RotorCrypt Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Threat Level: 100% (High)
Infected Computers: 10
First Seen: November 3, 2016
Last Seen: July 23, 2019
OS(es) Affected: Windows
The RotorCrypt Ransomware, also known as RotoCrypt, is a threat infection designed to take the victim's data hostage. The RotorCrypt Ransomware variants described here were observed on October 17, 2017 (the scorecard above records samples as far back as November 3, 2016), and they carry out a well-known file-encryption attack effectively. Multiple versions of the RotorCrypt Ransomware have circulated at the same time: PC security researchers' analyses indicate that almost a dozen different versions were employed in the initial attacks detected. Like many other ransomware Trojans, the RotorCrypt Ransomware is delivered to victims as a file attachment in spam email messages. The RotorCrypt Ransomware targets computers running the Windows operating system, including the latest versions of Windows, and has been observed under the following file names on infected computers:
dead rdp.exe
ins.exe
GWWABPFL.EXE
Why You Should Prevent a RotorCrypt Ransomware Infection
There is very little to differentiate the RotorCrypt Ransomware from the numerous other encryption ransomware Trojans that have been observed carrying out similar attacks. The RotorCrypt Ransomware encrypts the victim's user-generated files, which range from media files and documents to configuration files, databases, and archives. Threats like the RotorCrypt Ransomware strive to encrypt as much of the victim's data as possible while avoiding system files and other files that Windows needs to function (if Windows stopped working, the RotorCrypt Ransomware could not display its demand or collect a ransom payment from the victim). Some examples of the file types that may be compromised by ransomware attacks such as the RotorCrypt Ransomware include:
.aif, .apk, .arj, .asp, .bat, .bin, .cab, .cda, .cer, .cfg, .cfm, .cpl, .css, .csv, .cur, .dat, .deb, .dmg, .dmp, .doc, .docx, .drv, .gif, .htm, .html, .icns, .iso, .jar, .jpeg, .jpg, .jsp, .log, .mid, .mp3, .mp4, .mpa, .odp, .ods, .odt, .ogg, .part, .pdf, .php, .pkg, .png, .ppt, .pptx, .psd, .rar, .rpm, .rss, .rtf, .sql, .svg, .tar.gz, .tex, .tif, .tiff, .toast, .txt, .vcd, .wav, .wks, .wma, .wpd, .wpl, .wps, .wsf, .xlr, .xls, .xlsx, .zip.
Trojans like the RotorCrypt Ransomware mark the files encrypted by the attack by appending a custom suffix to the affected file names. In the RotorCrypt Ransomware's case the suffix embeds the attackers' contact email address between padding characters, followed by a short tag (such as .c400 or .OTR); because multiple versions of the RotorCrypt Ransomware are in use, there are multiple suffixes associated with the attack, each tied to a different contact address used by the crooks to communicate with the victims. The suffix therefore identifies which variant hit a machine and which address the attackers expect to be contacted at. The file extensions that have been observed in different RotorCrypt Ransomware variants are:
!-=solve a problem=-=grandums@gmail.com=-.PRIVAT66
!___ELIZABETH7@PROTONMAIL.COM____.c400
!_____DILIGATMAIL7@tutanota.com_____.OTR
!_____FIDEL4000@TUTAMAIL.COM______.biz
!_____GEKSOGEN911@GMAIL.COM____.c300
!_____INKASATOR@TUTAMAIL.COM____.ANTIDOT
!_____LIKBEZ77777@GMAIL.COM____.c400
PATAGONIA5000@PROTONMAIL.COM
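The suffixes above follow one shape: original name, a "!" marker, padding or a slogan, the contact address, more padding, and a final dotted tag. That shape is enough to triage a file listing from a suspected infection and to tell whether the contact address is one already tied to RotorCrypt or a new one. The script below is an added example written for this page, not code from EnigmaSoft or from the ransomware; it parses that renaming pattern, reports the recovered original name, contact address and tag for each hit, and flags addresses not on the list above. The file listing is constructed for the demonstration, and the NEWCROOK@EXAMPLE.COM address in it is hypothetical, included only to show how an unlisted contact is reported.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Contact addresses taken from the extension list on this page, lower-cased
# for comparison. Matching is case-insensitive because the variants mix cases.
KNOWN_CONTACTS = {
    "grandums@gmail.com",
    "elizabeth7@protonmail.com",
    "diligatmail7@tutanota.com",
    "fidel4000@tutamail.com",
    "geksogen911@gmail.com",
    "inkasator@tutamail.com",
    "likbez77777@gmail.com",
    "patagonia5000@protonmail.com",
}

# Shape of the observed suffixes:
#   <original name> "!" <padding or slogan> <email> <padding> "." <tag>
# The original-name group is greedy, so a "!" inside the real file name is
# kept with the name and the LAST marker that yields a valid suffix is used.
# The e-mail local part must start with a letter or digit so that the
# underscore padding is not swallowed into the address.
RENAME_RE = re.compile(
    r"^(?P<original>.+)"
    r"(?P<suffix>!"
    r"[^@]*?"
    r"(?P<email>[A-Za-z0-9][A-Za-z0-9._%+-]*@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)"
    r"[^.]*"
    r"\.(?P<tag>[A-Za-z0-9]+))$"
)


@dataclass(frozen=True)
class EncryptedFile:
    path: str
    original_name: str   # file name before the ransomware renamed it
    contact: str         # attacker address embedded in the suffix (lower-cased)
    tag: str             # trailing tag, e.g. c400, OTR, PRIVAT66
    known_contact: bool  # True if the address is on this page's list


def parse_rotorcrypt_name(path: str) -> Optional[EncryptedFile]:
    """Return parsed details if the file name carries a RotorCrypt-style suffix."""
    name = ntpath.basename(path)  # handles Windows paths on any host
    m = RENAME_RE.match(name)
    if not m:
        return None
    contact = m.group("email").lower()
    return EncryptedFile(
        path=path,
        original_name=m.group("original"),
        contact=contact,
        tag=m.group("tag"),
        known_contact=contact in KNOWN_CONTACTS,
    )


def scan(paths: List[str]) -> List[EncryptedFile]:
    """Triage a file listing; untouched files are silently skipped."""
    hits = []
    for p in paths:
        parsed = parse_rotorcrypt_name(p)
        if parsed is not None:
            hits.append(parsed)
    return hits


def contacts_seen(hits: List[EncryptedFile]) -> Dict[str, int]:
    """Count encrypted files per attacker address (one address per variant)."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.contact] = counts.get(h.contact, 0) + 1
    return counts


# Constructed sample listing: three renamed files using suffixes from this
# page, one renamed file with a hypothetical unlisted contact, two clean files.
SAMPLE_LISTING = [
    r"C:\Users\ann\Documents\budget.xlsx!_____LIKBEZ77777@GMAIL.COM____.c400",
    r"C:\Users\ann\Pictures\holiday.jpg!-=solve a problem=-=grandums@gmail.com=-.PRIVAT66",
    r"C:\Users\ann\Desktop\notes.txt!_____INKASATOR@TUTAMAIL.COM____.ANTIDOT",
    r"C:\Users\ann\Desktop\plan.docx!_____NEWCROOK@EXAMPLE.COM____.c500",
    r"C:\Users\ann\Desktop\readme.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LISTING):
        status = "known RotorCrypt contact" if hit.known_contact else "UNLISTED contact"
        print(f"{hit.original_name:12} -> {hit.contact} tag={hit.tag} ({status})")
    print(contacts_seen(scan(SAMPLE_LISTING)))
```

On a real incident the listing would come from walking the user profile and any mapped shares (os.walk over each root) rather than from the constructed list. Parsing the suffix only identifies affected files and the variant's contact channel; it does not recover the encrypted contents.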
Computer users should refrain from communicating with the people responsible for the RotorCrypt Ransomware attack. Instead, they should take precautions to ensure that their data is protected from the RotorCrypt Ransomware and similar infections. File backups are the most effective protection against threats like the RotorCrypt Ransomware, provided the backup copies are kept offline or otherwise unreachable from the infected machine, since a backup on a connected drive or mapped share can be encrypted along with everything else.
Do not Trust the People Responsible for the RotorCrypt Ransomware
Some variants of the RotorCrypt Ransomware offer to restore a few files for free as proof that decryption is possible. Do not take that offer as a guarantee. Generally, once the payment is made, these people ignore the victim or demand additional amounts of money. Even if they do restore the victim's files, the victim may be targeted for further attacks, having once shown a willingness to pay. Another important reason to refrain from paying the RotorCrypt Ransomware ransom or interacting with these crooks is that every payment funds the creation and release of further threats.