
RotorCrypt Ransomware

Posted: November 3, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 23
First Seen: November 3, 2016
Last Seen: July 23, 2019
OS(es) Affected: Windows

The RotorCrypt Ransomware is a Trojan that uses RSA encryption to encode and 'lock' your files so that they can't be opened. Most threat actors use similar attacks for collecting ransoms in return for a possible decryption feature, although paying isn't a definitive data recovery solution. Most symptoms appear only after the damage to your files is done, and preventative security steps, such as allowing anti-malware programs to remove the RotorCrypt Ransomware infections immediately, are recommended.

One Piece of a File-Locking Machine

While English-based Trojans are, by far, the most common detection entries within most threat databases, individual nations with other languages are hardly immune to similar attacks. One relatively recent phenomenon demonstrating this fact is Russia's gradual transition into being a regular target of file-locking Trojans' campaigns, usually due to ill-minded admins without much interest or experience in working with other languages. These Trojans, such as the RotorCrypt Ransomware, often have less standardized payloads and may use data-locking methods that are difficult to crack.

Despite most campaigns of this type focusing on extorting money with the help of bundled text or HTML messages, the RotorCrypt Ransomware doesn't appear to be dropping any ransom notes for the victims of its attacks. The RotorCrypt Ransomware infections do use common, asymptomatic encryption features to block media on the infected PC, but use RSA instead of the more typical AES or XOR algorithms. It edits the name of all blocked data by inserting a '.rar' extension and the e-mail of its threat actor, which may be a Tutamail, Protonmail or Gmail address.
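A triage check built on the renaming behaviour described above, as an added example that is not part of the original write-up: it flags files whose names carry both '.rar' and an e-mail address but whose content does not begin with the RAR archive signature. Assumptions: the page does not give the exact position of the address and extension within the name, so any name containing both is considered; the signature bytes come from the RAR format, not from the page; all sample names and contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: exact name layout is not documented on the page; match any address.
EMAIL_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
RAR_MAGIC = b"Rar!\x1a\x07"  # prefix shared by genuine RAR 4.x and 5.x archives

def classify(path):
    """Return 'suspect', 'rar-archive' or 'ignore' for one file."""
    name = Path(path).name.lower()
    if ".rar" not in name:
        return "ignore"
    with open(path, "rb") as fh:
        head = fh.read(len(RAR_MAGIC))
    if head == RAR_MAGIC:
        return "rar-archive"  # real archive, whatever it is called
    return "suspect" if EMAIL_IN_NAME.search(name) else "ignore"

def scan(root):
    """Walk root and return sorted relative paths of suspect files."""
    hits = []
    for p in Path(root).rglob("*"):
        try:
            if p.is_file() and classify(p) == "suspect":
                hits.append(p.relative_to(root).as_posix())
        except OSError:
            continue  # unreadable or locked file: skip it
    return sorted(hits)

def demo():
    """Build constructed sample files in a temp dir and scan them."""
    samples = {
        "report.docx": b"PK\x03\x04 ordinary document",
        "backup.rar": RAR_MAGIC + b"\x00 genuine archive",
        "photos_user@example.com.rar": RAR_MAGIC + b"\x01\x00 genuine archive",
        "invoice.xlsx_user@example.com.rar": b"\x8f\x11\xc3 opaque bytes",
        "sub/notes.txt.rar_user@example.com": b"\x02\x9a opaque bytes",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for investigation, not proof of infection; confirm with anti-malware tooling before acting on it.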

Malware researchers most often see payloads like the RotorCrypt Ransomware's attacks paired with the expectation that the user will contact the provided e-mail address for 'help' with unlocking their files automatically. Con artists are especially likely to ask for payment for their assistance through transactions without safe refund policies, including cryptocurrencies or prepaid vouchers.

Breaking the Trojan Machinery Operating against Your Interests

While the RotorCrypt Ransomware has undergone various updates, primarily associated with rotating its contact addresses, its fundamental feature of locking files with RSA encoding remains consistent between versions. Secure backup strategies, such as copying files to detachable devices, always give potential victims of these attacks the optimal data recovery solutions without any need to contact security researchers for decryption help. Users should refrain, if possible, from paying or acknowledging other demands from the RotorCrypt Ransomware's threat actors, since decryptors endorsed by con artists are frequently unreliable or fraudulent.

While the RotorCrypt Ransomware is likely to undergo changes to its distribution strategies over the coming weeks, malware analysts currently relate it to fake RDP software downloads. Over two-thirds of most brands of anti-malware products are identifying this Trojan as a threat without requiring any further updates for accuracy. Decoding an RSA cipher isn't always possible, and blocking and deleting the RotorCrypt Ransomware as soon as possible with appropriate security software is the only way of guaranteeing that it can't damage files permanently.

Highly regionally-specific campaigns like the RotorCrypt Ransomware's attacks are more likely than not to use equally localized infection exploits. Russian Web surfers should stay alert to possible hoaxes that might install file-locking threats before they have to deal with the consequences.
