Remove RotorCrypt Virus – Restore .!@#$%^&-()_+.1C Files

Remove RotorCrypt Virus – Restore .!@#$%^&-()_+.1C Files

This article will aid you remove RotorCrypt Ransomware effectively. Follow the removal instructions at the end.

Security reports indicate a new release of the RotorCrypt ransomware family encrypting target data with the .!@#$%^&-()_+.1C extension. Like previous versions it has an extensive list of modules that are launched, they impact every single area of the operating system. Depending on their configuration they can also lead to the installation of other threats — viruses, ransomware, miners and Trojans. Our guide explains how computer users can spot the infections and attempt to remove them.

Threat Summary

NameRotorCrypt Virus
Short DescriptionThe ransomware encrypts files on your computer and displays a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension !@#$%^&-()_+.1C to them after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by RotorCrypt Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss RotorCrypt Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RotorCrypt Ransomware – Distribution

The RotorCrypt ransomware can be distributed using the most common methods used by hackers to distribute malware threats to victims. One of the common mechanisms is the coordination of email phishing campaigns. They are sent in bulk and modeled after legitimate messages sent by real-world Internet services or sites. The virus files may be directly attached or linked in the body contents or embedded as multimedia content.

A related method is the creation of download sites that are modeled after well-known vendor sites and Internet portals. Both the fake emails and sites are also among the main methods for spreading infected payloads of which there are two popular types:

  • Infected Documents — The hackers can embed malicious scripts into files of all popular types types: presentations, spreadsheets, databases and text documents. Whenever they are opened a script may be run or permissions requested to execute them. When this is done the virus installation will commence.
  • Software Bundles — The criminals can embed the RotorCrypt ransomware installation code in application setup files. The hackers typically choose popular applcations that are frequently installed by end users. The list includes software such as productivity applications, creativity suites and system utilities. Whenever they are installed the Rotorcrypt ransomware will also be implanted onto the victim machines. provide

Virus code like this one in all of its forms can also be spread via file sharing networks such as BitTorrent. They are a very popular method for distributing both stand-alone files and pirate content. The fact that they spread such copies of software makes it a very prominent source of infected payloads, especially malware setup files.

In certain cases the criminals behind the active RotorCrypt ransomware campaign can also spread the virus instances via malicious web browser plugins. They are made to resemble useful extensions, the versions are made compatible with the most popular web browsers. The associated descriptions usually includes fake user reviews and developer credentials. Whenever they are installed the built-in behavior patterns will be started. Usually this includes changes to the software such as modifications to the default home page, new tabs page and search engine. The virus infection will follow when these processes are complete.

RotorCrypt Ransomware – Information

The RotorCrypt ransomware family is a popular hacking tool which may be offered to interested parties. The collected samples have undergone an initial security analysis. When the virus is implanted in the system it will start its built-in commands which can vary according to the hacker instructions. As it is based on a modular framework the attacks can change at any time.

The RotorCrypt files appear to be test versions as not all functionality of the RotorCrypt ransomware family is exhibited.

The analysis shows that the engine is run as a standalone process which is assigned to run the following actions:

  • System Files Removal — The associated engine has been found to delete the Shadow Volume Copies, System Restore points and other data that is used to restore the normal functioning of the operating system.
  • Boot Options Modification — The test samples of this RotorCrypt ransomware have been found to alter the boot options by disabling access to the recovery boot menu. The virus will modify the options in a way which makes it impossible to use several manual recovery guides.

These two actions are undertaken in order to make recovery more difficult and allow the virus engine to start other modules as well.

Some of the common tactics enforced by this type of ransomware include a series of actions data harvesting commands. The hijacked information can help the operators expose the identity of the victims. This is done by targeting strings such as their name, address, phone number, location data and any stored account credentials. The engine can access both the operating system and any installed applications which makes infections with the RotorCRypt ransomware very dangerous. The other group of data includes a report on the installed hardware parts, user settings and operating system environment values.

What may follow in the typical case is a stealth infiltration which will bypass the security software installed on the target computer. This is done by scanning for the signatures of engines such as those belonging to anti-virus programs and sandbox environments. Many ransomware versions can also detect if they are running inside a virtual machine hosts and terminate the process.

Infections with such threats can be very dangerous as they can be used to plant other malware. Examples include other ransomware, viruses or Trojans. The Trojan installations are one of the most dangerous consequences as they can establish a secure connection to a hacker-controlled server. This allows the hackers to take over control of the hosts, spy on the users and hijack their files both before and after the encryption has taken place.

RotorCrypt Ransomware – Encryption Process

When these modules have completed execution the encryption module will be started. A strong cipher is used to process sensitive user data:

  • Archives
  • Documents
  • Databases
  • Backups
  • Images
  • Videos
  • Music

All victim files will be renamed with the .!@#$%^&-()_+.1C extension. Such renaming schemes are typical of this malware family. The associated ransomware note is created in a file called INFO.txt. It includes the following content:

Для связи с нами используйте почту

A translation of the note from Russian reads the following:

To contact us use the following email addresses

Remove RotorCrypt Ransomware and Restore !@#$%^&-()_+.1C Files

If your computer got infected with the RotorCrypt Ransomware ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share