Kasiski ransomware / virus (updated Mar 2020) - Bonus: Decryption Steps
Kasiski virus Removal Guide
What is Kasiski ransomware virus?
Kasiski ransomware is the cryptovirus that uses unusual prefix for renaming encrypted files
Kasiski ransomware is the threat that spreads around using infected files as email attachments and locks users' files for the purpose of ransom demands. Kasiski ransomware is the virus that gets photos, documents, archives, video files, and other commonly used data encrypted to have the opportunity for a ransom demand. This ransomware spreads around the world and frustrates users with the money demanding message that appears on the desktop as a wallpaper and a text file. Criminals claim to offer the decryption tool, but that is all for faking legitimacy and trust. Cryptovirus creators only care for your money, so don't even consider paying them.
Kasiski virus is created by criminals who speak Spanish and want $500 from each victim. The threat is targetting Hispanic users, so it can be distributed around the world easily. Also, it is possible that some versions of the particular threat can aim to English-speaking users and lock files, demand ransoms.
Kasiski virus appears to be a new type of ransomware, which, surprisingly, is created for an x64 version of Windows. It seems that the threat cannot even work on 32-bit devices. The name of this ransomware is derived from the appendix that the original names of corrupted files get. The virus renames files during the encryption process. Unlike other ransomware, it doesn’t add extensions but appends [KASISKI] prefix to the file names.
|File marker||[KASISKI] prefix comes at the start of every encoded file and shows which data got locked by the threat|
|Targets||Hispanic users all over the world|
|Ransom note||INSTRUCCIONES.txt – a file that delivers the message from criminals and displays all the needed information for the victim about encrypted files and possible recovery options.|
|Ransom amount||The text file with instructions also offers to decrypt files with a decryptor for $500|
|Distribution||Spam email attachments with malicious macros get delivered to hundreds of users, so when the file is opened, and macros enabled, ransomware can drop straight on the system and start the encryption|
|Distinct feature||The virus is developed for 64-bit systems, so it is not working on 32-bit devices|
|Elimination||Kasiski ransomware removal should be performed with proper anti-malware tools, so all the malicious files get removed and virus terminated|
|Repair||A full system scan with tools like RestoroIntego can significantly improve the state of security because such utilities can repair system files and corrupted registries or functions|
The virus can be installed by the user himself, without knowing what kind of file/program it is. As we have already mentioned, Kasiski malware encrypts almost all files with a strong cipher and then changes desktop background with a basic yellow picture with some text written on it.
Then the virus drops a file called INSTRUCCIONES.txt (on the desktop) which is known to be a ransom note – a message from malicious actors. Cybercriminals typically create such files on the system after corrupting victim’s data. They aim to inform the victim of how the corrupted data can be recovered, and usually, they demand money immediately.
In this ransom note, authors of Kasiski ransomware ask the victim to pay a ransom in Bitcoins. They promise to provide a “DECRYPT TOOL” for $500. Here's how the beginning of the ransom note looks:
Este es su numero personal (NO LO BORRE) =
Todos sus archivos fueron encryptados (bloqueados)/
Para restaurar sus archivos usted necesita un (DECRYPT TOOL)
Nosotros le ofrecemos el (DECRYPT TOOL) para restaurar sus archivos, su costo es de ($500) quinie
However, we never advise victims to pay the ransom because obviously, cybercriminals are not the people you can count on. Therefore, we usually advise victims to remove Kasiski ransomware from the system using anti-malware tools because such software can easily find and remove the malware from the affected device.
Unfortunately, for affected system files, you should install a program designed for system repair such as RestoroIntego that can help with Kasiski virus damage. Then find a backup, which is needed for data recovery. If you do not have a needed backup, you can try data recovery methods provided below the article.
However, the virus is under analysis at the moment, researchers might come up with Kasiski decryption tool after a while. Until then, take care of the machine, clean virus traces, try to secure your PC from possible additional malware attacks, and try to restore all the encoded data with files stored on external devices. Make sure to double-check before adding any data on the machine, because you may lose your files if any leftover ransomware files trigger the secondary encryption round. Kasiski ransomware is the cryptovirus that shows the ransom demanding message on the wallpaper.
Traditional ransomware distribution techniques
How ransomware crooks distribute their malicious programs depends on their programming skills. More advanced ones employ hacking skills to spread malicious files via ad networks, others use exploit kits, and finally, some scammers use Trojans to infect devices with ransomware.
However, the most efficient technique that is the most used by such criminals so far is also a very basic one. Malware authors only need to compose convincing email letters and send them out to hundreds or even thousands of victims. The message typically says that the user needs to view “attached contents.” In most cases, attachments state about some kind of financial data like order information or invoices.
However, we advise users to think whether a) they know the sender personally or not; b) were they expecting to receive such an email or not. If the answer to these questions is no, better stay away from such letters and delete them ASAP. Always do so with emails you were not expecting to get or notifications that contain red flags like typos, grammar mistakes, or shortened hyperlinks. Those can also send you to macro-laced sites or trigger direct downloads of malicious files, malware.
Kasiski ransomware virus termination procedures include AV tools
If your computer was compromised, remove Kasiski ransomware immediately using proper anti-malware tools. Ransomware-type programs often come with various additional features such as an ability to install new malware, transmit personal information, and even more.
To make your PC safe again, it is recommended to use powerful anti-malware software such as SpyHunter 5Combo Cleaner or Malwarebytes. Full Kasiski ransomware removal guidelines are given down below – follow them carefully, do not rush! Using those methods may help you with the proper AV scan too.
You do not want to miss infectious components because if you do so, they might weaken your PC’s security, which would allow other viruses to infiltrate the system easier. When you are done with the proper elimination of all Kasiski virus components, you can go for the data recovery solutions that are also listed below. Make sure to repair system files using RestoroIntego before though.
Getting rid of Kasiski virus. Follow these steps
Manual removal using Safe Mode
Reboot the system in the Safe Mode with Networking and run the AV tool then
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove Kasiski using System Restore
Make the system virus free by enabling System Restore feature
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of Kasiski. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove Kasiski from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by Kasiski, you can use several methods to restore them:
Data Recovery Pro is the program that can restore your files after encryption and other incidents
You can use Data Recovery pro for encrypted files or for accidentally deleted data
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by Kasiski ransomware;
- Restore them.
Windows Previous Versions is the feature that can help with affected files
When System Restore gets enabled, you can rely on Windows Previous Versions feature and recover data individualy
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
ShadowExplorer restores files affected by Kasiski ransomware
The option can work when Shadow Volume Copies are left untouched
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
Kasiski ransomware has no decryption tool
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kasiski and other ransomwares, use a reputable anti-spyware, such as RestoroIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.
- ^ Kevin Savage, Peter Coogan, Hon Lau. The evolution of ransomware. Symantec Security Response. Analysis of and protection from IT security threats.
- ^ Jim Martin. 32-bit vs 64-bit. PC Advisor. Technology reviews, advice, videos, news and forums.
- ^ Ransomware: Information and prevention. Sophos Knowledge Base. Security Articles.
- ^ Backup Data. NUI Gateway. Information Solutions and Services.
- ^ Exploit Kits. F-Secure. News from the lab.
- ^ Macro virus. Wikipedia. The free encyclopedia.