Kerkoporta Ransomware – Remove + Restore . encrytpedsadly Files

Kerkoporta Ransomware – Remove + Restore .encryptedsadly Files

This article aims to help you by explaining how to remove Kerkoporta Ransomware and how to restore encrypted files.

A new ransomware virus in Greek has appeared in the wild, infecting computers via different types of methods. The virus aims to encrypt the files on the infected computers and then add the .encryptedsadly file extensions to the encrypted machines. Named Keroporta ransomware, the malware has been created on Visual Studio 2017 environment. If your computer or server has been infected by Kerkoporta Ransomware, we strongly advise you to remove It immediately and try to restore your encrypted files by using the instructions in this article.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the computers infected by it and then asks victims to pay $100 in ransom
Symptoms The ransomware changes the wallpaper on your computer with the ransom note screen of it that has instructions in greek on how to pay $100. Files are encrypted with the added .encryptedsadly file extension.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Kerkoporta


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Kerkoporta.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Kerkoporta Ransomware – Spread

So far, the virus is believed to be infecting machines only in computers which are located in Greece, since it’s ransom note is written in greek exclusively. The virus can come on your computer as a result of a spammed e-mail message which may ask you to open an e-mail attachment. Usually such e-mail attachments are cleverly concealed to appear like legitimate:

  • Documents.
  • Invoices.
  • Banking statements.
  • Other.

The e-mails may also have cleverly typed messages that are convincing you these attachments are of great importance, like an invoice of something that you have not purchased but has been purchased from your PayPal account, for example, etc. Here is an example of how a spam e-mail, carrying Kerkoporta ransomware may look like:

Kerkoporta Ransomware – More Information

The malicious files carrying Kerkoporta ransomware may be of the following file types:

  • Trojan.Downloaders.
  • Trojan.Droppers.
  • Extractors.
  • Loaders.

Once these files are open, they may immediately drop the malicious payload of Kerkoporta ransomware on your computer. This results in the ransomware virus immediately being able to drop it’s payload files. These files may reside in the following Windows locations:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

After the malicious files dropped by Kerkoporta ransomware have already been situated on your computer, the ransomware becomes active on your computer. This results in the virus performing various actions, such as modify the volume shadow copies on your computer using administrative commands in Windows command prompt:

→ process call create “cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures”

After this has been done, the malware may also begin to perform other activities on the victim’s PC, such as changing it’s wallpaper to the following ransom note in greek:

Message translated in English:
What happened ?
All your personal files have been encrypted!
What to do ?
Buy an amazon gift card of 100$ type the code below and you will get your dectryption key on your email
WARNING: Any false credentials or attempts to remove the ransomware will result in further damage

Kerkoporta Ransomware – Encryption

The encryption of the important files on your computer is conducted with the aid of a specific file, responsible for it. It alters not the whole file, but only a portion of it (for example, it’s header) and this may result in the file becoming to appear like it is corrupt and cannot be opened via any program. As a result from the encryption, a unique decryption key is generated. This allows for the process to be reverse-engineered and the files to be decrypted again. However, the cyber-criminals are the only ones who have this decryption key and sell it to victims for $100. The files which may be targeted by Kerkoporta ransomware are believed to be the following file types:


After the encryption process has completed, the Kerkoporta ransomware infection leaves the files encoded with an added .encryptedsadly file extension, making them appear like the following:

Remove Kerkoporta Ransomware and Restore .encryptedsadly Files

In order to remove this ransomware infection fully from your computer, we recommend that you follow the removal instructions below. They are divided in manual and automatic removal instructions. According to experts the best way to remove the Kerkoporta ransomware infection is by using an advanced anti-malware tool to automatically scan for and remove all associated files and objects with this virus and protect your PC from other infections like Kerkoporta in the future too.

Furthermore, if you want to restore files that have been encrypted with the .encryptedsadly file extension, experts recommend that you try out the alternative methods for file recovery in step “2. Restore files encrypted by Kerkoporta” below. They are specifically created to help you restore as many files as possible without having to pay the ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share