Remove Korean Ransomware and Restore .암호화됨 Encrypted Files - How to, Technology and PC Security Forum



A new HiddenTear crypto-virus variant, named Korean ransomware, was discovered in the wild. Its ransom note is written in Korean, thus it is believed to be mainly targeting Korea, but it is not excluded for other users across the globe to become its victims. The Korean ransomware will encrypt your files and add the .암호화됨 extension to them. Read the article to the end to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

Name: Korean Ransomware
Short Description: The ransomware encrypts all your important files and displays a ransom message, giving out details about the ransom payment.
Symptoms: The ransomware encrypts files and appends the .암호화됨 extension to each of them.
Distribution Method: Spam Emails, File Sharing Networks
Detection Tool: See If Your System Has Been Affected by Korean Ransomware (Malware Removal Tool)
User Experience: Join Our Forum to Discuss Korean Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Korean Ransomware – Infection Spread

Korean ransomware could be using targeted attacks to infect computers, and its victims are probably mainly in Korea. Other distribution methods could be in use as well, depending on what the cyber crooks decide: spam emails carrying malicious attachments, or outdated software or websites that an exploit kit uses as an entry point. Even social media networks or file-sharing services could be used. Be extremely careful with your online actions and refrain from interacting with dubious emails, links, websites or files.

Korean Ransomware – Technical Details

Korean ransomware is based on the HiddenTear project. It is called that because its ransom note is in the Korean language and it mainly targets users who speak that language, which does not exclude other people from becoming victims of this crypto-virus. The malware researcher Michael Gillespie discovered the ransomware a little over a day ago.

The ransomware might make the following entry in the Windows Registry:


If that entry is indeed made, the ransomware will maintain persistence and launch with each start of the Windows Operating System.

After the Korean ransomware encrypts a user’s files, it creates the file ReadMe.txt, which is a ransom message written in Korean. You can preview it here:


The text inside it reads:

당신 의 파일 이 암호화 되었습니다. zMUTnnIOp / Ns & 3G [Password]

A rough English translation of that ransom message reads:

Your files have been encrypted. zMUTnnIOp / Ns & 3G [Password]

But that is not all – there is another file, which is the actual ransom note with instructions for paying the ransom. It is a picture placed on your desktop so that you are sure to see it. Here it is:


The text there is again in Korean and translates into English as the following:

Your files have been encrypted.
Download and install
and enter your ID-code.
[Website and code given] Follow the instructions on the site.

From the tweet of Michael Gillespie mentioned earlier, we learn that the website used for the decryption service is actually that of the CrypMIC ransomware. You can see a picture of the website here:


The website has been active for more than two months, and the cyber criminals have probably amassed lots of money from their victims. The owners of the Korean ransomware could be affiliates or partners of the CrypMIC creators, or even the same people.

Whatever the case, you should not pay them. There is no guarantee that you will get your files decrypted, nor that the crooks will answer you. If the owners of the two ransomware viruses are different, the decryption service may not match the encryption process at all.

.png, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .psd, .svg, .bak, .db, .txt, .rar, .zip, .jpeg, .jpg, .pdf, .sql


The above list contains file extensions that people still use on a daily basis to save their important data, so it is those files that are most likely to get encrypted. Encrypted files receive the .암호화됨 extension, which translates into English exactly as “encrypted”. The Korean ransomware locks the files using the AES 256-bit algorithm, as many other HiddenTear variants do.
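As an added illustration (not code from the article or from the researcher it cites), here is a small Python triage script that walks a directory, counts files carrying the .암호화됨 extension by their original type, confirms a ReadMe.txt note by the Korean wording quoted above, and flags encrypted files whose original extension is outside the list given in the article. The target list comes from the article; the sample tree it scans is constructed inline.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators from the article: appended extension, note file name, target list.
ENCRYPTED_EXT = ".암호화됨"
RANSOM_NOTE = "ReadMe.txt"
TARGETED_EXTS = {".png", ".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".psd",
                 ".svg", ".bak", ".db", ".txt", ".rar", ".zip", ".jpeg", ".jpg",
                 ".pdf", ".sql"}


def original_extension(name: str) -> str:
    """'budget.xlsx.암호화됨' -> '.xlsx' (lower-cased); '' if there was none."""
    return Path(name[:-len(ENCRYPTED_EXT)]).suffix.lower()


def is_ransom_note(path: str) -> bool:
    """ReadMe.txt is a common file name, so also require the Korean word for
    'encrypted' (암호화), which the quoted note contains, before flagging it."""
    with open(path, "rb") as fh:
        return "암호화" in fh.read(4096).decode("utf-8", errors="ignore")


def scan_tree(root: str) -> dict:
    """Tally .암호화됨 files by original extension, record directories holding a
    ransom note, and list encrypted files outside the article's target list."""
    by_ext, note_dirs, unexpected = Counter(), [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name == RANSOM_NOTE and is_ransom_note(full):
                note_dirs.append(dirpath)
            elif name.endswith(ENCRYPTED_EXT):
                ext = original_extension(name)
                by_ext[ext] += 1
                if ext not in TARGETED_EXTS:
                    unexpected.append(full)
    return {"encrypted_total": sum(by_ext.values()), "by_extension": dict(by_ext),
            "note_dirs": sorted(note_dirs), "unexpected": sorted(unexpected)}


def demo() -> dict:
    """Build a constructed sample tree (no real malware artefacts) and scan it."""
    root = tempfile.mkdtemp()
    docs = Path(root, "Documents")
    docs.mkdir()
    for name in ("budget.xlsx.암호화됨", "photo.JPG.암호화됨", "keys.kdbx.암호화됨", "todo.md"):
        (docs / name).write_bytes(b"constructed sample content")
    (docs / RANSOM_NOTE).write_text("당신의 파일이 암호화 되었습니다.", encoding="utf-8")
    (Path(root) / RANSOM_NOTE).write_text("a harmless readme", encoding="utf-8")
    return scan_tree(root)
```

An entry under "unexpected" (here the .kdbx file) is worth a closer look, since it suggests the sample encrypts more than the extensions the article lists.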

It is not known whether Korean ransomware deletes the Shadow Volume Copies of the Windows Operating System, but it is very likely that it does.

Remove Korean Ransomware and Restore .암호화됨 Encrypted Files

If your computer system got infected with the Korean ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible, before it encrypts other files and spreads deeper into your network. The recommended action is to remove the ransomware by following the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
