Remove Korean Ransomware and Restore .암호화됨 Encrypted Files

[Screenshot: Korean ransomware lock screen with skull picture]

A new HiddenTear crypto-virus variant, named Korean ransomware, was discovered in the wild. Its ransom note is written in Korean, so it is believed to be targeting mainly Korea, but users elsewhere in the world may become its victims too. The Korean ransomware encrypts your files and appends the .암호화됨 extension to them. Read the article to the end to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

Name: Korean Ransomware
Type: Ransomware
Short Description: The ransomware encrypts all your important files and displays a ransom message, giving out details about the ransom payment.
Symptoms: The ransomware encrypts files and appends the .암호화됨 extension to each of them.
Distribution Method: Spam Emails, File Sharing Networks
Detection Tool: See If Your System Has Been Affected by Korean Ransomware
User Experience: Join Our Forum to Discuss Korean Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Korean Ransomware – Infection Spread

Korean ransomware could be using targeted attacks to infect computers, and the victims are probably mainly of Korean origin. Other distribution methods could exist as well, depending on what the cyber crooks decide to do. There could be spam emails delivering messages with malicious attachments, or outdated software or websites with a vulnerability that an exploit kit uses as an entry point. Even social media networks or file-sharing services could be used. Be extremely careful with your online actions and refrain from interacting with dubious emails, links, websites or files.

Korean Ransomware – Technical Details

Korean ransomware is based on the HiddenTear project. It is called that because its ransom note is in the Korean language and it targets mainly users who speak that language. This does not exclude the possibility of other people becoming victims of this crypto-virus. Malware researcher Michael Gillespie discovered the ransomware a little over a day ago.

The ransomware might make the following entry in the Windows Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

If that entry is indeed made, the ransomware will maintain persistence and launch with each start of the Windows Operating System.

After the Korean ransomware encrypts a user’s files, it creates the file ReadMe.txt, which is a ransom message written in Korean. You can preview it here:

[Screenshot: ReadMe.txt ransom message]

The text inside it reads:

당신 의 파일 이 암호화 되었습니다. zMUTnnIOp / Ns & 3G [Password]

A rough English translation of that ransom message will look somewhat like this:

Your files have been encrypted. zMUTnnIOp / Ns & 3G [Password]

But that is not all – there is another file, which is the actual ransom note with instructions for paying the ransom. The file is a picture placed on your desktop so that you see it. Here it is:

[Screenshot: ransom note picture with payment instructions]

The text there is again in Korean and translates into English as the following:

Your files have been encrypted.
Download and install https://www.torproject.org/projects/torbrowser.html.en
and enter your ID-code.
[Website and code given] Follow the instructions on the site.

From the tweet of Michael Gillespie mentioned earlier, we find out that the website used for the decryption service is actually that of the CrypMIC ransomware. You can see a picture of the website here:

[Screenshot: CrypMIC decryption service website]

The website has been active for more than two months, and the cyber criminals have probably amassed lots of money from their victims. The owners of the Korean ransomware could be affiliates or partners of the people who created CrypMIC, or they could be the very same people.

That is not important, because whatever the case is, you should not pay them. There is no guarantee that you will get your files decrypted, nor that the crooks will answer you. If the owners of the two ransomware viruses are different, there may be a mismatch between the encryption and decryption processes, and a decryptor bought from that site may not work on your files.

.png, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .psd, .svg, .bak, .db, .txt, .rar, .zip, .jpeg, .jpg, .pdf, .sql

[Screenshot: file encrypted with the .암호화됨 extension]

The above list contains file extensions that people still use daily to save their important data, so files with those extensions will almost certainly be encrypted. Encrypted files receive the .암호화됨 extension, which translates to English exactly as “encrypted”. The Korean ransomware locks the files using an AES 256-bit algorithm, as many other HiddenTear variants do.

It is not known whether Korean ransomware deletes the Shadow Volume Copies of the Windows Operating System, but it is very likely to do so.
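The following script is an added example for triaging a machine after infection; it is not code from the article or from the malware. It uses only the indicators stated above (the appended .암호화됨 extension, the ReadMe.txt note, and the list of targeted extensions) to sort a set of file paths into encrypted files, ransom notes and still-intact at-risk files, and recovers the original file name from an encrypted one. The sample paths are constructed.

```python
import os
from pathlib import PureWindowsPath

# Indicators taken from the article: appended extension, note name, targeted extensions.
ENCRYPTED_EXT = ".암호화됨"
RANSOM_NOTE = "ReadMe.txt"
TARGETED_EXTS = {
    ".png", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".psd", ".svg",
    ".bak", ".db", ".txt", ".rar", ".zip", ".jpeg", ".jpg", ".pdf", ".sql",
}


def classify(path):
    """Return 'note', 'encrypted', 'at_risk' or None for a single path."""
    p = PureWindowsPath(path)  # accepts both '\\' and '/' separators on any OS
    if p.name == RANSOM_NOTE:
        return "note"
    if p.name.endswith(ENCRYPTED_EXT):
        return "encrypted"
    if p.suffix.lower() in TARGETED_EXTS:  # intact file of a type the malware targets
        return "at_risk"
    return None


def original_name(encrypted_path):
    """Strip the appended extension to get the file name as it was before encryption."""
    name = PureWindowsPath(encrypted_path).name
    return name[:-len(ENCRYPTED_EXT)] if name.endswith(ENCRYPTED_EXT) else name


def triage_paths(paths):
    """Group an iterable of path strings by category; each list is sorted."""
    report = {"encrypted": [], "note": [], "at_risk": []}
    for path in paths:
        kind = classify(path)
        if kind:
            report[kind].append(str(path))
    for kind in report:
        report[kind].sort()
    return report


def triage_tree(root):
    """Walk a real directory tree (e.g. a user profile) and triage every file in it."""
    return triage_paths(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


if __name__ == "__main__":
    # Constructed sample paths; on a real machine call triage_tree(r"C:\Users") instead.
    sample = [r"C:\Users\a\Documents\budget.xlsx.암호화됨", r"C:\Users\a\Desktop\ReadMe.txt",
              r"C:\Users\a\Pictures\cat.JPG", r"C:\Windows\System32\kernel32.dll"]
    for kind, files in triage_paths(sample).items():
        print(kind, files)
```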

Remove Korean Ransomware and Restore .암호화됨 Encrypted Files

If your computer system got infected with the Korean ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible, before it encrypts other files and spreads further across your network. The recommended action is to remove the ransomware by following the step-by-step instructions provided below.

Manually delete Korean Ransomware from your computer

Note! Important information about the Korean Ransomware threat: Manual removal of Korean Ransomware requires interfering with system files and registry entries, so it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Korean Ransomware files and objects.
2. Find malicious files created by Korean Ransomware on your PC.
3. Fix registry entries created by Korean Ransomware on your PC.

Automatically remove Korean Ransomware by downloading an advanced anti-malware program

1. Remove Korean Ransomware with SpyHunter Anti-Malware Tool
2. Back up your data to secure it against infections and file encryption by Korean Ransomware in the future
3. Restore files encrypted by Korean Ransomware
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.
