________ANCABLCITADEL@TUTAMAIL.COM__________.PGP
- !==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve!
- !decrfile@tutanota.com.crypo
- ! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2
- !________INKOGNITO8000@TUTAMAIL.COM_________.SPG
- !_______INKOGNITO7000@TUTAMAIL.COM_______.SPG
- !@#$%___________ PANAMA1@TUTAMAIL.com%$#@.mail
- !@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd
- !@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR

Victims are supposed to contact crooks via provided email and wait for their instructions what should they do next. There's no secret that users are suggested to purchase the specific data recovery tool.[2] Victims can purchase the tool or, in other words, pay the ransom. The first version of RotorCrypt virus urged to transfer 7 Bitcoins, which is now equal to more than 61 000 USD. Newer versions reduced the ransom, which now ranges from 1 to 3 Bitcoins.
RotorCrypt ransomware might be related to Rotor virus. Indeed, their names are familiar, but they also use the same data encryption strategy and do not leave a clear explanation about file decryption possibilities.
Usually, the creators of ransomware provide detailed instructions how to purchase Bitcoins and transfer money using anonymous Tor browser. However, initially criminals did not find this activity necessary, which is why victims are not presented with a ransom note left by Roto Crypt virus that would explain what happened to your files. Newer versions are known for providing more, but still not sufficient, information:
Good day
Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!
If you have encountered this malware, do not waste your time and initiate RotorCrypt removal. Virus elimination will not bring back your files, but you will be able to try additional data recovery options.

After the attack, victims have to realize to contact criminals by an email address appended to the corrupted filename. There’s no doubt that they will tell that paying the ransom is the only solution to get back access to the files. But we do not recommend contacting criminals and wasting your money because you might end up with both data and money loss.
Remove RotorCrypt from the computer with the help of a strong anti-malware program, such as FortectIntego, SpyHunterCombo Cleaner. or any other reputable security software. Keep in mind that virus might block access to the program and prevent it from scanning the system. In this case, follow our step-by-step guide presented at the end of the article. Different security programs detect this computer infection under different names, for instance, Ransom.FileCryptor, Trojan-Ransom.Win32.Rotor.b, Win32/DH{gVIDgQ5+gUaBDw?}, etc.
Latest RotorCrypt variants
Several versions of RotorCrypt ransomware, detected in the beginning of 2018, are known for appending the .!==SOLUTION OF THE PROBLEM==blacknord@tutanota.com==.Black_OFFserve or !decrfile@tutanota.com.crypo file extension to the locked files. However, at the beginning of March 2018, significant changes in RotorCrypt virus coding scheme has been noticed – the new variant appends a ! ,–, Revert Access ,–, starbax@tutanota.com ,–,.BlockBax_v3.2 extension, which contains an atypical number of spaces.
In June and July 2018, researchers have reported about four new versions of the virus that append the following extensions to the targeted data:
- !@#$%___________PANAMA1@TUTAMAIL.com%$#@.mail
- !@!@!@_contact mail___boroznsalyuda@gmail.com___!@!@.psd
- !@#$_____ISKANDER@TUTAMAIL.COM_____$#@!.RAR
- !@$#-unlock-email_______zepro190@gmail.com________#$!…ES_HELPs

However, the following scheme does not change much. Victims can contact cybercriminals using one of the provided email addresses (panama1@tutamail.com, boroznsalyuda@gmail.com or iskander@tutamail.com) and find out the ransom size. So far 53 out of 65 AV engines detect[4] the malicious payload of this RotorCrypt version.
RotorCrypt ransomware showed up again in October 2018, after few months of break. The latest variant yet again uses an obnoxious file extension – .!@#$%^&-()_+.1C. A brief ransom note INFO.txt, written in Russian, only mentions two email addresses to contact malware authors. There are no mentions about the size of ransom or any other information provided. As usual, we recommend not to contact cybercrooks and remove RotorCrypt ransomware instead, using security tools like FortectIntego or SpyHunterCombo Cleaner.
Ransomware payload is being spread via malicious spam emails
RotoCrypt virus is distributed via malicious email attachments. It’s the most popular way to spread malware. Unfortunately, many computer users are too curious and open suspicious spam emails. However, opening an email is not the worst part. Usually, emails are not dangerous, but links and documents attached to them might be infected. Once users open Word or PDF file, the malicious GWWABPFL.EXE file, ins.exe, dead rdp.exe or other obfuscated files might be dropped on the system.
However, malicious email attachments are not the only one distribution technique, security specialists from Bedynet.ru[5] says. Malware might get inside when victims install bogus software or fake updates. Some variants of ransomware also use exploit kits[6] and look for flaws in computer’s security.
If you want to avoid RotorCrypt or other file-encrypting viruses, you have to be careful online and doubt every single message you receive in your inbox.[7] Before opening any email attachment, you have to double check the information about the sender. Crooks might pretend to be from reputable or governmental institutions; therefore, you should contact the organization directly and ask about the issue.
Moreover, you should protect your computer by installing a reputable antivirus program and don’t forget to update it regularly. It's important to keep all your programs updated. The easiest way to keep software updates is to let applications download updates automatically. Lastly, you should not browse in high-risk websites, click on clickbait ads or suspicious links.
RotorCrypt elimination guide
Ransomware is hard to remove, so you should not consider eliminating the virus manually. In order to remove RotorCrypt safely, you should rely on a professional malware removal program. Keep in mind that free tools are weak and cannot effectively remove this computer infection. Thus, you should install in professional computer's security and choose FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes.
After successful RotorCrypt removal, you can restore corrupted files from data backups. However, if you do not have them, try our additional data recovery methods presented at the end of the article. Though, we want to warn that you should not have high expectations, as chances to restore files are not high.
Was this guide helpful?
3 comments