A ransomware with the name KratosCrypt is currently running in the wild. The extension the ransomware appends to encrypted files is .kratos and creates a file with instructions. The ransom price it demands as payment is 0.03 Bitcoins or around 20 US dollars, which is low compared to other ransomware. To know how to remove this ransomware and see what you can try in restoring your data, you should read this article to its end.
|Short Description||The ransomware uses an AES algorithm and encrypts files putting .kratos as an extension to them.|
|Symptoms||The ransomware will lock your files and display a ransom note. The note sttes that you have to pay 0.03 Bitcoins for decryption.|
|Distribution Method||Spam Emails, Email Attachments, Suspicious Sites|
|Detection Tool|| See If Your System Has Been Affected by KratosCrypt |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss KratosCrypt.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
KratosCrypt Ransomware – Infection Spread
KratosCrypt ransomware is probably spread mainly with spam email campaigns. Spam emails have files attached to them. Malicious code hides inside the attachments very often. And when you open such an attachment, your computer gets infected. A curious fact about that is some malware creators make the sole body of the email contain the malicious code, where you might get infected just by opening the email letter.
Social media sites and services for file-sharing could have malware files, which might have been uploaded by the criminals. To avoid most of the chances of getting infected with ransomware you have to be wary around what you click, open and download while surfing the Internet. Suspicious links and files of unknown origin could help with the spread of the infection, especially if they contain malicious code.
KratosCrypt Ransomware – Technical Description
KratosCrypt is the name of a ransomware recently found in the wild by researchers. The name is included in the ransom note. When the encryption process is set and done, it will point to the following email address – kratosdimetrici@gmail(.)com.
The ransomware might create an entry in the Windows Registry for an auto-run option to execute with every Windows start:
→HKCU\Software\Microsoft\Windows\CurrentVersion\Run [exe name]
After encryption, the KratosCrypt ransomware creates a file named “README_ALL.html” ransom note file. The payment instructions are described there. You can see a picture of the note:
The ransom message states the following:
Your documents, photos, databases and other important files have been encrypted!
To decrypt your files you need to buy the special software – “Kratos Decryptor”.
The purchase should be performed via network only at a special price: BTC0.03.
How to get “Kratos Decryptor” ?
1- Create a Bitcoin Wallet (we recommend Blockchain.info)
2- Buy necessary amount of Bitcoins
Do not forget about the transaction commision in the Bitcoin network (0.0005 BTC).
Here are our recommendations:
LocalBitcoins.com – The fastest and easiest way to buy and sell Bitcoins;
CoinCafe.com – The simplest and fastest way to buy, sell and use Bitcoins;
BTCDirect.eu – The best for Europe;
CEX.IO – VISA / MasterCard;
CoinMama.com – VISA / MasterCard;
HowToBuyBitcoins.info – Discover quickly how to buy and sell bitcoins in your local currency;
3- Send BTC 0.03 to the following Bitocoin Address:
4- Send an E-mail to this address containing the TRANSACTION ID:
5- You will receive an E-mail containing the download link + PASSWORD.
The wanted ransom price is 0.03 Bitcoins, which is a little over than 20 US dollars. The note tries to make you pay for a decryptor, but you should know better than follow suit into that extortion method. Do not pay the ransom as there are other ways you can try to restore your files. Also, the ransomware doesn’t threaten to delete anything or to increase the price, etc. A solution or free decryption is still a possible outcome. Paying supports the creators of the ransomware, but does not guarantee in any way that you will get your files back.
The KratosCrypt ransomware uses a 256-bit ciphers with the AES algorithm for file encryption. File extensions which the probably encrypts are:
→.svg, .php, .jpg, .jpeg, .jps, .bmp, .tiff, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .txt, .pdf, .html, .rtf, .psd, .ps, .odt, .odp, .odx, .ibooks, .xlp, .db, .dbf, .mdf, .sdf, .mdb, .sql, .rar, .7z, .zip, .vcf, .csv, .xml
When the encryption process is finished, each file on your computer will have one, and the same extension appended – .kratos.
KratosCrypt ransomware most probably also erases the Shadow Volume Copies from the Windows operating system. Keep reading the article to see in what ways you could try to restore your data back to normal.
Remove KratosCrypt Ransomware and Restore .kratos Encrypted Files
If your computer is infected by the KratosCrypt ransomware, you should have some experience with removing malware. You should get rid of the ransomware as fast as you can because it might encrypt more files and spread further in your currently used network. The recommended thing to do is for you to remove the ransomware completely by following the step-by-step instructions provided below.