Kaenlupuf Ransomware (Decrypt Files) - How to, Technology and PC Security Forum | SensorsTechForum.com

Kaenlupuf Ransomware (Decrypt Files)

Article created to give insight on the malware called Kaenlupuf which is still in development and show how to remove it and decrypt files if your computer has been infected.

A ransomware virus created solely for Malaysian-speaking users, calling itself Kaenlupuf has been reported to be using AES-128 to encrypt files on computers which it can infect. The ransomware infection drops multiple files on the compromised computers, including a file indicating that the virus is version 1.0b. The virus uses a fake name – Microsoft Network Realtime Inspection Service and several others. In case this virus hits the wild and infects, we have prepared instructions that will help you remove it from your computer and ways to use the decryptor for Kaenlupuf to unlock all your files for free.

Threat Summary



Short DescriptionEven though in development stage, the virus may encrypt the files on the compromised computers, and asks to pay in BitCoin to get the files back.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Kaenlupuf


Malware Removal Tool

User ExperienceJoin our forum to Discuss Kaenlupuf.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Kaenlupuf Virus – How May It Infect

The virus may be spread, depending on what the one who is infecting with it decides. Usually, a big chunk of ransomware viruses out there do not limit themselves with one infection method. They use fake program installers, infected such, fake game cracks and patches and other activators that may be uploaded as torrents on websites. Sometimes, even PUPs (potentially unwanted programs) are used in order to cause an infection via malicious pop-ups, but very rarely.

The most dominant form of infection however that may spread Kaenlupuf in the future, if the cyber-crooks behind this virus decide to update it, may be e-mail spam. Usually such spam messages are sent out very cheaply via spam bots to a pre-set list of e-mail addresses of real users. This method is very effective and can increase the infection ratio of this virus very fast. To succeed in the infection, the criminals use social engineering (deceptive) techniques, like pretend that either a malicious web link or attachment in the sent e-mail is completely legitimate. To do this, they often claim that this is a document that has more information on a problem that the user has (suspicious bank activity, invoice for purchase, the user hasn’t made and other). These tricks easily fool inexperienced users into opening e-mail attachments and hence becoming infected.

Kaenlupuf Virus – More Information

When an infection by this virus has been performed, it begins to create multiple files on the compromised computers. The files are primarily executable files, named:

  • Netsvc.exe
  • Kaenlupuf-note
  • Ajaw-rsa.exe

The virus also drops a very interesting ransom note, with asci art and elements of retrowave artwork:

The ransom note is written entirely in Malaysian, but the message in it is the same like most ransomware viruses out there. It roughly translates to the following:

First of all, we congratulate you on choosing one of the best file protection from external threats.
We understand that you need the files immediately. We will provide a special package at an affordable price for only 1 bitkoyn.
Are surprised by our offer? So what are you waiting for, register your bitcoin now to get a valuable addition to your important files.
The longer you wait, the greater the amount. Your files are protected by the RSA-2048 algorithm. Very good and interesting, is it not?
To return your files, follow these steps:
1. Register your account in the google-purse at the following URL:
2. Use our bitcoin-address to transfer the payment:
3. The amount of payment is as follows:
4. Be sure to report your ID when making a transaction.

Kaenlupuf Ransomware’s Encryption

For the encryption of the files, malware researchers report that this virus may take advantage of the AES-128 encryption algorithm. It is used to replace bytes of a working file’s data with encrypted symbols. This acts as if it scrambles the file and the file becomes similar to corrupt. It does not have an icon and can no longer be opened by any type of software.

The files that have been encrypted by this ransomware infection may usually be important files that are often used, like:

  • Microsoft Office Documents.
  • Adobe Documents.
  • Image files.
  • Archive files.
  • Files associated with virtual drives.
  • Database files.
  • Audio files.
  • Videos.

Fortunately, this virus is decryptable, thanks to MyCERT, who have released a decryptor on their web page. All you have to do if you have encrypted files is to click on the image below to go to the website and then type your unique id as a password and then follow the instructions on the website:

Click on the image to go to the decryption website.

Remove Kaenlupuf Ransomware

After having decrypted your files, it is important to think about the virus’s removal. For the removal, we advise following the removal instructions below. They are carefully created to help you successfully eradicate the infection files from your computer after isolating it. For maximum effectiveness and easier removal, experts often advise to follow the automatic approach and download a particular anti-malware tool that will fully eradicate Kaenlupuf at a click of a button.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website


  1. Adrian Reyes

    y donde se consigue el password?

    1. Vencislav Krustev

      i believe the password should be your Token ID, but i am still looking into it.


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share