Remove Keslan Virus (.TR, .MMTeam, .Sifrelendi, .TMTEAM, .TRSomware Files)

Remove Keslan Virus (.TR, .MMTeam, .Sifrelendi, .TMTEAM, .TRSomware Files)


What is Keslan virus ransomware? How does Keslan virus work? How to open Keslan virus files? How to remove Keslan virus and try to restore files, encrypted by it?

The Keslan virus is actually a ransomware infection, whose main idea is to make sure that you won’t be able to use your files anymore, until you pay ransom to the cyber-criminals who are behind it. The main idea of this is that your files get blocks of their data replaced with data from the AES encryption algorithm used by the Keslan virus. The virus then adds its own file extension and drops a ransom note file. This file’s main purpose is to get victims to pay ransom to get your files to be decrypted using the unique decryption key that is generated and held by the crooks. Read this article to learn how to remove Keslan virus from your computer and learn how to recover data encoded by it.

Threat Summary

NameKeslan virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt files and then ad its custom file extension to them.
SymptomsFiles are encrypted and cannot be opened. The Keslan virus also drops a ransom note file, containing the extortionist message.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Keslan virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Keslan virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

In December 2019 a new sample of the .Sifrelendi Keslan ransomware has been detected. This shows that the virus is still being spread across the world. The method of distribution of the samples is done by inserting the Keslan virus code into executable files. We assume that the most popular distribution techniques are used once again. The performed security analysis gives detailed information on what modules are to be run.

One of the first components is the data removal — it will search for valuable data that will be wiped from the system. This includes all sorts of backups, Shadow volume copies and archives. This step will make recovery much more difficult and the users will have to use a professional-grade data recovery in order to effectively restore their computers.

It can also interact with already installed processes which is commonly done to spy on the victims activities. By accessing the web browsers the hackers can acquire sensitive information about the habits of the victims and stored credentials to commonly accessed services. By overtaking control of the programs they can manipulate fields and cause unexpected behavior. When every component has finished running the encryption phase will follow.

Following the ongoing attack campaigns carrying the Keslan ransomware there have been numerous attempts at taking down computer systems. More specific information about the hackers behind attacks is not available, we do not know if the intrusions are carried out by one collective or several different groups.

One of the latest virus strains adds the .EXT extension to the processed files. The victims will find that a lot of their data will not be accessible. The victims will find that the Keslan virus varant that adds this particular extension will not create a ransom note.

The next release of the Keslan (Sifrelendi) ransomware threat is a new iteration encrypting files with the .Deniz_Kızı extension. To differentiate itself from prior sample it is being distributed using an executable file. The captured samples indicate that it is called ransomware downloader yeni.exe which alludes to the fact that the criminal collective is sending out double extension files.

Keslan virus Ransomware – How Did I Get It and What Does It Do?

The Keslan virus is a malware family of several distinct viruses which have been made by a supposedly Turkish hacking group. Reports about these strains have appeared at te same time indicating that they have been launched against the intended victims. What we know about these versions is that they same the same code base and only feature a different expression in their second stage — the encryption phase.

The distribution techniques used by the virus creators can range from the most common ones to other which are used only in certain situations. This includes the creation of email messages which will contain links to the virus files or attach them directly. Phishing strategies also make use of hacker-made sites that are hosted on domain names that sound similar to legitimate sites.

Keslan virus infections are often caused by interacting with infected files. They can be either malware documents or dangerous application installers. All files are made to impersonate commonly used data. They can be distributed over file-sharing sites and also social networks where the criminals can use fake or hacked accounts.

Related: .TMTEAM Virus File (Turkish Ransomware) – How to Remove

The security report shows that the Keslan virus family of ransomware is based on the well-known Hidden Tear code base. Given the description it is very possible that the hackers are not very experienced in order to have created this new threat.

Such viruses can be easily customized to lead to dangerous actions. The type of malware activity will depend on the local machine conditions or the specific hacker instructions. At this point we can only list some of the possible modules that are often engaged in such threats:

  • Boot Options Changes — The Keslan virus and its associated derivatives can be set to modify the system in a way which will automatically launch the ransomware when the computer boots.
  • Windows Registry Changes — The main engine can also make changes to the Windows Registry which will lead to severe performance issues. When existing values have been changed it can also lead to issues when running certain programs.
  • Additional Virus Delivery — The existing Keslan virus can be used to lead to other infections including Trojans and cryptocurrency miners.

In the end the actual encryption module will be run. Using a built-in list of target file type extensions and a strong cipher the victims will find most of their files inaccessible. This can include sensitive data like their music or family photos. Commonly ransomware variants will act against common data like documents, multimedia files, archives and databases. The Keslan virus will place a respective extension: .TR, .MMTeam, .Sifrelendi, .TMTEAM or .TRSomware. A ransomware note will be created in several text files written in Turkish. Its aim is to manipulate the victims into paying the hackers a set decryption fee.

Remove Keslan and Try Restoring Files

To remove Keslan virus from your computer, we strongly recommend that you read the instructions underneath. They have been created with the primary purpose to help you remove the Keslan virus files and try to restore all encrypted data. For a faster and effective removal, we strongly recommend that you download and run a scan of your computer using a professional malware removal software. Such program has been made with the main idea to help you erase all traces of the Keslan virus from your machine by scanning for its files and objects. It can also protect you from future threats and intrusive software of this type.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share