[email protected]’ Ransomware Removal Tutorial For Your PC

'Cocoslim98@gmail.com' Ransomware

Complete Details on '[email protected]' Ransomware

'[email protected]' Ransomware is a newly emerged cryptovirus, which is named like that, because of the email address that it leaves for contacting the cyber hackers behind it. The system security analysts says that its real name is the “Rotor”. This ransomware virus will encrypt the files stored on the compromised PC and add “.tar extension” onto them and after that it will ask for the 7 Bitcoins to be paid to [email protected] email address. In order to see how to delete this virus and how you can try to recover your encrypted files, read the article carefully.

How '[email protected]' Ransomware Infects Your PC?

The Rotor virus also known as '[email protected]' Ransomware can infect your PC by several ways. The payload file could be spread with the junk email campaigns. Through the emails the malicious file can be attached and introduced as an important one. The entire email will look legit and will try to convince you that you need to open and download the attachment, because the full data of the attached file could not be conveyed in the body of email. If you open the file, your machine gets infected with this ransomware immediately. That harmful file can be obfuscated, but it is an executable in the most cases.

'Cocoslim98@gmail.com' Ransomware

Although, you can see from '[email protected]' Ransomware analysis report, shown above, of the VirusTotal website that the file is called as a GbMxybQN.exe and already being detected by several Antivirus vendors. The developers of this ransomware threat could be spreading that file with the targeted attacks or through sharing services and also social media portals. Refrain from opening the executables from suspicious mails and links, especially if they're with an unknown or unfamiliar origin. Scan such files with the security tool and check then their signatures and size first.

Depth Analysis on '[email protected]' Ransomware

The security experts have discovered that what many infected PC users call the '[email protected]' Ransomware virus is actually a previously known cryptovirus named as a “Rotor”. You can see that in the website Payload Security, the detection for the harmful executable file is Trojan-Ransom.Win32.Rotor:

'Cocoslim98@gmail.com' Ransomware

When the payload file of Rotor virus is on the system, it can wait up to 2 minutes before executing, according to the malware researchers of the Payload Security. The threat seems to primarily target servers, although the basic Windows system have been infected as well. After execution '[email protected]' Ransomware could set up the values in Windows Registry for perseverance. These malicious values are set in the entries of registry and make Rotor ransomware start automatically with each boot of Windows OS. After the files are encrypted, a small note with the instructions for paying ransom money is created. You can view this ransom note in the below snapshot:

'Cocoslim98@gmail.com' Ransomware

Ransom Note Displayed by '[email protected]' Ransomware

'Cocoslim98@gmail.com' Ransomware

Besides, all of the encrypted PC files will have the extension [email protected]____.tar which appended to them. That is where the contact email address is stated and why '[email protected]' Ransomware is known by that name among the infected machine users. Although, there are also few reports of the files having the extension like [email protected]____.tar. The encryption algorithm used by Rotor virus is unknown, but the .tar archive files don't seem regular. On top of that, generally, the MAC OS has such files.

The '[email protected]' Ransomware virus is highly likely to delete Shadow Volume Copies of Windows OS with the following command:

  • vssadmin.exe delete shadows /all /Quiet

Continue to read the article and see in what ways you can remove '[email protected]' Ransomware or Rotor ransomware virus and try to retrieve some of your system files.

Free Scan your Windows PC to detect ‘[email protected]’ Ransomware


Free Scan your Windows PC to detect ‘[email protected]’ Ransomware

A: How To Remove ‘[email protected]’ Ransomware From Your PC

Step: 1 How to Reboot Windows in Safe Mode with Networking.

  • Click on Restart button to restart your computer
  • Press and hold down the F8 key during the restart process.

Step 1 Safe Mode

  • From the boot menu, select Safe Mode with Networking using the arrow keys.

Safe mode

Step: 2 How to Kill ‘[email protected]’ Ransomware Related Process From Task Manager

  • Press Ctrl+Alt+Del together on your keyboard

TM 1

  • It will Open Task manager on Windows
  • Go to Process tab, find the ‘[email protected]’ Ransomware related Process.


  • Now click on on End Process button to close that task.

Step: 3 Uninstall ‘[email protected]’ Ransomware From Windows Control Panel

  • Visit the Start menu to open the Control Panel.

Win 7 CP 1

  • Select Uninstall a Program option from Program category.

Win 7 CP 2

Win 7 CP 3

B: How to Restore ‘[email protected]’ Ransomware Encrypted Files

Method: 1 By Using ShadowExplorer

After removing ‘[email protected]’ Ransomware from PC, it is important that users should restore encrypted files. Since, ransomware encrypts almost all the stored files except the shadow copies, one should attempt to restore original files and folders using shadow copies. This is where ShadowExplorer can prove to be handy.

Download ShadowExplorer Now


  • Once downloaded, install ShadowExplorer in your PC
  • Double Click to open it and now select C: drive from left panel


  • In the date filed, users are recommended to select time frame of atleast a month ago
  • Select and browse to the folder having encrypted data
  • Right Click on the encrypted data and files
  • Choose Export option and select a specific destination for restoring the original files

Method:2 Restore Windows PC to Default Factory Settings

Following the above mentioned steps will help in removing ‘[email protected]’ Ransomware from PC. However, if still infection persists, users are advised to restore their Windows PC to its Default Factory Settings.

System Restore in Windows XP

  • Log on to Windows as Administrator.
  • Click Start > All Programs > Accessories.


  • Find System Tools and click System Restore


  • Select Restore my computer to an earlier time and click Next.


  • Choose a restore point when system was not infected and click Next.

System Restore Windows 7/Vista

  • Go to Start menu and find Restore in the Search box.

system restore


  • Now select the System Restore option from search results
  • From the System Restore window, click the Next button.

  • Now select a restore points when your PC was not infected.

  • Click Next and follow the instructions.

System Restore Windows 8

  • Go to the search box and type Control Panel

  • Select Control Panel and open Recovery Option.

  • Now Select Open System Restore option

  • Find out any recent restore point when your PC was not infected.

  • Click Next and follow the instructions.

System Restore Windows 10

  • Right click the Start menu and select Control Panel.

  • Open Control Panel and Find out the Recovery option.

  • Select Recovery > Open System Restore > Next.

  • Choose a restore point before infection Next > Finish.

Method:3 Using Data Recovery Software

Restore your files encrypted by ‘[email protected]’ Ransomware with help of Data Recovery Software

We understand how important is data for you. Incase the encrypted data cannot be restored using the above methods, users are advised to restore and recover original data using data recovery software.

Download Data Recovery Software