Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Sep 2017

How to remove Kryptonite ransomware virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Julie Splinters · Anti-malware specialist

Kryptonite continues its malicious tasks under the name of RBY

The image illustrating Kryptonite ransomware

Kryptonite is a crypto-malware that has been spreading as a fake Snake game. Due to this unique distribution name, the virus is known under Kryptonite Snake name. However, malware has been updated on September 2017, and currently, it spreads as RBY ransomware.

The recent version works similarly as the previous one. It spreads as an obfuscated Kryptonite.exe file. However, Kryptonite RBY sets a new wallpaper on the affected computer. The picture includes a short message in Russian and English languages:

ВНИМАНИЕ!
В этой фотографии скрывается флаг.

ATTENTION!
All the files on your disk were encrypted.

When the original version of the Kryptonite ransomware virus has been discovered, it was functioning as crypto-malware which seemed to be under development. However, the most distinguishable feature is that the malware disguises under the Snake game. Upon launching snake_game.exe, you see the names of the supposed authors: Manish Kumar and Gaurav Anand. Thanks to the IT specialist, Leo, who has found the sample, the virus links to the institute of technology located in Israel.

At the moment, the ransomware does not append any file extension, but it still encodes data with RSA-2048[1]. Here is a summary of its features:

  • Urges to launch getmyId.exe
  • Launches voice message after encryption
  • Leaves no file extension
  • Uses RSA-2048 encryption technique

Though the ransomware still manages to encode your files, Kryptonite removal might be a better option. FortectIntego or MalwarebytesMalwarebytes helps you do that faster.

The operation of ransomware has imperfections

Perhaps the authors wanted to test their programming skills rather than create a full-fledged malware. The operation mode is not polished as it occasionally crashes or gets stuck at a non-responding state.

Additionally, the malware asks to launch getmyID.exe file. However, such file is nowhere to be found. Interestingly, the authors took one feature from Cerber virus. After the virus gets finally executed and finishes encoding message, an abrupted male voice informs that all documents and photos are encrypted.

The authors did not bother themselves with elaborating the malware as it does not leave any file extension, though the content of the files is encrypted with an elaborate algorithm.

However, the most unusual feature of Kryptonite malware is the payment stage. Unlike other malware which asks to transfer files the files to a Bitcoin address, this malware asks to pay 500 dollars, but instead of sending the money, it demands to enter credit card information.

Needless to say that you should not remit the payment since the malware does is not fully developed. Furthermore, once the perpetrators get hold of your personal data, you might suffer much bigger financial losses. Thus, remove Kryptonite malware right away.The sample of Kryptonite

Possible ways to get infected with Kryptonite

As mentioned before, the original version of ransomware infiltrates into PCs under the snake game or, more specifically, snake_game.exe. Users may also notice cad.exe file in their Task Manager. In order to stop the trojan which might be identified as Win32.Trojan-Ransom.Filecoder.P@gen, Ransom_KRYPTONITE.A, make sure you enforce proper security of the device. Thus, you should install an anti-spyware application to avoid this crypto-virus.

However, software utilities are not sufficient in lowering infection rate. Note that gaming websites often happen to be a haven for ransomware. Thus, before downloading a game, make sure it is the legitimate version. 

Meanwhile, the RBY ransomware virus spreads as a Kryptonite.exe. The specific distribution methods are currently unknown. Thus, it seems that developers may have looked broader to the possible dissemination strategies and might spread the virus using:

  • malicious spam email campaigns;
  • unprotected RDP configuration;[2]
  • fake or illegal software downloads or updates;
  • exploit kits;
  • malware-laden ads.

Therefore, you should follow cyber security tips[3] to avoid ransomware. Avoid clicking or opening unknown links or email attachments. Staying away from unknown file-sharing sites and downloading only legit programs might help to minimize the risk of the attack too.

Guidelines for Kryptonite ransomware elimination

Fortunately, this malware is not fully developed[4] so you should not encounter Kryptonite removal difficulties. However, you should still rely on malware removal tools, such as FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. In case, the malware prevents you from deleting it, you might benefit from below instructions.

It is not recommended to remove Kryptonite virus manually as its affiliated files might remain on the system. On the final note, some users are likely to be more targeted.[5]

Be the first to comment

Read in your language

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.