Hackers have created a new strain of the RotorCrypt virus which encrypts user data and marks it with the .AlfaBlock extension. The ongoing attack uses several methods to spread the ransomware, and users all around the world are targeted. Our article provides an overview of the virus operations and may also help in removing the virus.
| Threat Summary | |
|---|---|
| Short Description | The ransomware encrypts sensitive information on your computer system, appends the .AlfaBlock extension to the affected files and demands a ransom to be paid to allegedly recover them. |
| Symptoms | Files are encrypted with a strong encryption algorithm and renamed with the .AlfaBlock extension; the operators' contact e-mail address is embedded in the new file names. |
| Distribution Method | Spam Emails, Email Attachments |
RotorCrypt virus – Distribution Ways
RotorCrypt virus samples can be distributed using various techniques. Commonly the hackers behind the active campaign utilize several different mechanisms at once in order to increase the number of affected hosts.
A popular technique is the creation and coordination of SPAM email messages containing social engineering elements. They coerce the victims into retrieving and opening the malicious files or scripts that lead to the RotorCrypt virus infection.
The other, similar method is to build fake web sites that copy elements of legitimate portals and use similar-sounding domain names. These two methods are among the main tactics for delivering infected payloads. There are two main types of carrier most commonly used to distribute the ransomware:
- Documents — RotorCrypt virus samples can be distributed via macro scripts embedded in document files of various types: spreadsheets, presentations, rich text files or databases. When the victim opens such a file a notification prompt appears asking them to enable the built-in content. Doing so triggers a payload download that retrieves the virus sample from a remote server and starts its execution.
- Application Installers — The criminals can also embed the threat in fake installers of popular software, ranging from system utilities to productivity apps and well-known creativity suites. Most commonly they are made by taking the legitimate files from the official vendor download sites and modifying them to include the virus code.
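The document carrier above relies on the victim enabling embedded macro content. A mail gateway or incident responder can check for that content before anyone opens the file. The following is an added example, not code from the original article: it classifies a document by its container rather than its extension, looking for the `vbaProject.bin` part that holds VBA code inside OOXML (.docm/.xlsm/.pptm) ZIP containers, and flags legacy OLE documents (.doc/.xls) that need a dedicated parser. The function names `classify_document` and `build_sample`, and the sample documents built in memory, are this example's own.

```python
"""Triage check: does an Office document carry VBA macro content?

Added example for this article, not the malware's or a vendor's code.
OOXML documents are ZIP containers; a VBA project is stored as a part
named vbaProject.bin under word/, xl/ or ppt/. Legacy .doc/.xls files
are OLE compound documents and are only flagged here by their magic
bytes, since inspecting them needs an OLE parser (e.g. oletools).
"""
import io
import zipfile

# Magic bytes of an OLE2 compound document (legacy .doc/.xls/.ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_document(data: bytes) -> str:
    """Return 'ooxml-macro', 'ooxml-clean', 'ole-legacy' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    if not data.startswith(b"PK"):
        return "unknown"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "unknown"
    # The part name, not the file extension, decides whether macros exist.
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        return "ooxml-macro"
    return "ooxml-clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-like container for offline testing.
    This is constructed input, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real vbaProject.bin parts are themselves OLE containers.
            zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_document(build_sample(True)))   # ooxml-macro
    print(classify_document(build_sample(False)))  # ooxml-clean
    print(classify_document(OLE_MAGIC + b"\x00" * 8))  # ole-legacy
```

Check the container, not the name: a macro-enabled document can be delivered under any extension, and the ZIP part list is what tells you whether there is code to enable. Treat `ole-legacy` as "inspect further", not as clean.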
Other distribution tactics make use of malicious scripts in different forms: pop-ups, banners, redirects, hyperlinks and so on. RotorCrypt infected files can also be spread over file sharing networks. A popular choice is BitTorrent, which is widely used for distributing pirated content; in many cases downloading movies, programs or other assets from such trackers leads to infection.
Advanced infections can utilize browser hijackers, which are malicious plugins made for the most popular web browsers. The ready-made samples are uploaded to the relevant plugin repositories using fake developer credentials and fake user reviews. They are called “hijackers” because of their ability to modify the web browser settings: their goal is to redirect the users to a hacker-controlled site by changing the default home page, search engine and new tab page. Once this is done the virus file is downloaded and the infection is triggered.
RotorCrypt virus – In-Depth Analysis
The RotorCrypt virus and its ransomware family as a whole are known for having a modular code base. Threats belonging to it can be adapted to each individual attack campaign. We anticipate that the ongoing infiltration attempts will follow a common behavior pattern.
The infections can begin with a data harvesting component that collects information of interest to the operators. One group of data is user information that can expose the victim's identity: the component is programmed to retrieve values such as the user's name, address, phone number, interests, location and any stored account credentials. The other group of data harvested by the RotorCrypt module relates to campaign metrics: user settings, operating system values and a report on the installed hardware components.
The extracted data can then be used to scan for applications or services that could block or remove the virus. This stealth protection step looks for anti-virus programs, sandbox environments and virtual machine hosts and disables their engines; in certain cases it can even delete them completely. Once this is done the RotorCrypt virus can hook into any system process, elevate its privileges and conduct other malicious actions.
If configured so, the engine can proceed with Windows Registry changes. They can lower overall performance and stop certain functions from working properly. This step is also connected with another malicious action called persistent installation: the RotorCrypt virus is installed so that it starts automatically every time the computer is powered on. During RotorCrypt's startup other services and applications may be blocked from starting, and in most cases the boot recovery menu becomes unavailable as well. The consequence is that victims cannot follow most manual removal instructions, and in these cases the only way to effectively restore the computer is a professional-grade anti-spyware solution.
Some RotorCrypt virus samples can be configured to delete System Restore points and Shadow Volume Copies, which removes the built-in ways of rolling files back. Restoring the affected files may still be possible with a specialist utility; refer to our instructions for more information.
Advanced copies can install a Trojan module: the infected hosts connect to a hacker-controlled server over an encrypted connection, through which the controllers can take over the hosts, spy on the users and deploy additional threats.
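The persistence, recovery-menu and Shadow Volume Copy behaviour described above leaves a recognisable trail in process-creation telemetry. The following is an added detection example, not code from the original article, which does not name the commands involved: it scans process-creation records for the built-in Windows tools commonly abused for these steps (`vssadmin`, `wmic shadowcopy`, `wbadmin`, `bcdedit`, `reg add` on a Run key) and then correlates hits by parent process, because one process performing several of these steps is a far stronger signal than any single command. The record format `timestamp|user|parent image|command line` and the lines in `SAMPLE_LOG` are constructed for this example; map your own EDR or Sysmon Event ID 1 fields onto those four columns.

```python
"""Detection example added for this article (not the article's own code):
flag recovery-inhibition and autostart commands, then correlate by parent.

Record format and log lines below are constructed for the example."""
import re

# (rule name, pattern over the command line)
RULES = [
    ("shadow-copy-delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-copy-delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("shadow-copy-delete", re.compile(r"\bWin32_ShadowCopy\b", re.I)),  # WMI/PowerShell route
    ("backup-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("recovery-disabled", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("run-key-persistence", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)),
]


def scan_log(lines):
    """Return one hit per record whose command line matches any rule."""
    hits = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed record: skip it rather than abort the sweep
        ts, user, parent, cmd = parts
        matched = sorted({name for name, rx in RULES if rx.search(cmd)})
        if matched:
            hits.append({"time": ts, "user": user, "parent": parent,
                         "rules": matched, "cmd": cmd})
    return hits


def correlate(hits, min_categories=2):
    """Group hits by parent image; keep parents that triggered at least
    min_categories distinct rule names."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["parent"], set()).update(h["rules"])
    return {p: sorted(r) for p, r in by_parent.items() if len(r) >= min_categories}


# Constructed sample records: one infected session plus benign noise.
SAMPLE_LOG = [
    r"2019-01-10T09:12:01|CORP\bob|C:\Users\bob\Downloads\invoice.exe|vssadmin.exe delete shadows /all /quiet",
    r"2019-01-10T09:12:02|CORP\bob|C:\Users\bob\Downloads\invoice.exe|bcdedit.exe /set {default} recoveryenabled no",
    r"2019-01-10T09:12:03|CORP\bob|C:\Users\bob\Downloads\invoice.exe|reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /t REG_SZ /d C:\Users\bob\AppData\Roaming\svc.exe",
    r"2019-01-10T09:15:44|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|vssadmin.exe list shadows",
    r"2019-01-10T09:20:00|CORP\bob|C:\Windows\explorer.exe|notepad.exe C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"], h["parent"], h["rules"])
    print(correlate(found))
```

Listing shadow copies (`vssadmin list shadows`) is deliberately not flagged, since backup software does it routinely; only the destructive and recovery-disabling forms match. The correlation step is where the value lies: in the sample, a single unsigned executable in a Downloads folder accounts for all three categories, which is the pattern to alert on rather than the individual commands.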
RotorCrypt virus — Encryption
Like the previous attacks, the ongoing RotorCrypt virus campaigns use the classic scheme of selecting target data by matching file names against a built-in list of target file type extensions.
Once the victim files are encrypted with a strong algorithm they are renamed with the .AlfaBlock extension. The captured samples indicate that a long name extension has been used: “[email protected]#$_(decryp in the EMail)[email protected]____$#@..AlfaBlock”. This shows that the ransomware operators are placing their contact email address in more than one location. Classic ransomware places an elaborate message in the accompanying ransom note; this RotorCrypt variant also embeds the contact email directly in every renamed file, so victims see it even if the note is deleted.
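Because the contact address is carried in every renamed file, a directory listing alone tells a responder which variant and which operator mailbox they are dealing with. The following is an added example, not code from the original article: it identifies files carrying the .AlfaBlock marker, pulls the embedded addresses out of the long extension and recovers the original file name, following the layout of the captured extension quoted above. The paths in `SAMPLE_LISTING` and the `attacker@example.com` / `attacker2@example.com` addresses are constructed placeholders, not the real operator addresses, and the assumption that the original name precedes the first embedded address is this example's own.

```python
"""Inventory of files renamed by the .AlfaBlock variant (added example,
not the article's or the malware's code; sample data is constructed)."""
import re
from pathlib import PureWindowsPath

MARKER = ".AlfaBlock"
EMAIL_RX = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Separator characters the operators wrap around the addresses, taken
# from the captured extension quoted in the article.
SEPARATORS = "!_#$@.()=- "


def parse_encrypted_name(name):
    """Return (original_name, [contact emails]) for an .AlfaBlock file
    name, or None if the name does not end with the marker."""
    if not name.endswith(MARKER):
        return None
    stem = name[:-len(MARKER)]
    emails = EMAIL_RX.findall(stem)
    if not emails:
        return stem.rstrip(SEPARATORS), []  # unexpected layout: keep the stem
    # Assumption: the original file name precedes the first embedded address.
    original = stem[:stem.index(emails[0])].rstrip(SEPARATORS)
    return original, list(dict.fromkeys(emails))  # de-duplicate, keep order


def inventory(paths):
    """Summarise a listing as (path, original name) pairs plus a count per
    contact address; more than one address set usually means more than
    one campaign touched the host."""
    renamed, contacts = [], {}
    for p in paths:
        parsed = parse_encrypted_name(PureWindowsPath(p).name)
        if parsed is None:
            continue
        original, emails = parsed
        renamed.append((p, original))
        for e in emails:
            contacts[e] = contacts.get(e, 0) + 1
    return renamed, contacts


# Constructed listing with placeholder addresses.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\report.docx!attacker@example.com#$_(decryp in the EMail)attacker2@example.com____$#@..AlfaBlock",
    r"C:\Users\bob\Pictures\holiday.jpg!attacker@example.com#$_(decryp in the EMail)attacker2@example.com____$#@..AlfaBlock",
    r"C:\Users\bob\Documents\notes.txt",
]

if __name__ == "__main__":
    renamed, contacts = inventory(SAMPLE_LISTING)
    for path, original in renamed:
        print(f"{original} -> {PureWindowsPath(path).name}")
    print(contacts)
```

The recovered original names are what you feed into backup restores once the host is clean; the address counts go into the incident record, since the same mailbox showing up across hosts ties them to one campaign.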
Remove RotorCrypt Ransomware Virus and Restore .AlfaBlock Files
If your computer got infected with the RotorCrypt ransomware virus, you should have a bit of experience in removing malware. Get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware and then follow the step-by-step instructions provided below.