.Kimchenyn Ransomware - Decrypt Files Encrypted for Free + Remove

.Kimchenyn Ransomware – Decrypt Files Encrypted for Free + Remove

This article has a goal to help you by showing you how to remove the .kimchenyn GlobeImposter ransomware variant and how to restore files that have been encrypted with the added .kimchenyn file extension to them.

GlobeImposter ransomware family of viruses keeps resurfacing with many new variants. One of them is the virus, using the .kimchenyn file extension which it adds to your files after the malware encrypts them. The ransomware also adds a ransom note, named how_to_back_files.html which not only notifies the users that their files are encoded, but also aims to get them to make a ransom payment to the cyber-crooks who are behind this virus in order to decrypt the files. If your computer has been infected by the .kimchenyn ransomware variant, we strongly recommend that you read this article and learn how to remove the .kimchenyn ransomware and how to decrypt your files for free without paying the ransom.

Threat Summary

Name.kimchenyn Ransomware
TypeRansomware, Cryptovirus
Short DescriptionNew GlobeImposter ransomware variant, one of hundreds detected so far. Encrypts files and demands a ransom payment.
SymptomsThis GlobeImposter virus, adds the .kimchenyn file extension to the files encrypted by it after which drops a ransom note, named how_to_back_files.html.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .kimchenyn Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .kimchenyn Ransomware.

.kimchenyn Ransomware – How Does It Infect

The infection process of this ransomware virus is conducted via an infection file. This file may be spread via a multitude of methods, the main one of which is reported to be e-mail spam. Such spammed messages may be sent to victims in various forms. Most often the malicious file is masked as a fake:

  • Invoice.
  • Receipt.
  • Banking statement.
  • Company document.

Such fraudulent files are often accompanied with messages that seem like they are coming from legitimate companies from the likes of PayPal, FedEx, DHL and others. Most of the messages are very professionally written, for example:

One of the malicious samples of .kimchenyn ransomware virus infection has been detected to be conducted via a chess.exe.old infection file, suggesting that the virus may be uploaded as a fake chess game on torrent sites or suspicious software providing sites as well.

.kimchenyn Files Virus – More Information on It’s Activity

When an infection takes place, the chess.exe.old file runs in an obfuscated manner on the computer of the victim. As soon as the malware does this, it immediately begins to perform other activities on the victim’s computer, like:

  • Obtain system information about your computer.
  • Obtain network information.
  • Steal data, such as saved passwords and user names.
  • Drop it’s malicious files.

In order to situate the malicious files on your computer, the malware may begin to download the virus files of .kimchenyn file ransomware. They may be under different names and located in the commonly targeted Windows folders which generally are:

After having dropped the malicious files, the .kimchenyn ransomware may delete the backups and shadow volume copies on your computer, by using the vssadmin command. This happens by running the command as an administrator in Windows:

→ vssadmin delete shadows /for={DrivePartition} /oldest | /all | /shadow={Identification of the shadow copies}] /quiet

After having done this, the .kimchenyn GlobeImposter ransomware variant may also modify the following Windows Registry sub-keys with the one and only purpose to add registry value strings in them:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

These strings have the one and only purpose of making it possible fr the malicious files of .kimchenyn ransomware to run automatically on Windows boot and and encrypt the files afterwards. If you locate the value string in the Run and RunOnce sub-keys, there is a good chance that In them you will find the data leading to the actual location and the name of the file encryption executable, which is often randomly named or may have the same chess.exe.old name as the infection file.

.kimchenyn File Ransomware – Encryption Process

For this ransomware to encrypt the files on the computers that are infected by it, it uses a scanning and matching sequence. The .kimchenyn ransomware firstly has a pre-set list of the most commonly used file extensions most of which are the following:


The malware also has a white list of folders which are excluded from the scanning process, like the %Windows% and other system folders, so that it does not damage your OS. If the files it scans for match with the files on it’s pre-configured list, the .kimchenyn virus encrypts them and generates a unique decryption key. The malware also ads it’s distinctive file extension and this results in your important files to begin appearing like the image below and no longer to be usable:

Fortunately, the virus may just be decryptable. In order to learn how to remove it and decrypt it’s files, we advise you to read the paragraph below and follow the instructions carefully.

Remove .kimchenyn Ransomware and Restore Your Files

In order to remove this ransomware infection from your computer, it is important to isolate it first, just like you would do with any cyber-threat. To do this, we advise you to follow either the manual or automatic removal instructions below. It is preffered to download an advanced anti-malware software to help you with the full and automatic removal of .kimchenyn ransomware instead of having to do it manually with no guarantee.

Furthermore, the previous variants of this virus were decryption, which suggests that this variant may also be of this type. This is why you should try and use the decrypter we have linked below for GlobeImposter in order to attempt and decrypt .kimchenyn encoded files without having to pay ransom.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

1 Comment

  1. AvatarPerumal

    krishna studio.psd.539788850.ransomed@india

    539788850.ransomed@india thi crypted file name
    file type ms-dos exe. application

    how to remove sir


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share