KawaiiLocker is ransomware created mainly for Russian-speaking users, and it has been reported to infect a growing number of users. The virus locks the files on the infected computer by encrypting them and asks the victim to pay approximately 6000 rubles (approximately $100) to the criminals in exchange for restoring access to the encrypted files. The files are then kept in a list called crypt_list. The virus does not add any file extensions to the encrypted files or change their names. Anyone whose files have been encrypted by KawaiiLocker is strongly advised not to pay the decryption price and to consider alternative methods, like the ones in this article, to remove KawaiiLocker and restore the encrypted files.
|Short Description|The malware encrypts users' files using a strong AES (OBD mode) encryption algorithm, making direct decryption possible only via a unique decryption key available only to the cyber-criminals.|
|Symptoms|The user may witness ransom notes, “instructions” and a sound message, all linking to a web page and a decryptor. It doesn’t change file names or file extensions.|
KawaiiLocker – How Does It Infect
To conduct a successful infection, the KawaiiLocker virus uses a complex mechanism of coded executables, designed to hide it from antivirus programs and to make its malicious file seem like a legitimate one (Adobe Reader, Microsoft Word, Excel, PowerPoint, etc.). There is nothing legitimate about the file, however. The KawaiiLocker virus may also use an exploit kit to take advantage of a vulnerability in Windows or other software and conduct the infection through it.
Furthermore, the malicious file belonging to KawaiiLocker may spread via several different methods. One of them is to upload it online so that it is drive-by downloaded onto the user’s computer automatically when the user opens the web link. Such web links are usually posted as chat spam in social media chats and communication programs such as Skype.
Another form this file may assume is “the legitimate attachment”, being attached to an e-mail that usually contains a convincing message, such as “Confirmation of your payment” and other cleverly designed ones to trick inexperienced users into opening them.
Kawaii Locker Ransomware – More Information
As soon as the malware situates itself on your computer, it drops the following files:
- HOW DECRYPT FILES.TXT
The virus also connects to the following domains:
The purpose of these connections may be to send information such as the decryption keys for the files it enciphers with AES. The KawaiiLocker virus also looks for over 60 types of files to encrypt:
The files are encrypted using a very strong AES (Advanced Encryption Standard) encryption algorithm. In addition to this, the KawaiiLocker virus also deletes the shadow copies with the following command in Windows Command Prompt:
After the encryption, the KawaiiLocker virus leaves the HOW DECRYPT FILES.TXT file, which contains its ransom note, written in Russian:
KawaiiLocker Ransomware – Conclusion, Removal, File Restoration
The bottom line for the KawaiiLocker virus is that it sets a lower ransom amount for its victims, in the belief that they are more likely to pay than to try to decrypt their files on their own. However, malware researchers strongly recommend against paying the ransom money to the developers of KawaiiLocker: paying is no guarantee that you will get your files decrypted, and it supports their criminal activity.
Instead, it is strongly advisable to remove the KawaiiLocker virus by following the removal instructions below. For maximum effectiveness, researchers strongly advise using an advanced anti-malware scanner to detect the location of all files and objects associated with KawaiiLocker. This also gives the opportunity to detect other malware if present on your computer and to protect it against such threats in the future.
In case you want to decrypt your files, be advised that you can try restoring them instead, since a direct decryptor is not available at the moment. To try and restore your files see the methods in step “3. Restore Files Encrypted by KawaiiLocker” below.
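Because KawaiiLocker leaves file names and extensions unchanged, the affected files cannot be identified by name before you attempt restoration. The following triage script is an added example, not part of the original article or of any vendor tool: it looks for the ransom note named above and flags files whose header no longer matches their extension and whose content is near-random. The signature table, the entropy threshold and all function names are assumptions of this example.

```python
import math
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "HOW DECRYPT FILES.TXT"  # note name reported in the article
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",  # well-known
         ".zip": b"PK", ".docx": b"PK", ".xlsx": b"PK", ".pptx": b"PK"}  # signatures

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; encrypted data sits close to 8.0, empty input gives 0.0."""
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(root, sample=65536, threshold=7.0):
    """Return (ransom_notes, suspects) found under root."""
    notes, suspects = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.upper() == RANSOM_NOTE:
                notes.append(path)
                continue
            magic = MAGIC.get(os.path.splitext(name)[1].lower())
            if magic is None:
                continue  # no signature known for this extension
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            # A wrong header alone may be a mislabelled file; require high entropy too.
            if not head.startswith(magic) and shannon_entropy(head) >= threshold:
                suspects.append(path)
    return sorted(notes), sorted(suspects)

def build_demo(root):
    """Write a constructed sample tree: intact PDF, overwritten PDF, ransom note."""
    samples = {"intact.pdf": b"%PDF-1.4\n" + b"constructed sample text\n" * 200,
               "report.pdf": os.urandom(4096),  # stands in for ciphertext
               RANSOM_NOTE: b"constructed placeholder\n"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_demo(demo)
        print(triage(demo))
```

Run it against a read-only copy or mounted image of the affected volume. Formats without a fixed header (plain text, CSV) are skipped and need a separate check.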