Malware may reinstall itself multiple times if you don't delete its core files. This may require tracking down dozens of files in different locations.
We recommend downloading Restoro to eradicate Malware for you (it should cut down the time to about 15 minutes).
What is RotorCrypt ransomware? And how does it implement its attack?
RotorCrypt ransomware previously known as Rotor ransomware is a file-encrypting threat making a comeback which first emerged in 2016. This ransomware threat has been updated several times. Security experts were able to notice this new variant in the second part of January 2018. This latest threat appends the .!==SOLUTION OF THE PROBLEMemail@example.com==.Black_OFFserve extension on its targeted data, which according to security experts are as follows:
.csv, .doc, .ppt, .xls, .avi, .bak, .bmp, .dbf, .djvu, .docx, .exe, .flv, .gif, .jpeg, .jpg, .mdb, .sql, .mdf, .odt, .pdf, .png, .pps, .pptm, .pptx, .psd, .rar, .raw, .tif, .txt, .vob, .xlsb, .xlsx, .zip
Different versions of this ransomware seems to be using the RSA encryption algorithm and aside from the extension pointed out earlier, it also appends different long and complicated extensions that includes email addresses such as:
- !-=solve a firstname.lastname@example.org=-.PRIVAT66
- !==solve a email@example.com===.SENRUS17
- !==SOLUTION OF THE PROBLEMfirstname.lastname@example.org==.Black_OFFserve!
After the encryption process, RotorCrypt ransomware creates a tiny note which contains its ransom note that reads:
Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!”
Victims are supposed to contact the cyber criminals through the email address provided in the extension appended to the encrypted files since the ransom note does not contain such information. Nevertheless, contacting these crooks is definitely not advised as they could only trick you into paying the ransom but they still won’t give you the decryption key so it would be totally a waste of money. The best way to deal with this ransomware threat is by deleting it from your system first before it can cause further damage to your files and then try to recover the affected files through the files’ shadow volume copies.
How does RotorCrypt ransomware spread its malicious payload?
RotorCrypt ransomware spreads as a malicious executable file named “dead rdp.exe” which is sent through spam emails as an obfuscated file. Note that the file name might differ but it would still be an executable file so as soon as you see any suspicious-looking emails, you have to delete them right away no matter how interesting it may seem as it could be an email containing the malicious payload of RotorCrypt ransomware.
Follow the removal instructions laid out below to delete RotorCrypt ransomware from your PC and recover the encrypted files.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the RotorCrypt Ransomware.
Right-click on the processes then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing Start key + R to launch Run and type appwiz.cpl in the search box and click OK.
Step 3: Look for RotorCrypt ransomware or any malicious program and then Uninstall it.
Step 4: Hold down Windows + E keys simultaneously to open File Explorer.
Step 5: Go to the directories listed below and then look for the corrupted files created by RotorCrypt ransomware such as its malicious payload named “dead rdp.exe” as well as other suspicious files you can find and delete all of them.
- C:\Users\(your pcname)\AppData\Roaming
Step8. Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to the point where you know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make will highly impact your computer. To save you the trouble and time, you can just use PC Cleaner Pro, this system tool is proven to be safe and excellent enough that hackers won’t be able to hack into it. But if you can manage Windows Registry well, then, by all means, go on to the next steps.
Step9. Tap Win + R to open Run and then type in regedit in the field and tap enter to pull up Windows Registry.
Step10. Navigate to the following path:
Step11. Delete the registry keys and sub-keys created by RotorCrypt ransomware.
Step12. Close the Registry Editor and empty your Recycle Bin.
Try to recover your encrypted files using the Shadow Volume copies
Restoring your encrypted files using Windows’ Previous Versions feature will only be effective if RotorCrypt ransomware hasn’t deleted the shadow copies of your files. But still, this is one of the best and free methods there is, so it’s definitely worth a shot.
To restore the encrypted file, right-click on it and select Properties, a new window will pop-up, then proceed to Previous Versions. It will load the file’s previous version before it was modified. After it loads, select any of the previous versions displayed on the list like the one in the illustration below. And then click the Restore button.
It is important to make sure that nothing is left behind and that RotorCrypt ransomware is completely removed use the following antivirus program. To use it, refer to the instructions below.
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed, but if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeat pressing F8, by doing so the Advanced Option shows up.
- To navigate the Advanced Option ue the arrow keys and select Safe Mode with Networking then hit
- Windows will now load the SafeMode with Networking.
- Press and hold both R key and Windows key.
- If done correctly, the Windows Run Box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro
A single space must be in between explorer and http. Click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading the program. The installation will start automatically once a download is done.
- Click OK to launch it.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register the program to protect your computer from future threats.