
Remove Rotor Virus (cocoslim98) and Restore .tar Files

[Image: Rotor ransomware ransom message]

Cocoslim98 is a newly emerged cryptovirus, named after the email address it leaves for contacting the criminals behind it. Malware researchers say that its real name is “Rotor”. The virus encrypts files on a compromised machine, appends the .tar extension to them, and then demands that 7 Bitcoins be paid to the [email protected] address. To see how to remove this virus and how you can try to restore your encrypted files, read the full article carefully.

Threat Summary

Name: Rotor Virus
Type: Ransomware, Cryptovirus
Short Description: The virus will encrypt files and demand a ransom as payment for decrypting them.
Symptoms: The ransomware appends the .tar extension to each file that is locked, asks for 7 Bitcoins and demands that you contact the address [email protected]
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Rotor Virus (download a malware removal tool)
User Experience: Join Our Forum to Discuss Rotor Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Rotor Virus (cocoslim98) – Infection

The Rotor virus, a.k.a. Cocoslim98 ransomware, can infect your computer in different ways. The payload file could be distributed with spam email campaigns: the file is attached to the email and presented as important. The whole email will look legitimate and will try to convince you that you need to download the attachment, because the full information could not be conveyed in the body of the email. If you open the file, however, consider your computer infected. That file may be obfuscated, but in most cases it is an executable.

[Image: VirusTotal analysis of the Rotor payload, detected as Trojan-Ransom.Win32.Rotor]

You can see from the VirusTotal analysis report shown above that the file is called GbMxybQN.exe and is already detected by many antivirus vendors. The creators of the ransomware could be spreading that file with targeted attacks or via file-sharing services and social media platforms. Refrain from opening executables from suspicious emails and links, especially those of unknown origin. Scan such files with a security program and check their signatures and size first. You should also have a look at the ransomware prevention tips in our forum.

Rotor Virus (cocoslim98) – Analysis

Malware researchers have discovered that what many infected users call the Cocoslim98 ransomware is actually a previously known cryptovirus named “Rotor”. On the Payload Security platform, the detection for the malicious executable file is Trojan-Ransom.Win32.Rotor:

[Image: Payload Security report, detection Trojan-Ransom.Win32.Rotor]

When the payload file of the Rotor virus is on a computer, it can wait up to two whole minutes before executing, according to the malware researchers of Payload Security. The virus seems to primarily target servers, although ordinary Windows machines have been infected as well.

After execution, Rotor could set values in the Windows Registry for persistence. These registry entries make the ransomware start automatically with each boot of the Windows operating system. After the files are encrypted, a short note with instructions for paying the ransom is created. You can view that ransom note in the screenshot below:

[Image: Rotor ransom message]

The ransom message reads the following:

Good day

Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin

Recommend to solve the problem quickly and not to delay

Also give advice on how to protect Your server against threats from the network

(Files sql mdf backup decryption strictly after payment)!

The Rotor ransomware does not give you a particular deadline for paying the cybercriminals to decrypt your data, and it offers free decryption of a few files for testing purposes. However, its demands are rather high: the amount of money asked is large, and the decryption of some files (the SQL and MDF backups) is only available after payment. The ransom price is 7 Bitcoins, which amounts to a little more than 4400 US dollars.

You shouldn’t be thinking of paying the extortionists, as no one can guarantee that you will get your files back after payment. The crooks will most probably use the money to make another ransomware or commit other crimes. Instead, you should decrypt as many files as possible using their test decryption service and wait for a possible solution.

A full and official list of the extensions encrypted by the ransomware is not yet available, but the following file types have been reported to be encrypted by the Rotor virus:

→.csv, .doc, .ppt, .xls, .avi, .bak, .bmp, .dbf, .djvu, .docx, .exe, .flv, .gif, .jpeg, .jpg, .mdb, .sql, .mdf, .odt, .pdf, .png, .pps, .pptm, .pptx, .psd, .rar, .raw, .tif, .txt, .vob, .xlsb, .xlsx, .zip

All of the encrypted files will have the extension [email protected]____.tar appended to them. That is where the contact email is stated, and why the ransomware is known by that name among infected users, although there are also a few reports of files having the extension [email protected]____.tar. The encryption algorithm used is unknown, but the resulting .tar files do not appear to be regular archives. On top of that, such files are usually associated with the Mac operating system.
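The naming scheme above (original name plus a "<contact email>____.tar" suffix) is enough to inventory what the ransomware touched, and the article's observation that the .tar files "do not seem regular" can be checked directly: a genuine tar archive parses, an encrypted blob does not. The following triage script is an added example, not code from the article or from SensorsTechForum; it goes slightly beyond the text by also flagging any file that ends in .tar but is not a parseable tar archive. The contact address in the constructed sample (attacker-contact@example.invalid) is a placeholder, and the sample directory it builds is constructed, not real infection data.

```python
import os
import re
import tarfile
import tempfile

# Naming pattern described in the article: "<contact e-mail>____.tar" appended to the
# original file name. The e-mail itself is matched generically, not hard-coded.
ROTOR_SUFFIX = re.compile(r"[^\\/]+@[^\\/]+____\.tar$", re.IGNORECASE)


def is_rotor_name(filename):
    """True when a file name carries the Rotor-style '<email>____.tar' suffix."""
    return bool(ROTOR_SUFFIX.search(filename))


def triage(root):
    """Walk `root` and return sorted (relative path, verdict) pairs for suspicious files.

    Two verdicts:
      rotor_extension              - name matches the Rotor suffix pattern
      tar_name_but_not_tar_archive - ends in .tar but is not a parseable tar archive
    Regular files, including genuine .tar archives, produce no finding.
    """
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if is_rotor_name(name):
                findings.append((rel, "rotor_extension"))
            elif name.lower().endswith(".tar") and not tarfile.is_tarfile(full):
                findings.append((rel, "tar_name_but_not_tar_archive"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed sample directory (not real infection data) and return its path."""
    root = tempfile.mkdtemp(prefix="rotor_triage_")
    # Placeholder contact address; the real one is deliberately not reproduced here.
    encrypted = os.path.join(root, "invoice.xlsx.attacker-contact@example.invalid____.tar")
    with open(encrypted, "wb") as f:
        f.write(os.urandom(256))          # stand-in for ciphertext
    odd = os.path.join(root, "odd.tar")   # misnamed: plain text, not an archive
    with open(odd, "w") as f:
        f.write("not an archive\n")
    readme = os.path.join(root, "readme.txt")
    with open(readme, "w") as f:
        f.write("ordinary file\n")
    good = os.path.join(root, "backup.tar")   # genuine tar archive, must not be flagged
    with tarfile.open(good, "w") as tf:
        tf.add(readme, arcname="readme.txt")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, verdict in triage(sample_root):
        print(f"{verdict:30} {path}")
```

Run it against a copy of the affected share rather than the live system, and keep the output: the list of files with the Rotor suffix is what you will hand to a decryptor if one becomes available, and the "named .tar but not an archive" verdict separates encrypted data from any real archives that happened to be on the machine.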

The Rotor ransomware is highly likely to delete the Shadow Volume Copies of the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet
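The two behaviours the article attributes to Rotor, a registry autostart entry for persistence and a vssadmin call that wipes the Shadow Volume Copies, are both visible in process-creation and registry telemetry, so they make good detection triggers. The script below is an added example, not code from the article; it runs simple rules over a handful of constructed Sysmon-style events (not real logs). The Run/RunOnce key location is an assumption on my part, since the article does not name which registry values Rotor sets; the GbMxybQN.exe file name is the one the article reports.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style records); not real logs.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /Quiet",
     "parent": r"C:\Users\bob\Downloads\GbMxybQN.exe"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows",            # benign admin activity
     "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "type": "registry",                        # assumed Run-key autostart
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "data": r"C:\Users\bob\AppData\Local\Temp\GbMxybQN.exe"},
    {"id": 4, "type": "registry",                        # legitimate autostart entry
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Any vssadmin invocation that deletes shadow copies, with or without /all.
SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
# Autostart locations (assumed for this example; the article does not name the key).
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Paths an unprivileged user can write to; an autostart pointing here is suspicious.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|Users\\Public|ProgramData|Temp)\\",
    re.IGNORECASE,
)


def classify(event):
    """Return a rule name when the event matches a Rotor-like behaviour, else None."""
    if event["type"] == "process" and SHADOW_DELETE.search(event["cmdline"]):
        return "shadow_copy_deletion"
    if (event["type"] == "registry"
            and RUN_KEY.search(event["key"])
            and USER_WRITABLE.search(event["data"])):
        return "run_key_persistence_user_path"
    return None


def detect(events):
    """Run every event through classify() and collect (event id, rule) hits in order."""
    hits = []
    for ev in events:
        verdict = classify(ev)
        if verdict:
            hits.append((ev["id"], verdict))
    return hits


if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

The shadow-copy rule fires on the exact command quoted above and on variants that delete a single volume's copies; it does not fire on `vssadmin list shadows`. The persistence rule keys on where the autostart target lives rather than on a file name, so it still works when the dropper is renamed. In a real deployment, a shadow-copy deletion whose parent process is an executable in a user-writable directory is the combination worth alerting on at high severity.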

Continue reading to see how you can try to restore some of your files. Kaspersky may have a possible solution in the form of a decryptor tool.

Remove Rotor Virus (cocoslim98) and Restore .tar Files

If your computer got infected with the Rotor ransomware, you should have some experience in removing malware. Get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware and follow the step-by-step guide given below. To see ways you can try to recover your data, see the step titled 2. Restore files encrypted by Rotor Virus.

Manually delete Rotor Virus from your computer

Note! Substantial notification about the Rotor Virus threat: Manual removal of Rotor Virus requires interference with system files and registries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Rotor Virus files and objects
2. Find malicious files created by Rotor Virus on your PC

Automatically remove Rotor Virus by downloading an advanced anti-malware program

1. Remove Rotor Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Rotor Virus
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
