Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Remove Kampret Ransomware and Restore .lockednikampret Files

The article will aid you to remove Kampret ransomware in full. Follow the ransomware removal instructions at the end of this article.

Kampret is the name of a ransomware cryptovirus. The extension .lockednikampret will get appended to each encrypted file. AES is believed to be the encryption algorithm which is used, as the ransomware is suggested to be a variant from the HiddenTear/EDA2 project. The Kampret cryptovirus will create a ransom note in a text file. Keep on reading and see how you could try to potentially recover some of your files.

Threat Summary

Name Kampret
Type Ransomware
Short Description The ransomware encrypts files on your computer and leaves a ransom message afterward.
Symptoms The ransomware will encrypt your files and put the extension .lockednikampret on your files after it finishes its encryption process.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Kampret

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Kampret.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Kampret Ransomware – Infection Spread

Kampret ransomware could spread its infection in multiple ways. A payload file which initiates the malicious script for the ransomware in question is seen before on the Internet. Your computer machine will get encrypted by the cryptovirus if its malicious script gets executed. You can preview one such payload dropper, uploaded to the VirusTotal service by malware researchers, from below here:

Kampret ransomware might also be spreading its payload file on social media sites and file-sharing networks. Freeware that is spread on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files after you have downloaded them, especially if they are coming from suspicious places like emails or links of unknown origin. Instead, you should scan the files with a security tool and check their size and signatures for anything that seems out of place. Read the Tips for preventing ransomware from the forum section to see how to avoid infection.

Kampret Ransomware – Detailed Description

Kampret ransomware is also a cryptovirus. The etymology of its name is interesting. Kampret is an Indonesian word that literally translates to “bat” but is also used in that language as a curse word. Nonetheless, the ransomware could have a version named “Kampretos” as well. The extension .lockednikampret will get appended to all files that become locked after the encryption process is finished.

The web address http://whereyougoiaminhere.tk/aomh/ associated with the ransomware and is seen in the following image:

Inside that site now are only sitting a couple of document files.

Kampret ransomware could make entries in the Windows Registry to achieve some form of persistence, and even launch and repress processes inside the Windows Operating System. Some of these entries are designed in a way that will start the virus automatically with every launch of Windows.

The ransom note will be placed inside a file after the encryption process is complete. The file with the ransom note is named READ_ME.txt file. Inside it there will be instructions for paying the ransom. Here is how the note may possibly look like:

The note will read something along the lines of the following:

Your files has been encrypted by Krampet
Pay 0.5BTC to my bitcoin address [REDACTED] And send the proof to my email kampretos@protonmail.com

The ransomware is reported to be a HiddenTear variant by the malware researcher Karsten Hahn. You can read more about the HiddenTear/EDA2 open-source project from the corresponding article in the blog.

Inside the note of Kampret ransomware there is the kampretos@protonmail.com e-mail address provided for contacting the cybercriminals. The encrypted e-mail service ProtonMail is used, which makes it near impossible for tracking down the criminals. The ransom sum that is demanded is 0.5 Bitcoin, which currently is equivalent to 607 US dollars. However, you should NOT under any circumstances pay those crooks, neither should you try contacting them. Your files may not get restored, and nobody could guarantee that. Furthermore, giving money to these criminals will likely motivate them to do crime, such as the creation of ransomware viruses.

Kampret Ransomware – Encryption Process

Kampret ransomware is a HiddenTear variant as mentioned before, and therefore it will most probably seek to encrypt files that have the following extensions:

→.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb.sln.php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

Every one of the files that gets encrypted will receive the same extension appended to them, and that is the .lockednikampret extension. The encryption which is utilized by the ransomware is believed to be AES as that is the encryption algorithm typically used by HiddenTear variants.

The Kampret cryptovirus might be set to erase the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

If the command above is indeed executed, it will make decryption efforts harder, if you try to use that specific method. Keep on reading and check out what ways you can try to potentially restore some of your files.

Remove Kampret Ransomware and Restore .lockednikampret Files

If your computer got infected with the Kampret ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete Kampret from your computer

Note! Substantial notification about the Kampret threat: Manual removal of Kampret requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Kampret files and objects
2. Find malicious files created by Kampret on your PC

Automatically remove Kampret by downloading an advanced anti-malware program

1. Remove Kampret with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Kampret
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.