KK_ (Estonian) Virus Remove and Restore Files - How to, Technology and PC Security Forum | SensorsTechForum.com

KK_ (Estonian) Virus Remove and Restore Files

kk_ransomware-remove-decrypt-files-sensorstechforumRansomware virus that encrypts the files on the infected computer, dubbed the KK virus because of the file extension it uses (KK_) has been reported to infect users on a massive scale. The virus uses a powerful encryption algorithm, which it claims to be RSA-1024 bit cipher. After encryption, the KK_ virus leaves a ransom note, named “KK_ IN YOUR DOCUMENTS.txt” in which the virus asks users to pay the insane payoff amount of 4 BitCoins to get decryption software for their files. Everyone who has become a victim of the KK_ ransomware is strongly advisable to be extremely careful and not pay any ransom to the cyber-criminals. Instead, we advise reading this article to learn more about KK_ ransomware, learn how to remove it and learn alternative methods to restore your files until a decryptor has been released.

Threat Summary

TypeRemote Access Trojan with file encryption capability.
Short DescriptionThe ransomware encrypts files with a powerful encryption cipher, demanding users to pay the sum of 4 BTC to get the ransom ammount back.
SymptomsThe files encoded by the KK_ virus are reported to have the KK_ prefix in front of their name, for example “KK_Picture.jpg”
Distribution MethodSpam Emails, Email Attachments, File Sharing Networks.
Detection Tool See If Your System Has Been Affected by KK_


Malware Removal Tool

User ExperienceJoin our forum to Discuss KK_ Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

KK_ (Estonian) Virus – Distribution Methods

To successfully be spread, the KK_ ransomware virus may use several different methods, the most widely employed of which is the spam e-mail distribution campaigns. Such campaign may include the wide spreading of spam messages that include malicious e-mail attachments. Such e-mail attachments may contain various topics, like:

  • “Your PayPal Receipt.”
  • “Your Bank Account has been disclosed.”
  • “Your order has been confirmed.”

In addition to these, a malicious e-mail attachment may be added which could resemble a document, like a Microsoft Office or Adobe file.

KK_ (Estonian) Ransomware In Details

When it has been dropped on your computer, via an Exploit Kit, JavaScript or another type of attack, the virus may drop it’s malicious files on several key Windows locations.

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalRow%
  • %Startup%
  • %SystemDrive%

After dropping it’s malicious files on the computer, the KK_ ransomware may also begin to employ modules that may perform different activities like modify the Run and RunOnce registry keys and delete any system backups, using the vssadmin delete shadows command. Not only this, but the KK_ ransomware may also cause a system restart so that it starts encrypting files on system boot, even before the antivirus software on the compromised machine runs.

Regarding file encryption, the KK_ ransomware uses a strong enough cipher to render the files impossible to directly decrypt in case you do not have the decryption key. The KK_ virus may begin to scan for the following types of files to encrypt them:

  • Videos.
  • Audio Files.
  • Images.
  • Files associated with Microsoft Office.
  • Files that are associated with Adobe Reader.
  • Database files.
  • Files belonging to widely used programs such as Adobe Photoshop, etc.

After it has successfully encrypted the files, the KK_ virus drops the following text file on the victim’s computer:

“Dear man, your computer has been locked by ransomware, your personal files are encrypted, and you have, unfortunately “lost” all your pictures,
files, and documents on the computer. Your important files encryption produced on this computer: videos, photos, documents, etc.
Encryption was produced using unique public key RSA-1024 generated for this computer. To decrypt files, you need to obtain the private key.
All encrypted files contain KK_
Your number: ***
To obtain the program for this computer, which will decrypt all files, you need to pay 4 bitcoins on our bitcoin address {unique identifier}*** (today 1 bitcoin was 250 $). Only you and we know about this bitcoin address.
You can check bitcoin balance here – https://www.blockchain.info/address/{unique identifier}***
After payment sends us your number on our mail [email protected] and we will send you decryption tool (you need only run it, and all files will be decrypted during 1…3 hours)
Before payment, you can send us one small file (100.500 kilobytes), and we will decrypt it – it’s your guarantee that we have decryption tool. And send us your number with attached file.
We don’t know who are you. All that we need – it’s some money.
Don’t panic if we don’t answer you during 24 hours. It means that we didn’t receive your letter (for example if you use hotmail.com or outlook.com
it can block letter, SO DON’T USE HOTMAIL.COM AND OUTLOOK.COM. You need to register your mail account in www.ruggedinbox.com (it will take 1.2 minutes) and write us again)
You can use one of that bitcoin exchangers for transferring bitcoin.
You don’t need install bitcoin programs – you need only use one of this exchanger or another exchanger that you can find in www.google.com for your country.
Please use the English language in your letters. If you don’t speak English, then use https://translate.google.com to translate your letter into the English language.”

KK_ (Estonian) Ransomware – Remove It and Restore Encrypted Files

To remove KK_ ransomware fully from your computer, it is strongly advisable to follow the step-by-step instructions posted in this article below. They are methodologically arranged so that you can remove this virus manually as well as automatically in case you are unsure that you have fully deleted it. Malware researchers and security analysts strongly advise that you focus on removing KK_ ransomware using a malware removal tool. Such anti-malware software will not only swiftly delete KK_ virus from your PC but protect you in the future as well.

Files encrypted by KK_ ransomware may be difficult for decryption. This is because the virus has also been reported to send the decryption key to the cyber-criminals’ servers, making them the only holder of your files. However, malware analysts are constantly on the lookout for decryption opportunities, and we are going to notify you if there is a free decryptor released, by updating this article. Meanwhile, you may want to try using the alternative solutions in step “3.Restore files encrypted by KK_ Ransomware” below. They may help you restore some of your files, but they are not 100% guaranteed success.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share