RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400,
.c300, .GRANIT - Ransomware Help & Tech Support
By Y2Breeze
Archived: 2026-04-05 23:05:26 UTC
#1 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #1
Y2Breeze
Avatar image
Members
5 posts
OFFLINE
 
Local time:07:05 PM
Posted 17 October 2016 - 12:06 PM
Hi
 A client of mine got infected by something that looks like the Gomasom ransomware, but the end files are all in
*.tar
 Here are 2 zip files, one with crypted files and the other with the same file from and old offline backup.
 Any idea how to decryp this?
 hxxp://datatest.simonznet.com/RANSOMWARE/
 Thanks
 Olivier
 Back to top
BC AdBot (Login to Remove)
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 1 of 10

BleepingComputer.com
Register to remove ads
#2 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #2
Y2Breeze
Y2Breeze
Topic Starter
Avatar image
Members
5 posts
OFFLINE
 
Local time:07:05 PM
Posted 17 October 2016 - 12:08 PM
There was no instruction for decryp left on the computer. I wrote to the email using a random email and here is
their answer
Good day
Your files were encrypted/locked
As evidence can decrypt file 1 to 3 1-30MB
The price of the transcripts of all the files on the server: 7 Bitcoin
Recommend to solve the problem quickly and not to delay
Also give advice on how to protect Your server against threats from the network
(Files sql mdf backup decryption strictly after payment)!
 Back to top
#3 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #3
quietman7
quietman7
Bleepin' Gumshoe
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 2 of 10

Avatar image
Global Moderator
65,768 posts
OFFLINE
 
Gender:Male
Location:Virginia, USA
Local time:07:05 PM
Posted 17 October 2016 - 12:33 PM
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification
and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then
attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both
encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. If
ID Ransomware cannot identify the infection, you can post the case SHA1 it gives you for Demonslay335 to
manually inspect the files.
Example screenshot:
2016-07-01_0936.png
 Back to top
#4 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #4
quietman7
quietman7
Bleepin' Gumshoe
Avatar image
Global Moderator
65,768 posts
OFFLINE
 
Gender:Male
Location:Virginia, USA
Local time:07:05 PM
Posted 17 October 2016 - 12:33 PM
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 3 of 10

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments)
that you suspect were involved in causing the infection can be submitted here
(http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will
be helpful with analyzing and investigating by our crypto experts.
 Back to top
#5 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #5
Y2Breeze
Y2Breeze
Topic Starter
Avatar image
Members
5 posts
OFFLINE
 
Local time:07:05 PM
Posted 17 October 2016 - 12:39 PM
ID Ransomware cannot identify the ransomware.
SHA1 is fd65d1e0b248c8ec254ab3086f5877ff2065d72a
Sending the files to your second link right now.
 Back to top
#6 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #6
quietman7
quietman7
Bleepin' Gumshoe
Avatar image
Global Moderator
65,768 posts
OFFLINE
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 4 of 10

Gender:Male
Location:Virginia, USA
Local time:07:05 PM
Posted 17 October 2016 - 02:58 PM
Ok.
After our experts examine the files, they will post in this topic if they can assist or need further information.
 Back to top
#7 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #7
mike 1
mike 1
Avatar image
Members
210 posts
OFFLINE
 
Gender:Male
Location:Russia, Moscow
Local time:03:05 AM
Posted 17 October 2016 - 03:21 PM
Мы разные, но идея одна! 
 Back to top
#8 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #8
SamsonFromTheBible
SamsonFromTheBible
Avatar image
Members
11 posts
OFFLINE
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 5 of 10

Gender:Male
Local time:01:05 AM
Posted 18 October 2016 - 05:09 AM
 Is the virus on Mac by any chance?
 Back to top
#9 RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #9
Y2Breeze
Y2Breeze
Topic Starter
Avatar image
Members
5 posts
OFFLINE
 
Local time:07:05 PM
Posted 18 October 2016 - 10:03 AM
No, Windows 7
 Back to top
#10
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #10
Demonslay335
Demonslay335
Ransomware Hunter
Avatar image
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 6 of 10

Security Colleague
4,770 posts
OFFLINE
 
Gender:Male
Location:USA
Local time:05:05 PM
Posted 18 October 2016 - 06:54 PM
Interesting, I have not seen a ransomware use ".tar". It isn't a valid Tar archive either. Can you also upload the
ransom note to ID Ransomware so I can archive it?
Thanks for the sample mike1. Has any further analysis been done on it already? It crashed on my VM. I see
RakhniDecryptor lists it, but it stated unsupported when I selected this user's files.
Edited by Demonslay335, 18 October 2016 - 06:55 PM.
 Back to top
#11
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #11
Y2Breeze
Y2Breeze
Topic Starter
Avatar image
Members
5 posts
OFFLINE
 
Local time:07:05 PM
Posted 20 October 2016 - 11:56 AM
There is no ransom note anywhere. All we figure out was to try to write to the email Embedded in encrypted files
filename.
 Back to top
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 7 of 10

#12
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #12
mike 1
mike 1
Avatar image
Members
210 posts
OFFLINE
 
Gender:Male
Location:Russia, Moscow
Local time:03:05 AM
Posted 21 October 2016 - 05:10 AM
Quote
Thanks for the sample mike1. Has any further analysis been done on it already? It crashed on my VM. I
see RakhniDecryptor lists it, but it stated unsupported when I selected this user's files.
Tech support at Kaspersky Lab said that can not decrypted.
Мы разные, но идея одна! 
 Back to top
#13
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #13
mike 1
mike 1
Avatar image
Members
210 posts
OFFLINE
 
Gender:Male
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 8 of 10

Location:Russia, Moscow
Local time:03:05 AM
Posted 31 October 2016 - 10:23 AM
Мы разные, но идея одна! 
 Back to top
#14
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #14
jumpline
jumpline
Avatar image
Members
4 posts
OFFLINE
 
Gender:Male
Location:Russia, Moscow
Local time:02:05 AM
Posted 03 November 2016 - 05:02 AM
Hello, can someone help with a decoder? It encrypts all files !_____LIKBEZ77777@GMAIL.COM____.c400
Below are links to a virus and a link to the encrypted file.
http://www.filedropper.com/viruspass123 (password 123)
http://www.filedropper.com/perenosdannyhxmllikbez77777gmailcom
 Back to top
#15
RotorCrypt (RotoCrypt) Ransomware Support Topic - .tar, .c400, .c300, .GRANIT: post #15
quietman7
quietman7
Bleepin' Gumshoe
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 9 of 10

Avatar image
Global Moderator
65,768 posts
OFFLINE
 
Gender:Male
Location:Virginia, USA
Local time:07:05 PM
Posted 03 November 2016 - 05:50 AM
You can submit samples of encrypted files and ransom notes to ID Ransomware for assistance with identification
and confirmation. This is a service that helps identify what ransomware may have encrypted your files and then
attempts to direct you to an appropriate support topic where you can seek further assistance. Uploading both
encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.
 Back to top
Source: https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/
Page 10 of 10