.SPG Files Virus (RotorCrypt) – How to Remove + Restore Files

.SPG Files Virus (RotorCrypt) – How to Remove + Restore Files

This article has been created in order to explain how to remove the RotorCrypt ransomware from your computer and how to restore !_____INKOGNITO8000@TUTAMAIL.COM_______.SPG encrypted files.

A new variant of the RotorCrypt ransomware infection has hit the wild and has begun infecting the computers of victims. The malware uses encryption mode in order to render the important files on the victim’s computer no longer able to be opened. Then, the .SPG files virus leaves behind it’s file extension, plus the anonymous e-mail INKGNITO8000@TUTAMAIL.COM. The ransomware’s end goal is for victims to pay a hefty ransom In BitCoins in order to get their encrypted files recovered back to normal. But if you have become a victim of the .SPG variant of RotorCrypt ransomware, we advise that you follow the removal instructions underneath this article. They have been created in order to help you by explaining how to remove this malware and how you can try and recover as many files as possible without actually damaging your PC and without having to pay ransom.

Threat Summary

NameRotorCrypt .SPG Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on your computer and asks you to pay ransom in order to decrypt them.
SymptomsFiles are no longer able to be opened with the file suffix !_____INKOGNITO8000@TUTAMAIL.COM_______.SPG added after their names and extensions.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by RotorCrypt .SPG Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss RotorCrypt .SPG Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

RotorCrypt .SPG Ransomware – Infection

In order to infect computers of the victims, the creators of RotorCrypt may use different pre-obtained lists of e-mail addresses that are used by actual people. This e-mail list is targeted with different templates of e-mails that pretend to originate from big companies, like PayPal, eBay, Amazon, DHL and several others. They often pretend to be seemingly legitimate types of files, like order receipts, confirmation of orders and even scare potential victims that some service they are using is terminated. The end goal is to either click on a malicious URL or open a malicious e-mail attachment. The result of this is the victim becoming infected right away.

In some cases, the cyber-criminals who infect with the RotorCrypt .SPG virus may also use Microsoft Office files in a macros-enabling attack, meaning that they may be legitimate Microsoft Office documents, but once they have been opened, the malicious files may not show what is the content inside them and in order to see it, the user must enable macros, which triggers the infection. The whole process appears somewhat like the following:

But this is not all. RotorCrypt’s .SPG file version may also use another form of a more passive infection. The hackers may upload files online that pretend to be legitimate. These files are silently waiting on suspicious websites for users to download and open them, while they are pretending to be:

  • Fake software setups.
  • Fraudulent patches.
  • Game cracks.
  • Software license activators.
  • Fake portable programs.

.SPG Files Virus – Analysis

The .SPG files virus is the type of ransomware which encrypts files on your computer until you pay the ones behind it to use them again. To reach it’s end goal, the malware uses it’s main infection file, reported at VirusTotal to have the following parameters:

→ Signature SHA-256:0ed58c615e2701e06458e2a4eac9d698584f4197681430fc2ad9924cf57185f7
Size:72.5 KB

Once triggered, the malicious file begins to check your computer for the following information:

  • If it’s running in a virtual environment.
  • Your IP address.
  • Your location and language.
  • Windows version.
  • Security software that is installed.

Based on this data, the virus may download or drop different types of infection modules, the primary purpose of which is to make sure that the malware remains silent and undetectable on your computer. The main payload files that are dropped are believed to be in the following locations:

→ %TEMP%\.exe
%LOCALAPPDATA%\Microsoft Help\{random}.exe
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\{random}.lnk

Once the files have been dropped, RotorCrypt ransomware may begin to perform different infection activities on the infected PC. These possibly include running a script that triggers Windows Command Prompt as an administrator. This activity results in Windows Command Prompt running in the background of the user’s computer

→ vssadmin.exe delete shadows /all /Quiet
bcdedit.exe /set {current} bootstatuspolicy ignoreallfailures
bcdedit.exe /set {current} recoveryenabled no

After this has been done, the ransomware virus may start to perform a set of unwanted activities on the victim’s computer, like encrypting the file and modifying them so that they can no longer be opened.

.SPG Files Virus – Encryption Process

In order to encrypt the files on the infected computer, the .SPG ransomware may first scan for the files it wants to encode. These files often include documents, videos, images, audio types of files, archives and the files that are used very often. To best target the files, the virus looks for them based on their file extensions:


After the .SPG variant of RotorCrypt ransowmare detects the files it wants to encrypt, the virus is very careful not to encrypt Windows files, this is why, while scanning it skips scanning system folders. The files are encrypted in a way that their code structure is replaced with the scambled symbols of the encryption cipher being used. This makes their file icon dissapear as Windows can no longer detect the programs it will use in order to get those files to work. The RotorCrypt ransowmare also adds the e-mail of the cyber-crooks as a file suffix, to get the victim to establish communication with the perpetrators of the encryption.

The .SPG encrypted files appear like the following image shows:

Remove .SPG Files Virus and Restore Encrypted Data

In order to remove this version of RotorCrypt ransomware, it may be a good idea to follow the removal instructions underneath as they are divided in manual as well as automatic removal methods and you can choose the appropriate one that suits you best. Either way, be advised that most security analysts and engineers often advise to remove viruses, like RotorCrypt .SPG ransowmare automatically, preferrably by downloading an advanced anti-malware software. It will help you to make sure that this malware is permenantly gone from your computer by scanning for each of it’s malicious objects and also it will make sure to protect your computer in real-time against any future infections that might take place.

In addition to this, if you want to try and restore files that have been encrypted with the .SPG file suffix added to them, you are welcome to try one of the alternative methods for file recovery we have suggested in step “2. Restore files, encrypted by RotorCrypt .SPG Virus”. They may not be fully effective in restoring your files, but with their aid you may succeed in recovering some or most of the encoded files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share