RotorCrypt Ransomware
RotorCrypt is a ransomware strain that encrypts victim files and demands a ransom payment for decryption. First observed in the wild on September 1, 2016, it has been actively targeting systems worldwide. Security researchers also track this malware under the aliases RotoCrypt and Tar.
Quick Facts
- Ransomware Family: RotorCrypt
- First Seen: September 1, 2016
- Known Aliases: RotoCrypt, Tar
How RotorCrypt Ransomware Works
Targeted Files
- http://www.bleepingcomputer.com/forums/f/239/ransomware-help-tech-support/
- Full extension -> !_____ELIZABETH7@PROTONMAIL.COM____.tar
- https://app.any.run/tasks/ecb424b7-3067-418a-ae97-b624f84297dd/#
- https://app.any.run/tasks/dd1cba54-c306-444d-a148-d58364dcfc03/#
- https://app.any.run/tasks/3cd04eb6-4036-43b0-be5e-4e2c16e60d2a/
- https://app.any.run/tasks/d8b59eab-2a24-46ca-ba27-31d54f2eb739/#
- https://app.any.run/tasks/a84e466d-aa99-4338-89e8-2a7ebfe49bb0/#
- https://app.any.run/tasks/05ecde5f-4758-4ab3-9b94-be221f10a248/
File Encryption Patterns
RotorCrypt modifies encrypted files using specific patterns to mark them as encrypted:
File extensions added after encryption:
..tar
.___tar
..v8
..adamant
..pgp
..rar
..Black_OFFserve!
..crypo
..SPG
..mail
..psd
..ES_HELPs
..1C
..1-C
..cryptotes
..PAYMAN
..a800
..prus
..bak
..RT4BLOCK
..ANTIDOT
..PRIVAT66
..SENRUS17
..BlockBax_v3.2
..biz
..c400
..c300
Ransom Note and Payment Demands
After encrypting files, RotorCrypt displays ransom notes demanding payment for file recovery:
- INFO.txt
  - Ransom message: notes/INFO.txt
  - Note locations: EveryFolder
- prontos_chek_base.txt
  - Ransom message: notes/prontos_chek_base.txt
  - Note locations: EveryFolder
- Help.txt
  - Ransom message: notes/Help.txt
  - Note locations: EveryFolder
- readme.txt
  - Ransom message: notes/readme.txt
  - Note locations: EveryFolder
- open_payman.txt
- recovery.instruction.txt
  - Ransom message: notes/recovery.instruction.txt
  - Note locations: EveryFolder
- DOCTOR
  - Ransom message: notes/DOCTOR
  - Note locations: EveryFolder
- informprus.txt
  - Ransom message: notes/informprus.txt
  - Note locations: EveryFolder
- NEWS_INGiBiToR.txt
  - Ransom message: notes/NEWS_INGiBiToR.txt
  - Note locations: EveryFolder
Technical Indicators
Associated Executable Files
The following executable files are associated with RotorCrypt ransomware:
About This Analysis
This RotorCrypt ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like RotorCrypt.
Last updated: July 30, 2025