Remove Rotor Virus (cocoslim98) and Restore .tar Files - How to, Technology and PC Security Forum

Remove Rotor Virus (cocoslim98) and Restore .tar Files



Cocoslim98 is a newly emerged cryptovirus, named after the email address it leaves for contacting the criminals behind it. Malware researchers say that its real name is “Rotor”. The virus encrypts files on a compromised machine, adds the .tar extension to them and then asks for 7 Bitcoins to be paid and for the victim to contact that email address. To see how to remove this virus and how you can try to restore your encrypted files, read the full article carefully.

Threat Summary

Name: Rotor Virus
Type: Ransomware, Cryptovirus
Short Description: The virus will encrypt files and demand a ransom as payment for decrypting them.
Symptoms: The ransomware appends the .tar extension to each file that is locked, asks for 7 Bitcoins and tells the victim to contact the email address.
Distribution Method: Spam Emails, Email Attachments
Detection Tool: See If Your System Has Been Affected by Rotor Virus (Malware Removal Tool)
User Experience: Join Our Forum to Discuss Rotor Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Rotor Virus (cocoslim98) – Update February 2018

Update! A decryption tool is now available for the Rotor Ransomware Virus (RotorCrypt)! The tool was created by malware researchers from Kaspersky and can be downloaded from the following link, wrapped inside a .zip archive: Rakhni Decryption Tool.

Rotor Virus (cocoslim98) – Infection

The Rotor virus, a.k.a. Cocoslim98 ransomware, can infect your computer in different ways. The payload file could be distributed through spam email campaigns, attached to the email and presented as something important. The whole email will look legitimate and will try to convince you that you need to download the attachment because the full information could not be conveyed in the body of the email. If you open the file, however, consider your computer infected. That file can be obfuscated, but in most cases it is an executable.


You can see from the VirusTotal analysis report shown above that the file is called GbMxybQN.exe and is already detected by many antivirus vendors. The creators of the ransomware could be spreading that file with targeted attacks or via file-sharing services and social media platforms. Refrain from opening executables from suspicious emails and links, especially if they are of unknown origin. Scan such files with a security program and check their signatures and size first. You should also have a look at the ransomware prevention tips in our forum.
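The advice above to check an attachment's size and signature before trusting its name can be turned into a small triage step. The script below is an added example written for this article, not code from the page, from VirusTotal or from any vendor mentioned here: it reads the file header for the PE executable magic, so a file disguised with a document extension is still recognised as an executable, and computes the SHA-256 hash you would look up on VirusTotal. The `fake_pe()` bytes are a constructed header used only for the demonstration, not the real GbMxybQN.exe sample.

```python
import hashlib
import struct
from pathlib import Path

# A Windows PE executable starts with the DOS "MZ" signature, and the offset of the
# "PE\0\0" signature is stored as a little-endian uint32 at byte 0x3C.
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

# Extensions under which executable content is at least not disguised.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com"}


def is_pe_executable(data: bytes) -> bool:
    """Return True when the bytes carry a PE header, whatever the file is called."""
    if len(data) < 0x40 or data[:2] != MZ_MAGIC:
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    # A truncated slice never equals the 4-byte signature, so no bounds error is possible.
    return data[pe_offset:pe_offset + 4] == PE_SIGNATURE


def triage_attachment(name: str, data: bytes) -> dict:
    """Summarise an attachment: size, SHA-256 for a reputation lookup, and whether the
    content is an executable hiding behind a non-executable extension."""
    claimed_ext = Path(name).suffix.lower()
    executable = is_pe_executable(data)
    return {
        "name": name,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_executable": executable,
        # Document-looking name with executable content is the classic disguise.
        "suspicious": executable and claimed_ext not in EXECUTABLE_EXTENSIONS,
    }


def fake_pe() -> bytes:
    """Constructed minimal byte string with a valid MZ/PE header layout (not a real binary)."""
    header = bytearray(0x80)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)   # PE signature lives at offset 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)


if __name__ == "__main__":
    # Constructed samples: a disguised executable and an ordinary text file.
    for name, data in [("Invoice_2018.pdf", fake_pe()), ("notes.txt", b"hello")]:
        print(triage_attachment(name, data))
```

The hash is what you would paste into VirusTotal; the `suspicious` flag is the cheap local check that catches the case the text describes, an executable named to look like a document.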

Rotor Virus (cocoslim98) – Analysis

Malware researchers have discovered that what many infected users call the Cocoslim98 ransomware is actually a previously known cryptovirus named “Rotor”. You can see that on the Payload Security platform the detection for the malicious executable file is Trojan-Ransom.Win32.Rotor:


When the payload file of the Rotor virus lands on a computer, it can wait up to two whole minutes before executing, according to malware researchers at Payload Security. The virus seems to primarily target servers, although ordinary Windows machines have been infected as well.

After execution Rotor could set values in the Windows Registry for persistence. Those registry entries make the ransomware start automatically with each boot of the Windows operating system. After files are encrypted, a small note with instructions for paying the ransom is created. You can view that ransom note in the snapshot below:


The ransom message reads the following:

Good day

Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin

Recommend to solve the problem quickly and not to delay

Also give advice on how to protect Your server against threats from the network

(Files sql mdf backup decryption strictly after payment)!

The Rotor ransomware does not give you a particular deadline for paying the cybercriminals to decrypt your data. It also offers free decryption of a few files for testing purposes. However, its demands are high, both in the amount of money asked and in that the decryption of some files (the sql, mdf and backup files named in the note) is only available after payment. The ransom price is 7 Bitcoins, which amounts to a little more than 4400 US dollars.

You shouldn’t be thinking of paying the extortionists, as no one can guarantee that you will get your files back after payment. The crooks will most probably use the money to make another ransomware or commit other criminal acts. Instead, you should decrypt as many files as possible using their test decryption service and wait for a possible solution.

A full and official list of extensions being encrypted by the ransomware is not yet available, but the following file types have been reported to be encrypted by the Rotor virus:

→.csv, .doc, .ppt, .xls, .avi, .bak, .bmp, .dbf, .djvu, .docx, .exe, .flv, .gif, .jpeg, .jpg, .mdb, .sql, .mdf, .odt, .pdf, .png, .pps, .pptm, .pptx, .psd, .rar, .raw, .tif, .txt, .vob, .xlsb, .xlsx, .zip

All of the encrypted files will have the extension !____cocoslim98@gmail.com____.tar appended to them. That is where the contact email is stated and why the ransomware is known by that name among infected users. There are also a few reports of files having the extension !____GLOK9200@gmail.com____.tar. The encryption algorithm used is unknown, but the resulting .tar files are not regular archives. On top of that, .tar archives are usually found on the Mac operating system rather than on Windows.
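Because the renamed files are not real archives, an inventory of an affected machine should not rely on the .tar extension alone. The following is an added example written for this article, not code from the page or from Kaspersky: it recovers the original file name and the contact address from the Rotor naming pattern (covering both addresses reported above and any other address in that slot), and checks for the tar magic that every genuine tar archive carries at byte 257 of its first header, so an encrypted blob and a real archive can be told apart before any recovery attempt. The sample file set, including the "encrypted" contents, is constructed for the demonstration.

```python
import io
import re
import tarfile
from typing import Optional

# Rotor appends "!____<contact email>____.tar" to each encrypted file. The article
# reports two addresses (cocoslim98@gmail.com and GLOK9200@gmail.com); the pattern
# accepts any address in that slot so both variants are covered.
ROTOR_NAME = re.compile(r"^(?P<original>.+?)!____(?P<email>\S+?@\S+?)____\.tar$")

# Every tar format except the ancient v7 layout stores the magic "ustar" at byte 257
# of the first 512-byte header block; ciphertext will almost never contain it there.
TAR_MAGIC_OFFSET = 257
TAR_MAGIC = b"ustar"


def parse_rotor_name(filename: str) -> Optional[dict]:
    """Split a Rotor-style name into the original file name and the contact address."""
    m = ROTOR_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "email": m.group("email")}


def looks_like_real_tar(data: bytes) -> bool:
    """Check the tar magic instead of trusting the .tar extension."""
    end = TAR_MAGIC_OFFSET + len(TAR_MAGIC)
    return len(data) >= end and data[TAR_MAGIC_OFFSET:end] == TAR_MAGIC


def classify(filename: str, data: bytes) -> str:
    """Label a file for an inventory run before attempting any recovery.

    rotor-encrypted : Rotor naming and no tar structure inside (typical victim file)
    renamed-tar     : Rotor naming but genuine tar content (worth a manual look)
    tar             : ordinary archive, no ransomware marker
    other           : everything else
    """
    parsed = parse_rotor_name(filename)
    real_tar = looks_like_real_tar(data)
    if parsed and not real_tar:
        return "rotor-encrypted"
    if parsed and real_tar:
        return "renamed-tar"
    if filename.lower().endswith(".tar") and real_tar:
        return "tar"
    return "other"


def make_sample_tar() -> bytes:
    """Constructed genuine tar archive, built in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"quarterly figures"
        info = tarfile.TarInfo(name="report.txt")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def inventory(files: dict) -> dict:
    """Map each file name to its classification; `files` is {name: content bytes}."""
    return {name: classify(name, data) for name, data in files.items()}


if __name__ == "__main__":
    # Constructed sample set: the "encrypted" contents are arbitrary bytes standing in
    # for ciphertext; they are not taken from a real infection.
    sample = {
        "budget.xlsx!____cocoslim98@gmail.com____.tar": bytes(range(256)) * 3,
        "dump.sql!____GLOK9200@gmail.com____.tar": b"\x7f" * 700,
        "backup.tar": make_sample_tar(),
        "notes.txt": b"plain text",
    }
    for name, label in inventory(sample).items():
        print(f"{label:16} {name}")
```

Running the inventory over a copy of the affected data gives you the list of original names to feed a decryptor and keeps real archives out of that list. The "renamed-tar" label is rare but worth keeping: a file that carries the ransomware suffix yet still parses as a tar archive was likely renamed without being encrypted.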

The Rotor ransomware is highly likely to delete the Shadow Volume Copies of the Windows operating system with the following command:

→vssadmin.exe delete shadows /all /Quiet
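Deleting the Shadow Volume Copies is the step that removes the built-in recovery option, and it is also one of the most reliable things to alert on. The following is an added detection example written for this article, not code from the page or from Kaspersky or Payload Security. It runs over a constructed set of process-creation records (the CSV column layout and every row are invented for the example and do not reproduce any real event-log format; GbMxybQN.exe appears as a parent process only because the article names that file) and flags vssadmin invocations that delete shadow copies regardless of argument order, letter case or whether the full System32 path is used.

```python
import csv
import io
from typing import List

# Constructed process-creation records for the demonstration. The column layout is
# invented for this example and is not the format of any particular EDR or event log.
SAMPLE_LOG = r"""timestamp,parent_image,image,command_line
2018-02-01T10:02:11,explorer.exe,notepad.exe,notepad.exe C:\Users\ann\notes.txt
2018-02-01T10:04:56,cmd.exe,vssadmin.exe,vssadmin.exe list shadows
2018-02-01T10:05:02,GbMxybQN.exe,vssadmin.exe,vssadmin.exe delete shadows /all /Quiet
2018-02-01T10:05:30,services.exe,svchost.exe,svchost.exe -k netsvcs
2018-02-01T10:06:44,powershell.exe,VSSADMIN.EXE,C:\Windows\System32\VSSADMIN.EXE Delete Shadows /For=C: /All /Quiet
"""

VSSADMIN_NAMES = {"vssadmin", "vssadmin.exe"}


def is_shadow_deletion(command_line: str) -> bool:
    """True when the command line runs vssadmin with the 'delete shadows' verb.

    Matching is case-insensitive and strips any directory from the image path, so
    "VSSADMIN.EXE Delete Shadows ..." and a full System32 path both match, while
    "vssadmin.exe list shadows" does not.
    """
    tokens = command_line.lower().split()
    if len(tokens) < 3:
        return False
    image = tokens[0].rsplit("\\", 1)[-1]
    return image in VSSADMIN_NAMES and tokens[1] == "delete" and tokens[2] == "shadows"


def scan_process_log(csv_text: str) -> List[dict]:
    """Return one alert per shadow-copy deletion found in the records."""
    alerts = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row["command_line"]
        if not is_shadow_deletion(cmd):
            continue
        switches = set(cmd.lower().split()[3:])
        alerts.append({
            "timestamp": row["timestamp"],
            "parent": row["parent_image"],
            "all_volumes": "/all" in switches,   # every shadow copy, not a single one
            "quiet": "/quiet" in switches,       # suppresses the confirmation prompt
            "command_line": cmd,
        })
    return alerts


if __name__ == "__main__":
    for alert in scan_process_log(SAMPLE_LOG):
        print(f"{alert['timestamp']} shadow copies deleted by child of "
              f"{alert['parent']}: {alert['command_line']}")
```

Backup software also runs `vssadmin delete shadows` legitimately, so the parent process is the discriminator when triaging these alerts: an unrecognised executable spawning it is the pattern described in this article, a known backup agent usually is not. Given the delay of up to two minutes before execution noted above, the deletion may show up well after the payload first appeared on disk.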

Continue reading to see in what ways you can try to restore some of your files. Kaspersky may have a solution in the form of a decryptor tool.

Remove Rotor Virus (cocoslim98) and Restore .tar Files

If your computer got infected with the Rotor ransomware virus, you should have some experience in removing malware. You should get rid of this ransomware as fast as possible, before it has the chance to spread further and infect more computers. Remove the ransomware by following the step-by-step instructions given below. To see ways that you can try to recover your data, see the step titled 2. Restore files encrypted by Rotor Virus.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
