Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Jun 2018

How to remove KRIPTOVOR virus

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Lucia Danes · Virus researcher

KRIPTOVOR is ransomware that threatens computer users since 2014

KRIPTOVOR ransomware

KRIPTOVOR is a file-encrypting virus that uses AES cryptography to make files unusable on the affected machine. Originally, it adds .Just file extension to the data, but other versions of the virus append .neitrino and .excuses suffixes. The malware was first detected in 2014, though it is still active in 2018.

Summary of the cyber threat
Name KRIPTOVOR
 Type Ransomware
Danger level High. Makes system changes, encrypts files, tries to steal credentials
Release date 2014
Versions Neitrino, Excuses
Affected region Russia
Targeted OS Windows
Cryptography LockBox 3, AES
File extensions .Just, .neitrino, .NEITRINO, .excuses
Contact email addresses kirova.l@mutualizm.ru
abramova@sabona.ru
kirova.ls@orangedv.tmweb.ru
kirova-l@wibor5.ru
l_abramova@wibor5.ru
abramova.l@wibor5.ru
y.volkova@i-jazz.ru
l_abramova@festivalps.ru
payment.cashery@gmail.com
neitrino@protonmail.com
mr.anders@protonmail.com
excuses@protonmail.com
Associated files AdobeSystems.exe, AdobeUpdate.exe, svchost.bat
Decryption Impossible without backups
To uninstall KRIPTOVOR, install FortectIntego and run a full system scan

KRIPTOVOR virus mainly targets Russian[1] companies and spreads via emails.[2] The majority of malicious letters have a subject line “Резюме на вакантную должность” (“Resume for the vacant post”). In the body criminals tell to double-click the attached file in order to open a resume in Adobe Reader:

Дважды кликните, чтобы открыть резюме в Adobe Reader

KRIPTOVOR spam email

However, the attachment is a corrupted file that includes malicious content instead of person's resume. Once opened, malware downloads password-protected RAR file which includes AdobeSystems.exe. This file is the executable of the KRIPTOVOR.

KRIPTOVOR ransomware virus

On the affected machine, KRIPTOVOR ransomware does not act like typical ransomware. It encrypts files using LockBox 3 which uses AES cryptography. Additionally, it scans for login and password information that might be saved on the targeted data. Thus, the virus also aims to extract potentially useful information too.

When all files are locked, KRIPTOVOR also delivers a ransom note in the Russian language. The information about the attack and data recovery possibilities are included in the MESSAGE.txt file. The translation of the threatening message provided below:

The cost of the decryptor can be obtained by writing an email to: payment.cashery@gmail.com
In the subject line please include your ID:[redacted]
Please do not try to decrypt the files using third-party tools.
You can completely corrupt them, and even the original decryptor will not help.
Requests will be accepted until [Date]
After [Date] requests will be ignored.
Emails are handled automatically by the system.
There may be a delay in responses

According to the research, cyber criminals use different email addresses to communicate with victims. Currently known addresses:

  • kirova.l@mutualizm.ru
  • abramova@sabona.ru
  • kirova.ls@orangedv.tmweb.ru
  • kirova-l@wibor5.ru
  • l_abramova@wibor5.ru
  • abramova.l@wibor5.ru
  • y.volkova@i-jazz.ru
  • l_abramova@festivalps.ru

KRIPTOVOR ransom note

Criminals ask to contact them the same day as the infection occurred. However, security specialists do not recommend doing that because it may lead to money loss. Authors of ransomware usually demand to pay the ransom in cryptocurrency, but they may never give working decryption key.[3] For this reason, we recommend proceeding with KRIPTOVOR removal.

As you already know, the virus might try to extract personal data, so it’s better to terminate it as soon as possible. In order to remove KRIPTOVOR correctly and avoid possible damage to the system, you need to employ FortectIntego or another anti-malware tools. If you have difficulties with elimination, follow the guide below. KRIPTOVOR virus

Versions of KRIPTOVOR

Neitrino ransomware virus. The virus was first detected in autumn 2015 spreading in Russia via malicious spam emails that include obfuscated PDF file. It uses AES[4] cryptography appends either .neitrino or .NEITRINO file extension. Then it downloads a ransom note in MESSAGE.txt in each folder that contains locked files.

On the affected machine, malware is executed from AdobeUpdate.exe and svchost.bat files which are dropped on a system when a user opens a malicious email attachment. The purpose of the virus is to make people pay 5,000 rubles or more for file recovery.

KRIPTOVOR Neitrino virus

According to the ransom note, victims have to send an email to neitrino@protonmail.com or mr.anders@protonmail.com address in order to get further recovery instructions. Though, it is not recommended process. It’s better to remove KRIPTOVOR Neitrino virus and try recovering files from backups or using third-party tools.

Excuses ransomware virus. In 2018, a new variant of KRIPTOVOR has been spotted spreading and targeting Russian users again. This version uses filemarker 0x20000000 and appends .excuses file extension to the targeted files.

Authors of ransomware ask to contact them via excuses@protonmail.com and send their unique victim’s ID number if they want to get back access to the files. Such information is provided in the Russian language. However, apart from changed contact email address, the text of the ransom note did not change:

Приобрести декриптор можно до [Date]
Запросить стоимость: excuses@protonmail.com

В ТЕМЕ письма укажите ваш ID: [redacted]
Письма без указания ID игнорируются.

Убедительная просьба не пытаться расшифровать файлы сторонними инструментами.
Вы можете их окончательно испортить и даже оригинальный декриптор не поможет.

Заявки обрабатываются автоматической системой.

KRIPTOVOR Excuses virus

We want to remind that it’s not a good idea to trust cyber criminals. They will demand to pay the ransom and might disappear as soon as you send a couple of hundred of dollars. Hence, focus on KRIPTOVOR removal and try alternative ways to recover your files.

Obfuscated email attachments might include ransomware payload

The main way how ransomware viruses spread is malicious spam email attachments.[5] Though, not all dangerous emails end up in the spam folders. Crooks might use advanced techniques and make sure that their letter appears in the main emails box. However, they might be identified by these signs:

  • weird or mismatching email address;
  • lack of credentials;
  • empty body;
  • urge to open the attachment;
  • grammar and spelling mistakes.

If the letter does not seem to be sent for you or you did not expect to receive it, stay away from the attachment. Also, you can check it with online file scanners before opening it.

Removal of the KRIPTOVOR ransomware virus

The only correct way to remove KRIPTOVOR from Windows PC is to employ professional software. Tools like FortectIntego or MalwarebytesMalwarebytes can quickly detect malicious components and eliminate them from the device. However, if you have some difficulties, you should reboot the device to Safe Mode with Networking as explained below.

After KRIPTOVOR removal, you can plug in the external hard drive with backups or try our suggested third-party tools. You can find them listed below. However, we want to stress out that the official decryptor is not released yet. So, chances to full recovery are low if you do not have backups.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.