MyAntiSpyware

.Rote file extension. Remove Rote virus. Restore, Decrypt .rote files.

Myantispyware team November 25, 2019    

.Rote is a file extension used by the latest variant of STOP ransomware. The ‘Rote’ variant is very similar in its characteristics to other variants of this ransomware. It encrypts files and then renames them, giving each a new filename that consists of the old name with ‘.rote’ appended at the end. Criminals demand a ransom for a key-decryptor pair, which is necessary to unlock the encrypted data. Fortunately, there is a free decryptor. It allows everyone to decrypt files that have been affected by any version of STOP (Djvu) ransomware, including the ‘Rote’ variant. Scroll down to find out more about the decryptor, where to download it and how to use it to decrypt .rote files.

Files encrypted with .Rote extension

Screenshot of files encrypted by Rote virus (‘.rote’ file extension)

Rote is the 187th version of STOP (Djvu) ransomware. The behavior of this variant and the methods of its distribution are similar to other variants of STOP (Djvu). As before, criminals spread this ransomware through adware, cracks, activators and torrent websites. Upon execution, Rote virus encrypts all files on the victim’s computer. This means that files on all drives connected to the computer will be encrypted. Files located on external devices, such as files on a flash drive and cloud storage, can also be encrypted.

Each file is encrypted using a strong encryption algorithm and a long key. The key that the virus uses can be of two types: an online key and an offline key. Security researchers found that if Rote virus can establish a connection to its command-and-control (C&C) server before encrypting the files, it uses the key obtained from that server; this key is called an ‘online key’. Such a key is unique for each infection, which means that the key for decrypting files from one victim is not suitable for decrypting files from another victim. If Rote cannot establish a connection with the C&C server, it uses an encryption key that is the same for all cases of infection. This type of key is called an ‘offline key’.

What is offline key

The authors of Rote virus created it so that it encrypts as many files as possible. Therefore, the virus does not encrypt the entire file, but only its initial part, 154kb in size. Thanks to this, the contents of some types of files (for example, zip archives) can be restored by simply returning the old filename to them, that is, removing the ‘.rote’ extension. During encryption, the virus skips files, that is, leaves them in their original state, if:

  • files are located in the Windows system directories
  • files have the extension .bat, .sys, .dll, .lnk, .ini
  • files are named ‘_readme.txt’

All other files will be encrypted. That is, the contents of the following common file types can be encrypted:

.wpl, .xpm, .fsh, .gho, .mddata, .txt, .wm, .das, .wpt, .wp, .zw, .pef, .dba, .upk, .m3u, .wcf, .wpd, .sie, .ai, .odc, .x, .0, .bay, .odb, .bsa, .arch00, .y, .ptx, .wma, .wpg, .gdb, .cas, .psd, .cr2, .desc, .ybk, .z, .kdc, .iwi, .wmv, .dng, .zip, .ibank, .vfs0, .itl, .nrw, .sr2, .zabw, .m2, .xls, .rb, .wps, .eps, .jpe, .srf, .wotreplay, .p7c, .accdb, .wot, .wpe, .py, .css, .rofl, .sidn, .wsd, .xdl, .indd, .webp, .z3d, .wsh, .dxg, .crt, .vtf, .x3f, .rwl, .flv, .bar, .der, .ncf, .ods, .xwp, .raf, .wn, .doc, .rtf, .odt, .wbd, .ntl, .dcr, .kf, .xdb, .jpeg, .wdp, .js, .webdoc, .xmmap, .sql, .lbf, .dmp, .vpp_pc, .p12, .hkx, .asset, .mcmeta, .wpb, .wp5, .wp6, .psk, .icxs, .blob, .big, .sav, .pptm, .zi, .xll, .cer, .hplg, .pak, .xbplate, .mrwref, .bc7, .ws, .map, .wmf, .odp, .xyp, .xf, .wdb, .xlsx, .t12, .wsc, .menu, .rgss3a, .yal, .pkpass, .r3d, .mef, wallet, .mpqge, .sis, .sum, .svg, .docx, .fpk, .rw2, .t13, .srw, .wbm, .wbz, .wpa, .rim, .wmd, .3ds, .wma, .re4, .tax, .iwd, .dbf, .xxx, .ysp, .esm, .wmv, .wav, .pdd, .zdb, .xlsm, .mdf, .p7b, .zif, .sid, .tor, .jpg, .pfx, .itdb, .3fr, .snx, .xlgc, .pst, .pem, .mp4, .lvl, .m4a, .qdf, .erf, .apk, .ztmp, .hvpl, .orf, .bc6, .xlsx, .mlx, .wbc, .1, .pdf, .xld, .qic, .wb2, .wps, .wp7, .xlsm, .xml, .xls, .xy3, .yml, .bkf, .cdr, .mov, .wmo, .wbmp, .2bp, .syncdb, .wri, .wgz, .mdbackup, .wpw, .bik, .dwg, .slm, .bkp, .arw, .pptx, .xlsb, .wpd, .xlk, .kdb, .w3x, .litemod, .xyw, .ff, .cfr, .xar, .xx, .sb, .forge, .crw, .vcf, .db0, .zip, .epk, .itm, .png, .x3f, .vdf, .7z, .avi, .3dm, .wire, .hkdb, .zdc, .vpk, .lrf, .xmind, .1st, .layout

After Rote virus encrypts the file, it renames this file. Thus, each encrypted file gets a new filename. For example, the file ‘image.jpg’, after it is encrypted, will be renamed to ‘image.jpg.rote’. In all directories where there is at least one encrypted file, the virus drops a file with the name ‘_readme.txt’. A sample of the contents of this file is shown in the figure below.

Rote ransom note

Screenshot of the contents of ‘_readme.txt’ file (Rote ransom note).

Criminals use this file to demand ransom from victims of Rote virus. The message says that the victim’s files were encrypted with a strong algorithm and a key. The authors of the virus demand a ransom in exchange for a key and a decryptor. The ransom is $490 and must be paid within 72 hours. If the victim does not pay it during this time, the ransom increases to $980. Attackers offer to decrypt one file for free, but this file should be small in size and not contain any important information. Of course, decryption of one file cannot guarantee that after paying the ransom the victim will be able to recover files affected by the virus.
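The artefacts described above (the appended ‘.rote’ suffix, a ‘_readme.txt’ note in every affected directory, and encryption limited to the first 154kb of a file) are enough to scope an infection without touching any file. The following read-only inventory is an added example, not code from this guide or from any vendor; the function names, the sample tree and the exact byte count used for "154kb" are assumptions.

```python
import os
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".rote"        # appended to the old filename (from the page)
RANSOM_NOTE = "_readme.txt"       # dropped in each directory holding an encrypted file
ENCRYPTED_PREFIX_BYTES = 154_000  # page says "154kb"; the exact byte count is an assumption


def inventory(root):
    """Read-only walk of root that lists Rote artefacts; nothing is renamed or deleted."""
    report = {"encrypted": [], "note_dirs": [], "dirs_missing_note": []}
    for dirpath, _dirs, files in os.walk(root):
        hits = sorted(f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX))
        has_note = any(f.lower() == RANSOM_NOTE for f in files)
        if has_note:
            report["note_dirs"].append(dirpath)
        elif hits:
            # Encrypted files but no note: the note was deleted or the files were moved here.
            report["dirs_missing_note"].append(dirpath)
        for name in hits:
            size = (Path(dirpath) / name).stat().st_size
            report["encrypted"].append({
                "path": os.path.join(dirpath, name),
                "original_name": name[:-len(ENCRYPTED_SUFFIX)],
                "size": size,
                # Per the page only the initial part is encrypted; the rest is original data.
                "bytes_past_prefix": max(0, size - ENCRYPTED_PREFIX_BYTES),
            })
    # Largest intact remainder first: the best candidates for partial recovery.
    report["encrypted"].sort(key=lambda e: e["bytes_past_prefix"], reverse=True)
    return report


def build_sample_tree(root):
    """Constructed sample: two encrypted files, one note, one skipped .ini file."""
    docs = Path(root) / "docs"
    pics = Path(root) / "pics"
    docs.mkdir()
    pics.mkdir()
    (docs / "report.docx.rote").write_bytes(b"\0" * 1_000)
    (docs / RANSOM_NOTE).write_text("constructed note\n")
    (docs / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (pics / "archive.zip.rote").write_bytes(b"\0" * 200_000)  # no note in this directory
    return root


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return inventory(build_sample_tree(tmp))


if __name__ == "__main__":
    for entry in demo()["encrypted"]:
        print(entry["original_name"], entry["size"], entry["bytes_past_prefix"])
```

Run it against a copy or a read-only mount of the affected drive; files with a large `bytes_past_prefix` are the ones where most of the original content is still present.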

Threat Summary

Name: Rote
Type: Ransomware, Crypto malware, Filecoder, File locker, Crypto virus
Encrypted files extension: .rote
Ransom note: _readme.txt
Contact: datarestorehelp@firemail.cc, datahelp@iran.ir
Ransom amount: $490/$980 in Bitcoins
Detection Names: FileRep.Malware, TR.Crypt.Agent, Malware.Win32.Ransom, Trojan.Encoder, Trojan.Ransom.Crypted, UDS.Dangerous.Object.Multi.Generic, Trojan.Win.32.Kryptik
Symptoms: Files encrypted with .rote extension. Documents, photos, music and other files fail to open. File directories contain a ‘ransom note’ file that is usually ‘_readme.txt’. New files on your desktop, with name ‘_readme’.
Distribution ways: Cracks. Malicious links in emails. Torrent files. Drive-by downloads. Adware. Social media.
Removal: Rote virus removal guide
Decryption: Free Rote Decryptor

 

Security researchers confirm that Rote virus does indeed encrypt files, and that a decryptor and a key are required to decrypt them. Fortunately for all victims of this virus, as well as other variants of STOP (Djvu) ransomware, Emsisoft developed a free decryptor. Thus, it is possible to decrypt .rote files. This decryptor has only one limitation: so far, it can only decrypt files that were encrypted with an offline key. If the victim’s files were encrypted with an online key, then they cannot be decrypted. But even in this case, not everything is lost. Each Rote victim has a chance to restore some or all of the encrypted files to their original state using alternative methods, which are described below.

If your files were encrypted with .rote extension, then we recommend using the following steps. These steps will help you remove the ransomware and decrypt (restore) the encrypted files. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.

  1. Remove Rote ransomware virus
  2. Decrypt .rote files
  3. Restore .rote files

Remove Rote ransomware virus

If the computer was attacked by Rote ransomware virus, do not try to decrypt the files right away! First of all, you need to check your computer for malware, then find and remove Rote. For this, we recommend using free malware removal tools. It is better to use not one tool, but two or more. Below we provide the best malware removal utilities and brief instructions on their use.




Remove Rote ransomware virus with Zemana Anti-Malware

Zemana Anti-Malware is a malware removal tool that scans your PC and shows whether ransomware, spyware, trojans, adware, worms or other malware is present. If malware is detected, Zemana can automatically remove it for free. Zemana Anti-Malware (ZAM) does not conflict with other anti-malware and anti-virus software installed on your computer.
 

Zemana Anti-Malware (ZAM) scan is done

  • Visit the page linked below to download the latest version of Zemana.
    Zemana AntiMalware
  • Run the downloaded file and follow the prompts.
  • Once installed, click the “Scan” button to perform a system scan for Rote virus and other security threats.
  • When the scanning is done, click “Next” button.

Use MalwareBytes to remove Rote virus

MalwareBytes is a malware removal tool. It can be downloaded and used to remove ransomware, adware, trojans, spyware, and other malware from the computer. You can use this utility to detect and remove any security threats even if you have an antivirus, antimalware or any other security software.
 

MalwareBytes Free for Microsoft Windows, scan for crypto malware is finished

  • MalwareBytes can be downloaded from the following link.
    Malwarebytes Anti-malware
  • After downloading is finished, close all windows. Double-click on the downloaded file.
  • Click Next button and follow the prompts.
  • Once setup is complete, click the “Scan Now” button for scanning your system for Rote virus, other malware, worms and trojans.
  • When MalwareBytes is done scanning your machine, it will display a list of found malware. Click “Quarantine Selected”.

To learn more about how to use MalwareBytes to remove Rote virus, we recommend that you read the following guide: How to use MalwareBytes.

Remove Rote with Kaspersky virus removal tool

Kaspersky virus removal tool (KVRT) is a free malware removal tool that is based on the Kaspersky Anti-Virus core. It can check your computer for a wide range of security threats. KVRT will perform a deep scan of your personal computer including hard drives and Microsoft Windows registry. When the ransomware is detected, it will help you to remove the found malware from your PC with a simple click.
 

Kaspersky virus removal tool scan report

  • Download Kaspersky virus removal tool (KVRT) from the link below.
    Kaspersky virus removal tool
  • Run the downloaded file.
  • Click Start scan button to scan the computer for Rote ransomware virus.
  • When Kaspersky virus removal tool has finished scanning your machine, click on Continue button.

To learn more about how to use Kaspersky virus removal tool to remove Rote virus, we recommend that you read the following guide: How to use Kaspersky virus removal tool.

Decrypt .rote files

Files with the extension ‘.rote’ are encrypted files. In other words, the contents of these files are locked. Their contents cannot be read even if you rename files or change their extension. As we reported above, there is a free decryptor, which was created by Emsisoft. This decryptor allows everyone to decrypt .rote files.

STOP Djvu decryptor


To decrypt .rote files, use free STOP (Rote) decryptor

  • Download STOP (Djvu) decryptor from the following link.
    STOP Djvu decryptor
  • Scroll down to ‘New Djvu ransomware’ section.
  • Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
  • Run decrypt_STOPDjvu.exe, read the license terms and instructions.
  • On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
  • Click the ‘Decrypt’ button.

If STOP (Rote) decryptor skips encrypted files, saying that they cannot be decrypted, then these files are encrypted with an online key. Unfortunately, at the moment, this decryptor can only decrypt files encrypted with an offline key.

How to find out which key was used to encrypt files

Since STOP (Rote) decryptor only decrypts files encrypted with the offline key, each Rote victim needs to know which of the two types of keys (online key or offline key) was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use either of them.

First of all, you can look at the personal ID that is given in the ‘_readme.txt’ file (ransom note).

Rote personal id

Personal ID is highlighted here

Another way is to look on disk ‘C’ for the ‘SystemID\PersonalID.txt’ file. This is a file in which Rote virus stores the Personal IDs used for encryption.

The ‘Personal ID’ is not a key; it is a set of characters by which everyone can find out which key was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, then Rote used an online key. If you could not understand which key was used to encrypt the files, then we can help you. Just write a request in the comments below.
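The ‘t1’ check described above can be run over the text of every ransom note and of ‘SystemID\PersonalID.txt’ at once, which also catches the case where both kinds of ID are present on one machine. This is an added example, not part of the original guide or of the Emsisoft decryptor; the function names, the "one ID per line" layout of PersonalID.txt, the ID pattern and the sample note text are assumptions.

```python
import re

OFFLINE_SUFFIX = "t1"  # per the page: an ID ending in 't1' means the offline key
# Assumption: an ID is one unbroken run of letters and digits, like the IDs quoted on the page.
ID_RE = re.compile(r"^[0-9A-Za-z]{16,}$")
LABEL_RE = re.compile(r"personal\s+id\s*:?\s*(.*)$", re.IGNORECASE)


def _clean_lines(text):
    # Drop CR/LF, surrounding spaces and a leading byte-order mark.
    return [ln.strip().lstrip("\ufeff").strip() for ln in text.splitlines()]


def ids_from_note(text):
    """IDs that follow a 'personal ID' label, on the same line or the next non-empty one."""
    lines = _clean_lines(text)
    found = []
    for i, line in enumerate(lines):
        m = LABEL_RE.search(line)
        if m:
            following = [ln for ln in lines[i + 1:] if ln][:1]
            candidates = [m.group(1).strip()] + following
            found += [c for c in candidates if ID_RE.match(c)][:1]
    return found


def ids_from_id_file(text):
    """PersonalID.txt is assumed to hold one ID per line."""
    return [ln for ln in _clean_lines(text) if ID_RE.match(ln)]


def key_type(personal_id):
    return "offline" if personal_id.endswith(OFFLINE_SUFFIX) else "online"


def triage(note_texts=(), id_file_text=""):
    """Classify every distinct ID; 'mixed' means both key types were used on this machine."""
    ids = []
    for text in note_texts:
        ids += ids_from_note(text)
    ids += ids_from_id_file(id_file_text)
    by_type = {pid: key_type(pid) for pid in dict.fromkeys(ids)}  # de-duplicated, order kept
    kinds = set(by_type.values())
    if not kinds:
        verdict = "no-id-found"
    else:
        verdict = kinds.pop() if len(kinds) == 1 else "mixed"
    return {"ids": by_type, "verdict": verdict}


# Constructed inputs. ONLINE_ID is quoted in the page's comments, where it is
# identified as an online key; OFFLINE_ID is made up so that it ends in 't1'.
ONLINE_ID = "0187Asd374y5iuhld2LJ8jbjaAqwNLbGx5AFAMg4YvyHQadcSnQNIX6lT"
OFFLINE_ID = "0187ExampleConstructedOfflineIdentifier000t1"
SAMPLE_NOTE = "(constructed note text)\r\n\r\nYour personal ID:\r\n" + ONLINE_ID + "\r\n"
SAMPLE_ID_FILE = "\ufeff" + ONLINE_ID + "\r\n" + OFFLINE_ID + "\r\n"

if __name__ == "__main__":
    print(triage([SAMPLE_NOTE], SAMPLE_ID_FILE))
```

A ‘mixed’ verdict means the decryptor can be expected to handle only the files tied to the offline ID and to skip the rest.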

What to do if STOP (Rote) decryptor says “Error: Unable to decrypt file with ID”

If, during decryption of .rote files, the decryptor reports ‘Error: Unable to decrypt file with ID’ and skips files without decrypting them, there are two possible reasons:

  • files are encrypted with an ‘online key’; in this case, you need to use alternative methods to restore the contents of encrypted files;
  • files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers; in this case, you need to be patient and wait a while, and you can also use alternative ways of recovering encrypted data.

Restore .rote files

    If all your files are encrypted with an online key, or STOP (Rote) decryptor cannot decrypt the encrypted files, then only one option remains: use alternative methods to restore the contents of the encrypted files. There are several alternative methods that may allow you to restore the contents of encrypted files. However, if you have not tried the free decryptor, then try it first by following step 2 of this instruction, and then return here.

    Alternative methods of file recovery do not use decryption, so there is no need for a key and decryptor. Before you begin, you must be 100% sure that the computer does not have active ransomware. Therefore, if you have not yet checked your computer for ransomware, do it right now, use free malware removal tools or return to step 1 above.




    Use ShadowExplorer to restore .rote files

    A free tool named ShadowExplorer is a simple way to use the ‘Previous Versions’ feature of MS Windows 10 (8, 7, Vista). You can recover your documents, photos, and music encrypted by Rote ransomware from Shadow Copies for free. Unfortunately, this method does not always work, because the ransomware almost always deletes all Shadow Copies.

    Download ShadowExplorer from the following link.

    ShadowExplorer

    After the download is done, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown below.

    ShadowExplorer folder

    Double-click ShadowExplorerPortable to run it. You will see a window as shown below.

    ShadowExplorer

    In the top left corner, choose the drive where encrypted documents, photos and music are stored and the latest restore point, as displayed in the figure below (1 – drive, 2 – restore point).

    ShadowExplorer

    In the right panel, look for a file that you wish to recover, right-click it and select Export, as in the image below.

    ShadowExplorer recover file

    Use PhotoRec to recover .rote files

    There is another, unfortunately the last, way to recover the contents of encrypted files. This method is based on using data recovery tools. We recommend using a tool called PhotoRec. It has all the necessary functions and is completely free.

    Download PhotoRec on your system from the link below.

    PhotoRec

    When the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as in the image below.

    testdisk photorec folder

    Double-click qphotorec_win to run PhotoRec for MS Windows. It will open a window as displayed below.

    PhotoRec for windows

    Select a drive to recover as shown in the following example.

    photorec select drive

    You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as displayed in the following example.

    photorec choose partition

    Press the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is complete, click the OK button.

    PhotoRec file formats

    Next, click Browse button to select where restored files should be written, then click Search.

    photorec

    The count of recovered files is updated in real time. All restored files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

    When the restore is done, click the Quit button. Next, open the directory where restored photos, documents and music are stored. You will see contents like those shown in the figure below.

    PhotoRec - result of recovery

    All recovered files are written to recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.

    To sum up

    This guide was created to help all victims of Rote ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .rote files; how to recover files, if STOP (Rote) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

    If you have questions, then write to us, leaving a comment below. If you need more help with Rote related issues, go to here.
     


    Author: Myantispyware team

    Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.

    7 Comments

    1. pathmanaban
      ― November 25, 2019 - 10:36 pm  Reply

      Hi all
      I am pathmanaban working as a civil engineer.I have one problem regarding rote virus….pls help me to restore my documents,,,

      Your personal ID:
      0187Asd374y5iuhld2LJ8jbjaAqwNLbGx5AFAMg4YvyHQadcSnQNIX6lT

    2. Ikhwan
      ― November 29, 2019 - 3:42 am  Reply

      I can’t decrypt rote… How to decrypt. Rote online key? Please help me…

    3. Myantispyware team
      ― December 13, 2019 - 1:11 am  Reply

      0187Asd374y5iuhld2LJ8jbjaAqwNLbGx5AFAMg4YvyHQadcSnQNIX6lT
      This ID is related to an online key, so files cannot be decrypted. Try to restore the contents of encrypted files using the guide linked below:
      How to recover ransomware encrypted files

    4. Ventsislav
      ― December 19, 2019 - 6:10 pm  Reply

      Hello. I’m also a victim of STOPdjvu with .rote extension. I reinstalled the operating system but was late and my credit card was drained. I kept the encrypted files in the hope that a solution would be found to decrypt them. The only ID I was able to find was this:

      0187Asd374y5iuhldxi0qD1PGccssXnqzumth2yVBsQA1hOuBq4nNjnU9

      I hope it helps to understand if it has an online key or an offline key. Thanks.

    5. Myantispyware team
      ― December 19, 2019 - 9:54 pm  Reply

      The “0187Asd374y5iuhldxi0qD1PGccssXnqzumth2yVBsQA1hOuBq4nNjnU9” ID is related to online key. Currently, files encrypted with this key cannot be decrypted. Try to restore the contents of encrypted files using the following guide: How to recover ransomware encrypted files.

    6. Mukesh kumar
      ― May 1, 2020 - 2:07 am  Reply

      Sir my PC Rote virus attack online key plz help me

      1. Myantispyware team
        ― May 5, 2020 - 8:28 am  Reply

        The files encrypted with an online key cannot be decrypted. Try to restore the contents of encrypted files using the steps linked below: How to recover encrypted files.
