KawaiiLocker Ransomware Remove and Restore Your Files - How to, Technology and PC Security Forum | SensorsTechForum.com

KawaiiLocker Ransomware Remove and Restore Your Files


Ransomware named KawaiiLocker, created mainly for Russian-speaking users, has been reported to infect a growing number of users. The virus locks the files on the infected computer by encrypting them and asks the victim to pay approximately 6000 rubles (approximately $100) to the criminals in order to restore access to the encrypted files. The files are then kept in a list called crypt_list. The virus does not add any file extensions to the encrypted files or change their names. Everyone who has had their files encrypted by KawaiiLocker is strongly advised not to pay the decryption price and to look instead at alternative methods, like the ones in this article, to remove KawaiiLocker and restore the encrypted files.

Threat Summary



Short Description: The malware encrypts users' files using a strong AES (OBD mode) encryption algorithm, making direct decryption possible only via a unique decryption key available only to the cyber-criminals.
Symptoms: The user may see ransom notes, “instructions” and a sound message, all linking to a web page and a decryptor. The malware does not change file names or file extensions.
Distribution Method: Via an exploit kit, a DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated form.

KawaiiLocker – How Does It Infect

To infect a system successfully, the KawaiiLocker virus uses a complex mechanism of coded executables, designed to hide it from antivirus programs and make its malicious file appear to be a legitimate one (Adobe Reader, Microsoft Word, Excel, PowerPoint, etc.). There is nothing legitimate about the file, however. The KawaiiLocker virus may use an exploit kit to take advantage of a vulnerability in Windows or other software and carry out the infection through it.

Furthermore, the malicious file belonging to KawaiiLocker may spread via several different methods. One of them is by being uploaded online and being drive-by downloaded onto the user’s computer automatically if the user opens the web link. Such web links are usually posted as chat spam on social media chats and communication programs, like Skype, for example.

Another form this file may assume is “the legitimate attachment”, being attached to an e-mail that usually contains a convincing message, such as “Confirmation of your payment” and other cleverly designed ones to trick inexperienced users into opening them.

KawaiiLocker Ransomware – More Information

As soon as the malware situates itself on your computer, it drops the following files:

  • KawaiiLocker.exe
  • Crypt_list

The virus also connects to the following domains:

  • hxxp://7476357288-0.myjino.ru
  • hxxp://

The purpose of these connections may be to send information such as the decryption keys for the files it enciphers with AES. The KawaiiLocker virus also looks for over 60 types of files to encrypt:


The files are encrypted using a very strong AES (Advanced Encryption Standard) encryption algorithm. In addition to this, the KawaiiLocker virus also deletes the shadow copies with the following command in Windows Command Prompt:

vssadmin delete shadows /for=C: /all /quiet
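
As an added example (not part of the original article and not a vendor tool), the indicators listed in this section can be turned into a small triage check in Python. The event dictionaries, their field names and the sample events are constructed assumptions modelled on Sysmon-style telemetry; the ransom note file name is the one the article gives for this family.

```python
from pathlib import PureWindowsPath

# Indicators named in the article (compared case-insensitively, as on Windows).
FILE_NAMES = {"kawaiilocker.exe", "crypt_list", "how decrypt files.txt"}
DOMAIN = "7476357288-0.myjino.ru"

def is_shadow_delete(cmdline):
    """True if a command line invokes vssadmin to delete shadow copies."""
    # Drop quotes and cmd.exe carets so wrapped or escaped forms still tokenize.
    tokens = cmdline.replace('"', " ").replace("^", "").lower().split()
    for i, tok in enumerate(tokens):
        if PureWindowsPath(tok).name in ("vssadmin", "vssadmin.exe"):
            rest = tokens[i + 1:]
            return "delete" in rest and "shadows" in rest
    return False

def triage(events):
    """Return (host, reason) for every event that matches an indicator."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and is_shadow_delete(ev["cmdline"]):
            findings.append((ev["host"], "shadow copy deletion"))
        elif ev["type"] == "file" and PureWindowsPath(ev["path"]).name.lower() in FILE_NAMES:
            findings.append((ev["host"], "known file name"))
        elif ev["type"] == "dns" and ev["query"].lower().rstrip(".") == DOMAIN:
            findings.append((ev["host"], "known domain"))
    return findings

# Constructed sample events; hosts, users and field names are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process",
     "cmdline": r"C:\Windows\System32\vssadmin.exe  Delete Shadows /For=C: /All /Quiet"},
    {"host": "ws01", "type": "file",
     "path": r"C:\Users\anna\Documents\HOW DECRYPT FILES.TXT"},
    {"host": "ws02", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "ws02", "type": "dns", "query": "example.org"},
    {"host": "ws03", "type": "process",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /for=C: /all /quiet"'},
    {"host": "ws03", "type": "dns", "query": "7476357288-0.MYJINO.ru."},
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

File names alone are weak evidence because they are trivial to change; the shadow copy deletion is the signal worth alerting on by itself, since backup tools rarely issue it with /quiet.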

After the encryption, the KawaiiLocker virus leaves the HOW DECRYPT FILES.TXT file, which contains its ransom note, written in Russian:


KawaiiLocker Ransomware – Conclusion, Removal, File Restoration

The bottom line for the KawaiiLocker virus is that it sets a lower amount for its victims, believing they are more likely to pay than to try to decrypt their files on their own. However, malware researchers strongly recommend against paying the ransom money to the developers of KawaiiLocker: paying is no guarantee that you will get your files decrypted, and it supports their criminal activity.

Instead, it is strongly advisable to remove the KawaiiLocker virus by following the removal instructions below. For maximum effectiveness, researchers strongly advise using an advanced anti-malware scanner to detect the location of all files and objects associated with KawaiiLocker. This also gives you the opportunity to detect other malware, if present on your computer, and to protect it against such threats in the future.

In case you want to decrypt your files, be advised that you can try restoring them instead, since a direct decryptor is not available at the moment. To try and restore your files see the methods in step “3. Restore Files Encrypted by KawaiiLocker” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
