
RotorCrypt Ransomware

Posted: November 3, 2016

Threat Metric

Threat Level: 10/10
Infected PCs: 23
First Seen: November 3, 2016
Last Seen: July 23, 2019
OS(es) Affected: Windows


The RotorCrypt Ransomware is a Trojan that encrypts your files with RSA so that they can no longer be opened. Most threat actors run attacks like this to collect ransoms in exchange for a possible decryption service, although paying is no guarantee of data recovery. Most symptoms appear only after the damage to your files is done, so preventative security steps, such as letting anti-malware programs remove the RotorCrypt Ransomware as soon as it appears, are recommended.

One Piece of a File-Locking Machine

While English-language Trojans are by far the most common entries in most threat databases, nations that speak other languages are hardly immune to similar attacks. One relatively recent demonstration of this is Russia's gradual transition into a regular target of file-locking Trojan campaigns, usually run by threat actors with little interest in or experience of working in other languages. These Trojans, such as the RotorCrypt Ransomware, often have less standardized payloads and may use data-locking methods that are difficult to crack.

Although most campaigns of this type focus on extorting money with bundled text or HTML messages, the RotorCrypt Ransomware doesn't appear to drop any ransom notes for its victims. Its infections do use the usual symptomless encryption routine to block media on the infected PC, but rely on RSA rather than the AES or simple XOR schemes most such Trojans use. It renames every blocked file by inserting a '.rar' extension and the e-mail address of its threat actor, which may be a Tutamail, Protonmail or Gmail address.
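The renaming behaviour described above is also the quickest way to triage a suspect machine: a file that ends in '.rar' and carries an e-mail address in its name, yet does not begin with the RAR archive signature, is almost certainly an encrypted victim file rather than an archive. The Python below is an added example, not code from the original page or from any security vendor; the page only says that a '.rar' extension and the attacker's e-mail are inserted, so the exact domain list, the acceptance of any local part before the '@', and the sample file listing are all assumptions made here.

```python
"""Triage helper for the RotorCrypt renaming pattern described above.

Flags files whose names carry an attacker e-mail plus a '.rar' extension and
reports whether their contents are a genuine RAR archive (an extension /
magic-byte mismatch points at an encrypted file, not an archive).
"""
import re
from pathlib import Path

# Assumption: the page names Tutamail, Protonmail and Gmail as providers; the
# concrete domain list is ours, and because the attacker address is unknown any
# local part is accepted. Since the separator between the original name and the
# address is also unknown, the local part may absorb part of the original name.
EMAIL_DOMAINS = ("tutamail.com", "tutanota.com", "protonmail.com", "gmail.com")
EMAIL_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@(?:" + "|".join(re.escape(d) for d in EMAIL_DOMAINS) + r")",
    re.IGNORECASE,
)

# Genuine RAR archives start with the signature "Rar!\x1a\x07" (followed by
# \x00 for RAR 1.5-4.x or \x01\x00 for RAR 5).
RAR_MAGIC = b"Rar!\x1a\x07"


def find_attacker_email(filename: str):
    """Return the contact address embedded in a file name, or None."""
    m = EMAIL_RE.search(filename)
    return m.group(0) if m else None


def looks_renamed(filename: str) -> bool:
    """True when the name ends in .rar AND carries an attacker e-mail address."""
    return filename.lower().endswith(".rar") and find_attacker_email(filename) is not None


def is_real_rar(header: bytes) -> bool:
    """True when the first bytes of the file are the RAR archive signature."""
    return header.startswith(RAR_MAGIC)


def triage(entries):
    """entries: iterable of (filename, first_bytes). Returns one finding per hit."""
    findings = []
    for name, head in entries:
        if not looks_renamed(name):
            continue
        findings.append({
            "file": name,
            "contact": find_attacker_email(name),
            "real_rar": is_real_rar(head),
        })
    return findings


def scan_directory(root: str):
    """Walk a directory tree and triage every file by name and 8-byte header."""
    entries = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            with p.open("rb") as fh:
                entries.append((p.name, fh.read(8)))
    return triage(entries)


# Constructed sample listing (hypothetical names and headers, not victim data).
SAMPLE = [
    ("report.docx.helpme@protonmail.com.rar", b"PK\x03\x04\x14\x00\x06\x00"),  # Office file, renamed
    ("photo.jpg.unlock@gmail.com.rar", b"\xff\xd8\xff\xe0\x00\x10JF"),          # JPEG, renamed
    ("backup.rar", b"Rar!\x1a\x07\x01\x00"),                                    # real RAR 5, no e-mail
    ("notes.txt", b"hello world\n"),                                            # untouched text file
    ("archive.decrypt@tutamail.com.rar", b"Rar!\x1a\x07\x00\x00\x00\x00"),     # name matches, genuine RAR
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        status = "genuine RAR archive" if f["real_rar"] else "NOT a RAR archive: likely encrypted"
        print(f"{f['file']}: contact={f['contact']} -> {status}")
```

Run it against a mounted image or a suspect share with scan_directory(); the contact address it extracts is the same one the victim is expected to write to, which makes it a convenient pivot for correlating samples across versions that only rotate their e-mail.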

Malware researchers most often see payloads like the RotorCrypt Ransomware's in campaigns that expect the victim to contact the provided e-mail address for 'help' with unlocking their files. Con artists are especially likely to demand payment for this assistance through transactions without safe refund policies, such as cryptocurrencies or prepaid vouchers.

Breaking the Trojan Machinery Operating against Your Interests

While the RotorCrypt Ransomware has undergone various updates, mostly to rotate its contact addresses, its core feature of locking files with RSA encryption has remained consistent between versions. Secure backup strategies, such as copying files to detachable devices that are disconnected afterwards so the Trojan can't reach them, always give potential victims the best data recovery option without any need to seek decryption help from security researchers. Users should refrain from paying or otherwise acknowledging the demands of the RotorCrypt Ransomware's threat actors where possible, since the decryptors con artists offer are frequently unreliable or fraudulent.

While the RotorCrypt Ransomware is likely to change its distribution strategies over the coming weeks, malware analysts currently tie it to fake RDP software downloads. More than two-thirds of anti-malware brands already identify this Trojan as a threat without needing further updates. Recovering RSA-encrypted files without the attacker's private key is infeasible unless the Trojan's implementation is flawed, so blocking and deleting the RotorCrypt Ransomware as soon as possible with appropriate security software is the only way to guarantee that it can't damage files permanently.

Highly region-specific campaigns like the RotorCrypt Ransomware's are more likely than not to use equally localized infection methods. Russian Web surfers should stay alert to possible hoaxes that might install file-locking threats before they have to deal with the consequences.
