Remove Kampret Ransomware and Restore .lockednikampret Files

Remove Kampret Ransomware and Restore .lockednikampret Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

The article will aid you to remove Kampret ransomware in full. Follow the ransomware removal instructions at the end of this article.

Kampret is the name of a ransomware cryptovirus. The extension .lockednikampret will get appended to each encrypted file. AES is believed to be the encryption algorithm which is used, as the ransomware is suggested to be a variant from the HiddenTear/EDA2 project. The Kampret cryptovirus will create a ransom note in a text file. Keep on reading and see how you could try to potentially recover some of your files.

Threat Summary

Short DescriptionThe ransomware encrypts files on your computer and leaves a ransom message afterward.
SymptomsThe ransomware will encrypt your files and put the extension .lockednikampret on your files after it finishes its encryption process.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Kampret


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Kampret.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Kampret Ransomware – Infection Spread

Kampret ransomware could spread its infection in multiple ways. A payload file which initiates the malicious script for the ransomware in question is seen before on the Internet. Your computer machine will get encrypted by the cryptovirus if its malicious script gets executed. You can preview one such payload dropper, uploaded to the VirusTotal service by malware researchers, from below here:

Kampret ransomware might also be spreading its payload file on social media sites and file-sharing networks. Freeware that is spread on the Internet can be presented as helpful but could also hide the malicious script for this cryptovirus. Refrain from opening files after you have downloaded them, especially if they are coming from suspicious places like emails or links of unknown origin. Instead, you should scan the files with a security tool and check their size and signatures for anything that seems out of place. Read the Tips for preventing ransomware from the forum section to see how to avoid infection.

Kampret Ransomware – Detailed Description

Kampret ransomware is also a cryptovirus. The etymology of its name is interesting. Kampret is an Indonesian word that literally translates to “bat” but is also used in that language as a curse word. Nonetheless, the ransomware could have a version named “Kampretos” as well. The extension .lockednikampret will get appended to all files that become locked after the encryption process is finished.

The web address associated with the ransomware and is seen in the following image:

Inside that site now are only sitting a couple of document files.

Kampret ransomware could make entries in the Windows Registry to achieve some form of persistence, and even launch and repress processes inside the Windows Operating System. Some of these entries are designed in a way that will start the virus automatically with every launch of Windows.

The ransom note will be placed inside a file after the encryption process is complete. The file with the ransom note is named READ_ME.txt file. Inside it there will be instructions for paying the ransom. Here is how the note may possibly look like:

The note will read something along the lines of the following:

Your files has been encrypted by Krampet
Pay 0.5BTC to my bitcoin address [REDACTED] And send the proof to my email

The ransomware is reported to be a HiddenTear variant by the malware researcher Karsten Hahn. You can read more about the HiddenTear/EDA2 open-source project from the corresponding article in the blog.

Inside the note of Kampret ransomware there is the e-mail address provided for contacting the cybercriminals. The encrypted e-mail service ProtonMail is used, which makes it near impossible for tracking down the criminals. The ransom sum that is demanded is 0.5 Bitcoin, which currently is equivalent to 607 US dollars. However, you should NOT under any circumstances pay those crooks, neither should you try contacting them. Your files may not get restored, and nobody could guarantee that. Furthermore, giving money to these criminals will likely motivate them to do crime, such as the creation of ransomware viruses.

Kampret Ransomware – Encryption Process

Kampret ransomware is a HiddenTear variant as mentioned before, and therefore it will most probably seek to encrypt files that have the following extensions:

→.txt, .doc, .docx, .xls, .xlsx, .pdf, .pps, .ppt, .pptx, .odt, .gif, .jpg, .png, .db, .csv, .sql, .mdb.sln.php, .asp, .aspx, .html, .xml, .psd, .frm, .myd, .myi, .dbf, .mp3, .mp4, .avi, .mov, .mpg, .rm, .wmv, .m4a, .mpa, .wav, .sav, .gam, .log, .ged, .msg, .myo, .tax, .ynab, .ifx, .ofx, .qfx, .qif, .qdf, .tax2013, .tax2014, .tax2015, .box, .ncf, .nsf, .ntf, .lwp

Every one of the files that gets encrypted will receive the same extension appended to them, and that is the .lockednikampret extension. The encryption which is utilized by the ransomware is believed to be AES as that is the encryption algorithm typically used by HiddenTear variants.

The Kampret cryptovirus might be set to erase the Shadow Copies from the Windows operating system by using the following command:

→vssadmin.exe delete shadows /all /Quiet

If the command above is indeed executed, it will make decryption efforts harder, if you try to use that specific method. Keep on reading and check out what ways you can try to potentially restore some of your files.

Remove Kampret Ransomware and Restore .lockednikampret Files

If your computer got infected with the Kampret ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share