Remove Korean Ransomware and Restore .암호화됨 Encrypted Files - How to, Technology and PC Security Forum |

Remove Korean Ransomware and Restore .암호화됨 Encrypted Files


with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Korean Ransomware and other threats.
Threats such as Korean Ransomware may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy


A new HiddenTear crypto-virus variant, named Korean ransomware, was discovered in the wild. Its ransom note is written in Korean, thus it is believed to be mainly targeting Korea, but it is not excluded for other users across the globe to become its victims. The Korean ransomware will encrypt your files and add the .암호화됨 extension to them. Read the article to the end to see how you can remove the ransomware and possibly decrypt your files.

Threat Summary

NameKorean Ransomware
Short DescriptionThe ransomware encrypts all your important files and displays a ransom message, giving out details about the ransom payment.
SymptomsThe ransomware will encrypt files with the .암호화됨 extension and append them to every file.
Distribution MethodSpam Emails, File Sharing Networks
Detection Tool See If Your System Has Been Affected by Korean Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Korean Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Korean Ransomware – Infection Spread

Korean ransomware could be utilizing targeted attacks for the infection of computers, and victims are probably mainly of Korean origin. Other methods for spreading the infection could exist, as well. It might also be spread in other ways, and it depends on what the cyber crooks do about it. There could be spam emails, which deliver letters with malicious attachments; some software or a website which is not updated having an exploit kit using that vulnerability as an entry point, etc. Even Social media networks or services for file-sharing could be used. Be extremely careful with your online actions and refrain from interacting with dubious emails, links, websites or files.

Korean Ransomware – Technical Details

Korean ransomware is based on the HiddenTear project. It is called that because its ransom note is in the Korean language and targets mainly users who speak that language. This does not exclude the possibility for other people to become victims of this crypto-virus. The malware researcher, Michael Gillespie discovered the ransomware a little over a day ago.

The ransomware might make the following entry in the Windows Registry:


If that entry is indeed made, the ransomware will maintain persistence and launch with each start of the Windows Operating System.

After the Korean ransomware encrypts a user’s files it will create the file ReadMe.txt which is a ransom message, written in Korean. You can preview it here:


The text inside it reads:

당신 의 파일 이 암호화 되었습니다. zMUTnnIOp / Ns & 3G [Password]

A rough English translation of that ransom message will look somewhat like this:

Your files have been encrypted. zMUTnnIOp / Ns & 3G [Password]

But that is not all – there is another file, which is the actual ransom note with instructions for paying the ransom. The file is a picture and is put on your desktop, so you see it. Here it is:


The text there is again in Korean and translates into English as the following:

Your files have been encrypted.
Download and install
and enter your ID-code.
[Website and code given] Follow the instructions on the site.

From the tweet of Michael Gillespie mentioned earlier, we find out that the website used for a decryption service is in actuality that of CrypMIC ransomware. You can see a picture of the website down here:


The website has not stopped being active for more than two months, and the cyber criminals have probably amassed lots of money from their victims. The owners of the Korean ransomware could be affiliates or partners of the ones who created CrypMIC or virtually be the same people.

That is not important, because whatever the case is, you should not pay them. No guarantee is there that you will get your files decrypted, nor that the crooks will answer you. In the case that the owners of the two ransomware viruses are different, it might create a mess and a discrepancy between the encryption and decryption processes.

→.png, .xls, .xlsx, .doc, .docx, .ppt, .pptx, .psd, .svg, .bak, .db, .txt, .rar, .zip, .jpeg, .jpg, .pdf, .sql


The above list is with file extensions which are still what people use on a daily basis for saving their important data, so it is probably those files that will 100% get encrypted. Files will get encrypted with the .암호화됨 extension, and in English that extension would translate exactly to “encrypted”. The Korean ransomware will lock the files using an AES 256-bit algorithm, as many other HiddenTear variants do.

Korean ransomware is not known if it deletes the Shadow Volume Copies from the Windows Operating System, but it is very likely to do that.

Remove Korean Ransomware and Restore .암호화됨 Encrypted Files

If your computer system got infected with the Korean ransomware, you should have some experience in malware removal. You should get rid of this ransomware as quickly as possible before it encrypts other files and spreads deeper in your used network. The recommended action for you to remove the ransomware effectively by following the step-by-step instructions manual provided down below.

Note! Your computer system may be affected by Korean Ransomware and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Korean Ransomware.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Korean Ransomware follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Korean Ransomware files and objects
2. Find files created by Korean Ransomware on your PC

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Korean Ransomware

Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share