
Remove Kriptovor Ransomware and Restore .Just Encrypted Files

The AES encryption algorithm is used by the Kriptovor ransomware, which encrypts files and appends the .Just file extension to their original one. The threat then drops a MESSAGE.txt file which gives the infected PC a unique ID and asks the user to contact the cyber-criminals by e-mail for more information. Since the purpose is to extract a huge ransom fee, and paying is no guarantee you will get your files back, experts advise users not to contact the e-mail address and to try alternative methods to restore files and remove this malware, like the ones posted in this article.

Threat Summary



Short Description: The malware encrypts users’ files after force-restarting their PC, dropping a ransom message named “MESSAGE.txt”.
Symptoms: The user may witness ransom messages and “instructions”.
Distribution Method: Via malicious PDF and Infostealer.
Detection Tool: See If Your System Has Been Affected by Kriptovor (Malware Removal Tool)
User Experience: Join our forum to discuss Neitrino Ransomware.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Kriptovor Ransomware and Its Distribution

To infect users, Kriptovor ransomware may take advantage of the openness of torrent websites, where its malicious executables can be posted disguised as:

  • Game crackfixes.
  • Key generators for programs.
  • Fake installers of programs.

In addition, researchers at the FireEye blog report that Kriptovor also spreads via malicious e-mails containing URLs that lead to third-party sites hosting a .PDF attachment.

The e-mail message invites the user to download the PDF file, which opens the resume of a job candidate, usually female. The resume is reported to contain a malicious script which activates an Infostealer component.

More About Kriptovor Ransomware

As soon as the Infostealer is activated, it begins to check for the following information on the affected computer:

  • Internet connection details.
  • Processes actively running on the machine of the user.
  • Name of the machine.
  • Outgoing and incoming connections and all IP addresses connected to the victim, as well as its own.
  • Registry entries information.

After this is done, the virus checks whether the computer is a virtual machine and, if it is, Kriptovor shuts down. If not, it downloads its payload, called temporary.rar, from the following web domain:

→ http://plantsroyal(.)org/css/salomon.rar

Kriptovor ransomware then hides the malicious file and adds a registry string named AdobeUpdate, which runs the encryptor once when you start Windows:

→ HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\

After the virus is run, it begins to look for multiple types of files to encrypt. The main ones are reported to be the following:

→ .1cd .cfn .dt .eml .html .ldf .pab .psb .shy .xcf .7z .crt .dwf .enc .jbc .lgp .pcx .psd .snk .xls .accdb .csr .dwg .epf .jif .md .pdf .pst .sql .sqlite .sqlite3 .sqlitedb .xlsm .xlsx .accdc .dbc .dws .eql .jiff .mdb .pem .rar .adp .dbf .dxe .erf .jpe .mdf .pfx .raw .xof .afp .dbt .dxl .fb .jpeg .mht .ply .rev .zip .bfa .dbx .ebd .fb2 .jpf .mxl .png .rtf .stl .zipx .bpk .der .edb .fc2 .jpg .oab .pov .rzk .tbb .bsk .djvu .efb .fcz .just .ost .ppsx .rzx .tbn .cdr .doc .efn .fg .kdb .p7 .ppt .sec .tif .cer .docm .egg .fp3 .kdbx .p7b .pptx .sef .tiff .cf .docx .emd .htm .key .p7c .prefab .sgn .txt

The ransomware then leaves a ransom note in Russian, asking the user to contact one of several e-mail addresses.

The ransom note is in a MESSAGE.txt file which may be dropped onto the user's desktop as well as into affected folders. The message states the following:

→ (translated from Russian) "You can find out the price of the decryptor by writing an e-mail to: {cyber-criminals’ e-mail address here}
In the subject line of the e-mail, state your ID:2083043332
We strongly ask you not to try to decrypt the files with third-party tools.
You may damage them permanently, and even the original decryptor will not help.
Requests are accepted until (Date)
After (Date) any requests will be ignored.
E-mails are processed by an automated system.
Delays in replies are possible"

What is important in this ransom message is that the cyber-criminals warn the infected user not to try to decrypt the files directly. This strongly suggests that CBC mode may have been used to encrypt the files.
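
The indicators described in this section (the AdobeUpdate value under RunOnce, files ending in .Just, and MESSAGE.txt notes carrying an ID line) can be checked with a short triage script. This is an added example, not part of the original article or of any vendor tool; the function names are assumptions and the demo files are constructed dummies.

```python
import os
import re
import sys
import tempfile
from pathlib import Path

RUNONCE = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"  # key named in the article
ID_RE = re.compile(rb"\bID:\s*(\d+)")  # the note carries a line such as "ID:2083043332"

def runonce_adobeupdate():
    """Return the command behind HKCU RunOnce 'AdobeUpdate', or None if absent."""
    if sys.platform != "win32":
        return None  # the registry check only makes sense on a live Windows host
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNONCE) as key:
            return winreg.QueryValueEx(key, "AdobeUpdate")[0]
    except OSError:  # key or value missing, or access denied
        return None

def scan_tree(root):
    """Walk root; collect .Just files, ransom notes and the victim IDs they contain."""
    report = {"encrypted": [], "notes": [], "ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(".just"):
                report["encrypted"].append(path)
            elif name.lower() == "message.txt":
                # Note encoding is unknown: match on bytes, dropping UTF-16 NULs.
                data = path.read_bytes().replace(b"\x00", b"")
                ids = [m.decode() for m in ID_RE.findall(data)]
                if ids:  # a MESSAGE.txt without an ID line is not treated as a note
                    report["notes"].append(path)
                    report["ids"].update(ids)
    return report

def demo():
    """Scan a constructed directory (dummy files only, no malware involved)."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "budget.xlsx.Just").write_bytes(b"\x00" * 16)  # constructed sample
        Path(tmp, "notes.txt").write_text("untouched")
        note = "В теме письма укажите ваш ID:2083043332\n".encode("cp1251")
        Path(tmp, "MESSAGE.txt").write_bytes(note)
        r = scan_tree(tmp)
        return len(r["encrypted"]), len(r["notes"]), sorted(r["ids"])

if __name__ == "__main__":
    print("RunOnce:", runonce_adobeupdate(), "| demo scan:", demo())
```

Windows deletes RunOnce values when it runs them, so a missing AdobeUpdate value does not rule out an infection; the file scan is the more durable indicator, and `scan_tree` can also be pointed at a mounted disk image.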

Remove Kriptovor Ransomware and Try To Get Your Files Back

In order to delete Kriptovor Ransomware, we strongly advise you to focus on automatically removing it by using an advanced anti-malware program. This may automatically find all files and registry entries which you would have difficulty removing manually because they are concealed.

If you wish to get back your files, we advise you NOT TO TRY direct decryption, because CBC mode may have been used on the encrypted files and third-party decryptors may break them, making them lost forever. Instead, we advise following the alternative file-restoration solutions in step “3. Restore files encrypted by Kriptovor” below. They may not be 100 percent effective, but they might help to restore at least a small portion of your files.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
