Kryptonite Ransomware – Remove It and Restore Files
THREAT REMOVAL

Kryptonite Ransomware – Remove It and Restore Files

The article will help you to remove the Kryptonite ransomware completely. Follow the ransomware removal instructions provided at the end of this article.

Kryptonite ransomware is a virus that is cleverly disguised as the game Snake running in Command Prompt. The virus does not change the extensions of encrypted files, but still locks them, leaving them unopenable. After encryption, a ransom note will be displayed with instructions on how to pay the demanded ransom. Keep on reading and find out what ways you could try to potentially recover some of your files.

Threat Summary

NameKryptonite
TypeRansomware
Short DescriptionThe ransomware encrypts files on your computer system and it shows a ransom note afterward.
SymptomsThis ransomware virus will encrypt your files and lock them, leaving them unable to be opened.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Kryptonite

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Kryptonite.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Kryptonite Ransomware – Delivery Ways

Kryptonite ransomware could be delivered in more than one way. However, the way that is the most widespread is through a payload dropper. That is a file which initiates the malicious script for the ransomware. Malware samples have been spotted by researchers and you can view one of them, which was sent for analysis on the VirusTotal service, from down here:

Kryptonite ransomware could be using other ways to deliver the payload file, like social media and sites for file-sharing. Freeware applications located on the Web could be promoted as being useful, but could also hide the malicious script for the virus. Before opening any files after you have downloaded them, you should first scan them with a security tool. Especially if they come from suspicious places, such as emails or links. Also, don’t forget to check the size and signatures of such files for anything that seems out of place. You should read the ransomware prevention tips provided in the forum.

Kryptonite Ransomware – Detailed Analysis

The Kryptonite ransomware is a cryptovirus, which has been disguised as a Command Prompt variant of the famous Snake game as shown in the picture:

When the Kryptonite ransomware encrypts your files you will notice a file that is a ransom note containing instructions on how you might get your files recovered.

Kryptonite could be set to make new registry entries in the Windows Registry to achieve a higher level of persistence. Those entries are usually designed in a way that will start the virus automatically with every launch of the Windows Operating System, like in the example down below:

→“HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run”

The ransom note is in a file called “Ransom Note.txt“. Besides the text file a copy of the note with a more concise message is displayed as a picture, too:

Below you can read what the text on that image is:

ATTENTION
All your files, images, vidoes and databases have been encrypted with an RSA-2048 private and unique key generated for this computer stored on a secret server.
Original files have been over written, recovery tools will not help.
Don’t worry!! We could help you restore your files but it will cost you 500$
Follow the instructions on ‘Ransome Note.txt’ file on your desktop.
After payment is confirmed, use the Decryptor program to restore yor files.
If you care about your files, DO NOT TRY TO GET RID OF THIS PROGRAM!!
Any actions to do so will result in decryption key being destroyed, and you will loose your files forever!

Three variants of the ransom note exist. Down here you can preview them:

1.

Kryptonite RANSOMWARE
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public – key stored on your PC.
There is only one way to restore your files : Contact with us, Pay 500$ and get your files back.
To Do that you must have a connection to the internet and disable your firewall.
Run getMyId.exe to get your ID, then go to http://adsgoogle.eastus2.cloudapp.azure.com:27030/
This is a secured web-site for monetary transactions.
After a successful transaction, disable your Anti-Virus and Firewall and run decryptMyFiles.exe as administrator.

2.

Kryptonite RANSOMWARE
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public – key stored on your PC.
There is only one way to restore your files : Contact with us, Pay 500$ and get your files back.
To pay us go to http://adsgoogle.eastus2.cloudapp.azure.com:27030/
This is a secured web-site for monetary transactions.
In order to make the transactions you will need the below ID.
After a successful transaction, disable your Anti-Virus and Firewall and run decryptMyFiles.exe as administrator.
You can download the Decryptor from https://s3.amazonaws.com/adsgoogle/Decrypt/decryptor.exe
Your ID:

3.

Kryptonite RANSOMWARE
All your important files are encrypted
Your files has been encrypted using RSA2048 algorithm with unique public – key stored on your PC.
There is only one way to restore your files : Contact with us, Pay 500$ and get your files back.
To pay us go to http://adsgoogle.eastus2.cloudapp.azure.com:27030/
This is a secured web-site for monetary transactions.
In order to make the transactions you will need the below ID.
After a successful transaction, disable your Anti-Virus and Firewall and run decryptMyFiles.exe as administrator.
Your ID:

The ransom sum that is demanded as payment for allegedly restoring your files is currently 500 US dollars. No matter what sum of money is asked from you, you shouldn’t in any case consider paying the cybercriminals. Paying these crooks can motivate them to continue committing similar crimes as extorting people online.

You can preview one of the URLs given as a payment page for this ransomware from the screenshot below:

The above image and URLs of the payment page are provided in the article solely for informational purposes.

Kryptonite Ransomware – Encryption Process

No official list exists, with file extensions that the Kryptonite ransomware seeks to encrypt. This article will be duly updated if such a list is discovered. However, all files which get encrypted do not have their extensions changed. Alas the files are still scrambled and unusable.

Kryptonite is highly likely to erase the Shadow Volume Copies from the Windows Operating System by executing the following command:

→vssadmin.exe delete shadows /all /Quiet

In case the above-stated command is executed in the Command Prompt of the Windows OS, that will make the encryption process more effective, as one of the ways for file recovery will be gone. That command’s execution is not hard as the virus poses as Command Prompt variant of the game “Snaked” as mentioned before. That means that the virus already has access and uses CMD. Keep reading to find out what methods you can try out to potentially restore some of your files.

Remove Kryptonite Ransomware and Restore Files

If your computer got infected with the Kryptonite ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...