
[KASISKI] File Virus (Restore Files)

Article designed to help you get rid of the ransomware virus known as Kasiski, which adds the [KASISKI] prefix to the files it encrypts.

A ransomware virus called [KASISKI] ransomware has been reported to demand that victims pay $500 to get back the files encrypted by it. The ransomware operates on both 64-bit and 32-bit Windows operating systems. [KASISKI] ransomware also drops an INSTRUCCIONES.txt file in which the developers of the virus demand that the victim pay a hefty fee to get the files back. If you have become a victim of this infection, read this article to learn how to remove [KASISKI] from your computer and, hopefully, restore the files encrypted by the virus.

Threat Summary

Name: [KASISKI] Virus
Type: Ransomware
Short Description: The malware encrypts the user's files with a strong encryption algorithm, so direct decryption is possible only with the unique decryption key held by the cyber-criminals.
Symptoms: The user may see ransom notes and an “instrucciones.txt” file with instructions on how to pay $500 to get the files back. Encrypted files carry the [KASISKI] prefix.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript, or an obfuscated drive-by download of the malware itself.
Detection Tool: See If Your System Has Been Affected by [KASISKI] Virus
User Experience: Join our forum to Discuss [KASISKI] Virus.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and on whether you have reformatted your drive.

[KASISKI] Ransomware – How Does It Spread

To infect unsuspecting users, this virus may use e-mails with deceptive content. Since the malware primarily targets Spanish speakers, the e-mails may be written in Spanish too.

The e-mails with which [KASISKI] ransomware may infect a computer can carry either malicious attachments or web links, if the e-mail provider hasn't blocked them. These contain malicious code, and the user opens the attachment or clicks the link believing it to be a legitimate document or website. The e-mails are usually accompanied by deceitful messages focused on getting the user to do what is asked. Some may even pose as an automated reply to an e-mail with an invoice, fooling the user into believing that something was purchased in his name. Once the attachment or link is opened, the virus immediately begins downloading its payload onto the infected machine.

[KASISKI] Ransomware – Further Details

The payload files of the [KASISKI] infection have been reported under the following names:

  • Kasiski.exe (malicious executable)
  • Wpm.jpg (wallpaper)
  • INSTRUCCIONES.txt (ransom note file)

After this has been done, the virus may modify the registry of the affected computer so that kasiski.exe runs on system start. The sub-keys in the Windows Registry usually used for this purpose are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
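The four Run/RunOnce keys above are the usual place to check for this persistence. The script below is an added example written for this article, not code from the original post or from any vendor: it flags Run-value entries whose command line launches the reported payload name (kasiski.exe) and, on Windows, can read the four keys itself through the standard winreg module. The sample entries and the paths in them are constructed for the demo; the payload file name is a weak indicator on its own and should be confirmed with an anti-malware scan.

```python
import os
import sys
from typing import Iterable, List, Tuple

# Autorun locations named in the article, as (hive name, subkey path).
AUTORUN_KEYS = [
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKEY_LOCAL_MACHINE", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKEY_CURRENT_USER", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# File name reported for the payload. A name is a weak indicator (no hash is given in the article).
PAYLOAD_NAME = "kasiski.exe"


def executable_of(command: str) -> str:
    """Return the lower-cased base name of the program a Run-value command line starts.

    Handles both quoted paths ("C:\\dir\\x.exe" /arg) and bare paths (C:\\dir\\x.exe /arg).
    """
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):
        end = command.find('"', 1)
        program = command[1:end] if end > 0 else command[1:]
    else:
        program = command.split()[0]
    # Normalise Windows separators so basename works on any platform.
    return os.path.basename(program.replace("\\", "/")).lower()


def find_suspicious_autoruns(entries: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """entries: (registry key path, value name, command) triples.

    Returns the entries whose command launches the reported payload name.
    """
    return [(key, name, cmd) for key, name, cmd in entries if executable_of(cmd) == PAYLOAD_NAME]


def collect_autoruns_windows() -> List[Tuple[str, str, str]]:
    """Read the four Run/RunOnce keys with winreg. Returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only standard-library module

    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    entries = []
    for hive_name, subkey in AUTORUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                value_count = winreg.QueryInfoKey(key)[1]
                for i in range(value_count):
                    name, data, _type = winreg.EnumValue(key, i)
                    entries.append((hive_name + "\\" + subkey, name, str(data)))
        except OSError:
            continue  # key absent or not readable from this account
    return entries


# Constructed sample of what a collection might return (not data from a real infection).
SAMPLE_ENTRIES = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "wpm",
     r'"C:\Users\alice\AppData\Roaming\Kasiski.exe"'),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Updater",
     r"C:\Temp\kasiski.exe -silent"),
]

if __name__ == "__main__":
    live = collect_autoruns_windows()
    for key_path, value_name, cmd in find_suspicious_autoruns(live or SAMPLE_ENTRIES):
        print(f"[!] {key_path} :: {value_name} -> {cmd}")
```

Run it on the affected machine from an administrator prompt so HKEY_LOCAL_MACHINE is readable; on any other system it falls back to the constructed sample. Booting into Safe Mode first, as the removal steps below suggest, keeps the autorun entry from relaunching the payload while you inspect it.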

After the malicious executable of [KASISKI] ransomware has been run, the virus may begin scanning for and encrypting files of the following types:

→ “.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV
CAD Files: .DWG .DXF
GIS Files: .GPX .KML .KMZ
.ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded Files: .HQX .MIM .UUE
.7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio Files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video Files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Source: fileinfo.com

After the encryption process has been completed, the files appear unchanged but cannot be opened and carry the [KASISKI] prefix in their names. They may appear like the following:

After the encryption process has completed, a ransom note named “INSTRUCCIONES.txt” and a wallpaper appear. Both carry the same message:

→ “TODOS SUS ARCHIVOS FUERON ENCRYPTADOS
PARA RECUPERARLOS ABRA EL DOCUMENTO
‘INSTRUCCiONES.txt’ QUE SE ENCUENTRA EN SU
ESCRITORIO Y SIGA LAS INSTRUCCIONES QUE ALI…
Información importante
Este es su numero personal (NO LO BORRE) =
Todos sus archivos fueron ecnryptados (bloqueados).
Para restaurar sus archivos usted necesita un (DECRYPT TOOL)
Nosotros le ofrecemos el (DECRYPT TOOL) para restaurar sus archivos, su costo es de ($500) quinie”

English translation of the note:

→ “ALL YOUR FILES WERE ENCRYPTED
TO RECOVER THEM OPEN THE DOCUMENT
‘INSTRUCCiONES.txt’ WHICH IS ON YOUR
DESKTOP AND FOLLOW THE INSTRUCTIONS THAT THERE…
Important information
This is your personal number (DO NOT DELETE IT) =
All your files were encrypted (locked).
To restore your files you need a (DECRYPT TOOL)
We offer you the (DECRYPT TOOL) to restore your files; its cost is ($500) quinie”

Judging by the ransom note, the cyber-criminals want victims to purchase a decryptor, most likely a tool containing the unlock key generated during the encryption process. Since such tools often fail to decrypt the files even after the ransom is paid, experts strongly advise against paying.
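Before attempting any recovery it helps to know exactly which files carry the [KASISKI] prefix and where the note was dropped. The script below is an added example for this article, not code from the original post: it walks a directory tree read-only, lists prefixed files with their recovered original names, counts them per extension, locates copies of INSTRUCCIONES.txt, and pulls the “numero personal” out of a note. The sample tree, the ID value and the assumption that the ID is an alphanumeric token after the “=” are all constructed for the demo (the article's quoted note leaves the value blank), as is the assumption that the prefix is glued directly to the original file name.

```python
import os
import re
import tempfile
from collections import Counter
from typing import Dict, List, Optional

PREFIX = "[KASISKI]"            # prefix the article reports on encrypted files
NOTE_NAME = "INSTRUCCIONES.txt"  # ransom note file name from the article

# Line from the quoted note; the ID format after "=" is an assumption for this demo.
ID_LINE = re.compile(r"numero personal\s*\(NO LO BORRE\)\s*=\s*([A-Za-z0-9-]+)", re.IGNORECASE)


def original_name(encrypted_name: str) -> Optional[str]:
    """Recover the original file name by stripping the prefix; None if the prefix is absent."""
    if encrypted_name.startswith(PREFIX):
        return encrypted_name[len(PREFIX):].lstrip()  # tolerate a separating space, if any
    return None


def inventory(root: str) -> Dict[str, object]:
    """Read-only walk of root: encrypted files, per-extension counts and ransom-note locations."""
    encrypted: List[Dict[str, str]] = []
    notes: List[str] = []
    per_ext: Counter = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME.lower():
                notes.append(path)
                continue
            orig = original_name(name)
            if orig is not None:
                ext = os.path.splitext(orig)[1].lower() or "(none)"
                per_ext[ext] += 1
                encrypted.append({"path": path, "original_name": orig})
    return {"encrypted": encrypted, "per_extension": dict(per_ext), "notes": notes}


def personal_id(note_text: str) -> Optional[str]:
    """Extract the victim ID the note tells the user not to delete; None if not present."""
    match = ID_LINE.search(note_text)
    return match.group(1) if match else None


def build_sample(root: str) -> None:
    """Create a constructed directory layout for the demo (an assumption, not a real infection)."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("[KASISKI]report.docx", "[KASISKI]budget.xlsx", "[KASISKI]photo.jpg", "readme.md"):
        with open(os.path.join(docs, name), "wb") as handle:
            handle.write(b"\x00" * 16)  # placeholder bytes standing in for ciphertext
    note = ("Información importante\n"
            "Este es su numero personal (NO LO BORRE) = ABC123-XYZ\n"  # constructed ID
            "Todos sus archivos fueron ecnryptados (bloqueados).\n")
    with open(os.path.join(root, NOTE_NAME), "w", encoding="utf-8") as handle:
        handle.write(note)


def demo() -> Dict[str, object]:
    """Build the sample tree in a temp directory, inventory it and parse the first note found."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        result = inventory(root)
        with open(result["notes"][0], encoding="utf-8") as handle:
            result["personal_id"] = personal_id(handle.read())
        return result


if __name__ == "__main__":
    report = demo()
    print("encrypted files:", len(report["encrypted"]))
    print("per extension:", report["per_extension"])
    print("notes found:", report["notes"])
    print("personal id:", report["personal_id"])
```

On a real machine, point inventory() at the user profile or data drive instead of the temp tree; the walk never writes, so it is safe to run before the encrypted files are backed up as the next section recommends. The extension counts also tell you quickly whether the targeted types match the list above.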

Remove [KASISKI] Ransomware and Restore Your Data

For the removal of this ransomware infection, malware researchers often advise using a powerful anti-malware tool, which will detect all objects associated with this virus and remove them automatically. If you have experience, you can follow the manual malware removal instructions below; if you haven't done this before, we recommend the automatic approach underneath.

After removing [KASISKI] ransomware from your computer, it is time to think about the files. There are numerous methods to restore deleted or corrupted files, and we have suggested some of them in step “2. Restore files encrypted by [KASISKI]” below. They are not 100 percent guaranteed, but may help restore at least some of your files. Before trying them, back up your encrypted files, just in case.

Manually delete [KASISKI] Virus from your computer

Note! Important notice about the [KASISKI] Virus threat: manual removal of [KASISKI] Virus requires interfering with system files and registry entries and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove [KASISKI] Virus files and objects
2. Find malicious files created by [KASISKI] Virus on your PC

Automatically remove [KASISKI] Virus by downloading an advanced anti-malware program

1. Remove [KASISKI] Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by [KASISKI] Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with a passion for discovering new shifts and innovations in cyber security. A strong believer in basic online-safety education for every user.
