Cocoslim98 is a newly emerged cryptovirus, which is called like that, because of the email that it leaves for contacting the criminals behind it. Malware researchers say that its real name is “Rotor”. The virus will encrypt files on a compromised machine and add the .tar extension to them and after that it will ask for 7 Bitcoins to be paid to the firstname.lastname@example.org address. To see how to remove this virus and how you can try to restore your encrypted files, read the full article carefully.
|Short Description||The virus will encrypt files and demand a ransom as payment for decrypting them.|
|Symptoms||The ransomware puts the .tar extension appended to each file that is locked and asks for 7 Bitcoins and to contact the address email@example.com|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by Rotor Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Rotor Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Rotor Virus (cocoslim98) – Update February 2018
Rotor Virus (cocoslim98) – Infection
The Rotor virus a.k.a. Cocoslim98 ransomware can infect your computer machine using different ways. The payload file could be distributed with spam email campaigns. Through the emails the file can be attached and introduced as important. The whole email will look legitimate and will try to convince you that you need to download the attachment, because the full data could not be conveyed in the body of the email. If you open the file, however, deem your computer infected. That file can be obfuscated, but it is an executable in most cases.
You can see from the analysis report, shown above, of the VirusTotal site that the file is called GbMxybQN.exe and already being detected by many Antivirus vendors. The creators of the ransomware could be spreading that file with targeted attacks or via sharing services and social media platforms. Refrain from opening executables from suspicious emails and links, especially if they are with an unknown origin. Scan such files with a security program and check their signatures and size first. You should have a look at the ransomware prevention tips in our forum.
Rotor Virus (cocoslim98) – Analysis
Malware researchers have discovered that what many infected users call the Cocoslim98 ransomware is actually a previously known cryptovirus named “Rotor”. You can see that in the platform Payload Security, the detection for the malicious executable file is Trojan-Ransom.Win32.Rotor:
When the payload file of the Rotor virus is on a computer, it can wait up to two whole minutes before executing, according to malware researchers of Payload Security. The virus seems to primarily target servers, although basic Windows machines have been infected as well.
After execution Rotor could set up values in the Windows Registry for perseverance. These values are set in entries of the registry and make the ransomware start automatically with each boot of the Windows operating system. After files are encrypted a small note with instructions for paying the ransom is created. You can view that ransom note in the snapshot below:
The ransom message reads the following:
Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!
The Rotor ransomware does not give you a particular deadline for paying the cybercriminals to decrypt your data. It also offers free decryption of a few files for testing purposes. However, its demands are rather high with the amount of money that is asked and that the decryption of some files being only available after payment. The ransom price is 7 Bitcoins which amounts to a little more than 4400 US dollars.
You shouldn’t be thinking of paying the extortionists, as no one can give you a guarantee that you will get your files back after payment. The crooks will most probably use the money to make another ransomware or do other criminal acts. Besides, you should decrypt as many files as possible using their test decryption service and wait for a possible solution.
A full and official list of extensions being encrypted by the ransomware is not yet available, but the following file types have been reported to be encrypted by the Rotor virus:
→.csv, .doc, .ppt, .xls, .avi, .bak, .bmp, .dbf, .djvu, .docx, .exe, .flv, .gif, .jpeg, .jpg, .mdb, .sql, .mdf, .odt, .pdf, .png, .pps, .pptm, .pptx, .psd, .rar, .raw, .tif, .txt, .vob, .xlsb, .xlsx, .zip
All of the encrypted files will have the extension !firstname.lastname@example.org____.tar appended to them. That is where the contact email is stated and why the ransomware is known by that name among infected users. Although, there are also a few reports of files having the extension !____GLOK9200@gmail.com____.tar. The used encryption algorithm is unknown, but the .tar archive files do not seem regular. On top of that, usually, the MAC operating system has such files.
The Rotor ransomware is highly likely to delete the Shadow Volume Copies of the Windows operating system with the following command:
→vssadmin.exe delete shadows /all /Quiet
Continue to read and see in what ways you can try to restore some of your files. Kaspersky may have a possible solution in the form of a decryptor tool.
Remove Rotor Virus (cocoslim98) and Restore .tar Files
If your computer got infected with the Rotor ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible before it can have the chance to spread further and infect more computers. You should remove the ransomware and follow the step-by-step instructions guide given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Rotor Virus.