
Remove Kriptovor Ransomware and Restore .Just Encrypted Files

Kriptovor is a ransomware that uses the AES encryption algorithm to encrypt files, appending the .just extension to their original one. It then drops a MESSAGE.txt file that assigns the infected PC a unique ID and asks the victim to contact the criminals' e-mail address for further instructions. The purpose is to extort a large ransom, and paying it is no guarantee of getting the files back, so experts advise users not to contact the e-mail address and instead to try alternative methods of restoring their files and removing the malware, such as those described in this article.

Threat Summary

Name: Kriptovor
Type: Ransomware
Short Description: The malware encrypts the user's files after forcing a restart of the PC and drops a ransom note named "MESSAGE.txt".
Symptoms: The user finds ransom notes containing "instructions" for contacting the criminals.
Distribution Method: Via a malicious PDF and an infostealer component.
Detection Tool: See If Your System Has Been Affected by Kriptovor


Kriptovor Ransomware and Its Distribution

To infect users, Kriptovor ransomware may be seeded on torrent websites, where its malicious executables are disguised as:

  • Game crackfixes.
  • Key generators for programs.
  • Fake installers of programs.

Not only this, but researchers at the FireEye blog also report that Kriptovor spreads via malicious e-mails containing URLs that lead to third-party sites hosting a PDF file:

(Image: the phishing e-mail with the PDF link. Source: fireeye.com)

The e-mail message invites the user to download the PDF file, which opens as a résumé, usually of a female job candidate. The résumé is reported to contain a malicious script that activates an infostealer component.

More About Kriptovor Ransomware

As soon as the infostealer is activated, it collects the following information from the affected computer:

  • Internet connection details.
  • Processes actively running on the user's machine.
  • Name of the machine.
  • Incoming and outgoing connections, including the victim's own IP addresses and those of the hosts connected to it.
  • Registry entries.

Once this is done, the malware checks whether it is running inside a virtual machine; if it is, Kriptovor shuts down. Otherwise it downloads its payload, temporary.rar, from the following URL:

→ http://plantsroyal(.)org/css/salomon.rar

Kriptovor then hides the malicious file and adds a registry value named AdobeUpdate under the RunOnce key, so that the encryptor is launched once at the next Windows start:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\
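A practitioner checking a suspect machine for this persistence mechanism would dump the RunOnce key and look for values that launch from user-writable locations, which is where a dropped encryptor would normally live. The script below is an added example, not code from the article or from FireEye: it parses the text output of `reg query` for the RunOnce key and flags entries whose command path points into AppData, Temp, ProgramData or similar directories. The sample output is constructed, and the Temp path for the AdobeUpdate value is a hypothetical location; the article does not say where the file is hidden.

```python
"""Flag suspicious RunOnce entries in `reg query` output.

Added example; SAMPLE_REG_QUERY is constructed and the temporary.exe path is a
hypothetical drop location, not an indicator taken from the article."""
import re
import subprocess

RUNONCE_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"

# Constructed sample of `reg query` output: one plausible vendor entry and the
# AdobeUpdate value described in the article, pointing at a hypothetical Temp path.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    OneDriveSetup    REG_SZ    C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe /silent
    AdobeUpdate    REG_SZ    C:\Users\victim\AppData\Local\Temp\temporary.exe
"""

# Directory fragments (lower-cased) that an ordinary user can write to; a startup
# entry launching from one of these deserves a closer look regardless of its name.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
LINE_RE = re.compile(r"^\s{4}(?P<name>\S.*?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")


def parse_reg_query(text):
    """Return [(value_name, value_type, data)] for every value line in the output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("name"), m.group("type"), m.group("data")))
    return entries


def suspicious(entries):
    """Return [(value_name, data)] for entries whose command lives in a user-writable path."""
    flagged = []
    for name, _type, data in entries:
        low = data.lower()
        if any(marker in low for marker in USER_WRITABLE):
            flagged.append((name, data))
    return flagged


def live_runonce():
    """Windows only: query the real key and return its `reg query` output as text."""
    proc = subprocess.run(["reg", "query", RUNONCE_KEY], capture_output=True, text=True)
    return proc.stdout


if __name__ == "__main__":
    for name, data in suspicious(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"suspicious RunOnce value {name!r} -> {data}")
```

Replace `SAMPLE_REG_QUERY` with `live_runonce()` on the affected Windows machine; the same check is worth running against the Run key and the HKLM equivalents, since the path heuristic does not depend on the value name the malware chose.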

Once the encryptor runs, it searches for many types of files to encrypt. The main ones are reported to be the following:

→ .1cd .cfn .dt .eml .html .ldf .pab .psb .shy .xcf .7z .crt .dwf .enc .jbc .lgp .pcx .psd .snk .xls .accdb .csr .dwg .epf .jif .md .pdf .pst .sql .sqlite .sqlite3 .sqlitedb .xlsm .xlsx .accdc .dbc .dws .eql .jiff .mdb .pem .rar .adp .dbf .dxe .erf .jpe .mdf .pfx .raw .xof .afp .dbt .dxl .fb .jpeg .mht .ply .rev .zip .bfa .dbx .ebd .fb2 .jpf .mxl .png .rtf .stl .zipx .bpk .der .edb .fc2 .jpg .oab .pov .rzk .tbb .bsk .djvu .efb .fcz .just .ost .ppsx .rzx .tbn .cdr .doc .efn .fg .kdb .p7 .ppt .sec .tif .cer .docm .egg .fp3 .kdbx .p7b .pptx .sef .tiff .cf .docx .emd .htm .key .p7c .prefab .sgn .txt

Source: fireeye.com

The ransomware then leaves a ransom note in Russian, asking the user to contact one of the following e-mail addresses:

→ kirova.l@mutualizm.ru
abramova@sabona.ru
kirova.ls@orangedv.tmweb.ru
kirova-l@wibor5.ru
l_abramova@wibor5.ru
abramova.l@wibor5.ru
y.volkova@i-jazz.ru
l_abramova@festivalps.ru

The ransom note is a MESSAGE.txt file, which may be dropped onto the desktop as well as into the affected folders. Translated from Russian, it reads:

→ "You can learn the price of the decryptor by writing to the address: {cyber-criminals' e-mail address here}
In the subject of the letter indicate your ID:2083043332
We kindly ask you not to try to decrypt the files with third-party tools.
You may ruin them for good, and even the original decryptor will not help.
Requests are accepted until (Date)
After (Date) any requests will be ignored.
Letters are processed by an automated system.
Delays in replies are possible"

What matters in this message is that the criminals warn the victim not to try decrypting the files with third-party tools. Such warnings appear in most ransom notes and by themselves reveal nothing about the cipher or mode used; the real risk is that a tool which guesses wrong and writes its output in place, or an interrupted attempt, leaves no intact ciphertext for a later decryptor to work on. Any recovery attempt should therefore be made on copies, never on the originals.

Remove Kriptovor Ransomware and Try To Get Your Files Back

To delete Kriptovor, we strongly advise focusing on automatic removal with an advanced anti-malware program, which can find all the files and registry entries that are hard to locate manually because they are concealed.

If you wish to get your files back, do NOT run third-party decryptors against the only copy of your encrypted files: a tool that guesses wrong and overwrites them in place can corrupt them beyond recovery. Work on copies, and follow the alternative file-restoration methods in step "3. Restore files encrypted by Kriptovor" below. They may not be 100 percent effective, but they may help recover at least a small portion of your files.
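The indicators above (the appended .just extension, the MESSAGE.txt note with its victim ID and contact address) and the advice to work only on copies fit together into one triage step. The script below is an added example, not code from the article or from FireEye: it inventories every .just file under a directory and recovers the original extension, parses any ransom notes it finds, and copies the encrypted files into a read-only working set with a SHA-256 manifest, so that later restoration attempts can be verified against untouched ciphertext. The directory tree and note text built by `build_sample()` are constructed for illustration.

```python
"""Triage helper for a Kriptovor-style infection: inventory .just files, parse the
MESSAGE.txt ransom note, and snapshot the encrypted files with a hash manifest so
restoration attempts never touch the originals.

Added example (not from the article or from FireEye); the sample tree and note text
produced by build_sample() are constructed for illustration."""
import hashlib
import os
import re
import shutil
import tempfile
from pathlib import Path

RANSOM_NOTE = "MESSAGE.txt"
ENCRYPTED_EXT = ".just"

# Patterns taken from the ransom note quoted in the article.
ID_RE = re.compile(r"ID:\s*(\d+)")
EMAIL_RE = re.compile(r"[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def inventory(root):
    """Map each *.just file under root to the extension it had before encryption."""
    found = {}
    for p in Path(root).rglob("*" + ENCRYPTED_EXT):
        if p.is_file():
            found[str(p)] = p.with_suffix("").suffix.lower()  # report.docx.just -> .docx
    return found


def find_notes(root):
    """Paths of every ransom note dropped under root (desktop and affected folders)."""
    return sorted(str(p) for p in Path(root).rglob(RANSOM_NOTE))


def parse_note(text):
    """Extract the victim ID and the contact addresses from a ransom note."""
    m = ID_RE.search(text)
    return {"id": m.group(1) if m else None,
            "emails": sorted(set(EMAIL_RE.findall(text)))}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, dest):
    """Copy the encrypted files to dest, mark them read-only, and return a manifest
    {relative_path: sha256} that verify() can later check for tampering."""
    manifest = {}
    for src in inventory(root):
        rel = os.path.relpath(src, root)
        out = Path(dest) / rel
        out.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, out)
        os.chmod(out, 0o444)
        manifest[rel] = sha256_file(out)
    return manifest


def verify(dest, manifest):
    """Return the relative paths whose copy is missing or no longer matches its hash."""
    return sorted(rel for rel, digest in manifest.items()
                  if not (Path(dest) / rel).is_file()
                  or sha256_file(Path(dest) / rel) != digest)


def build_sample(root):
    """Constructed sample tree: two encrypted documents, one untouched file, one note."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    (root / "docs" / "report.docx.just").write_bytes(os.urandom(64))
    (root / "photo.jpg.just").write_bytes(os.urandom(64))
    (root / "readme.txt").write_text("not encrypted", encoding="utf-8")
    (root / "docs" / RANSOM_NOTE).write_text(
        "Write to: abramova@sabona.ru\nIn the subject give your ID:2083043332\n",
        encoding="utf-8")
    return root


def demo():
    """Run the whole workflow on the constructed sample and return the results."""
    work = Path(tempfile.mkdtemp(prefix="kriptovor-triage-"))
    victim = build_sample(work / "victim")
    inv = inventory(victim)
    notes = [parse_note(Path(n).read_text(encoding="utf-8")) for n in find_notes(victim)]
    manifest = snapshot(victim, work / "copies")
    return {"inventory": inv, "notes": notes, "manifest": manifest,
            "copies": str(work / "copies")}


if __name__ == "__main__":
    result = demo()
    for path, ext in result["inventory"].items():
        print(f"encrypted: {path} (was {ext})")
    print("notes:", result["notes"])
    print("copies intact:", verify(result["copies"], result["manifest"]) == [])
```

Point `inventory()` and `snapshot()` at the real user profile instead of the sample tree, keep the manifest off the infected machine, and run any restoration tool only against the copies; `verify()` tells you afterwards whether a tool silently modified the ciphertext you were relying on.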

Manually delete Kriptovor from your computer

Note! Manual removal of Kriptovor requires editing system files and the registry, and mistakes can damage your PC. If your computer skills are not at a professional level, don't worry: you can do the removal yourself in about 5 minutes using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Kriptovor files and objects
2. Find malicious files created by Kriptovor on your PC
3. Fix registry entries created by Kriptovor on your PC

Automatically remove Kriptovor by downloading an advanced anti-malware program

1. Remove Kriptovor with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Kriptovor in the future
3. Restore files encrypted by Kriptovor
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

