KODC ransomware (Removal Instructions) - Recovery Instructions Included

KODC virus Removal Guide

What is KODC ransomware?

KODC ransomware is a file locking virus that mainly spreads via software cracks

KODC ransomwareKODC ransomware is a money extortion-based malware that stems from the notorious family Djvu

KODC is a new variant of Djvu/STOP ransomware family that was first spotted by security researcher Michael Gillespie in the second half of January 2020.[1] Just as its predecessors .piny, .redl, .nbes, and others, .kodc version belongs to the newer surge of infections that apply a more secure RSA encryption algorithm[2] to lock all videos, documents, PDF, and other personal files, and then demands $980 to for an alleged KODC ransomware decryption tool.

All data encrypted in such a way is appended with .kodc extension, and no access to it is available. Additionally, the virus also drops a ransom note _readme.txt explaining to users what happened to their data and that they should contact hackers via datarestorehelp@firemail.cc or datahelp.iran.cc. Unfortunately, while recovering data without paying KODC ransomware developers might be possible, the likelihood is relatively low.

Name KODC ransomware
Type File locking virus, crypto-malware
Malware family Djvu/STOP ransomware – one of the most prolific crypto-malware families, as hundreds of versions have been released since its release in December 2017
Distribution Most of the victims infect their computers with this virus when they download pirated applications or use software cracks
Encryption algorithm Ransomware uses a secure RSA encryption algorithm to lock the most popular file types, although system files and executables are skipped in order to ensure that Windows is functional
Extension Each non-system and non-executable file located on the local and networked drives is marked with .kodc extension; for example, a picture.jpg turns into picture.jpg.kodc
Ransom note _readme.txt is dropped into each folder that holds the encrypted files
Contact datarestorehelp@firemail.cc or datahelp.iran.cc
Ransom size Users are asked to pay $490 or $980 worth of Bitcoin for decryption software
Data recovery Recovering data from backups is the only secure way to retrieve it without risks. However, in cases where KODC ransomware failed to contact its C2 server, Emsisoft's decrypter might work; alternatively, Dr.Web's paid decryption service might be used to retrieve at least some types of files. If nothing helps, recovery software can be used, although chances of it being successful are relatively low – check the recovery section below for more information
Malware removal Use reputable anti-malware software to scan your machine in Safe Mode with Networking
System fix If you experience issues after you delete malware, you can apply FortectIntego to fix virus damage and revert Windows to its pre-infection state in order to avoid reinstalling it completely

Djvu ransomware family has been one of the most prevalent crypto-malware for some time now, and security researchers now have a long history with creating tools like STOPDecrypter, as well as other decryptors that previously helped many users to recover their files for free. Nevertheless, because versions of this virus might install additional modules that could steal personal information, it is important to remove KODC virus and all its components promptly.

.KODC files virus is mostly spread with the help of software cracks and pirated software installers. Therefore, most users who visit torrent, warez, and similar sites are at an elevated risk of getting infected. To avoid this, you should stay away from pirated software sites, as they are known to be used as one of the main attack vectors for ransomware, trojans, worms, cryptojackers,[3] and other malware. That said, cybercriminals might be open to new methods, so check out our tips below to ensure your computer's safety in the future.

KODC ransomware virusKODC ransomware is a file locking virus that primary spreads with the help of software cracks

Infection and encryption routine

Once inside the system, KODC ransomware does not immediately encrypt all data, as special preparations need to be made and system modified. As soon as the main executable (can be named as anything, for example, crack.exe, c652.tmp.exe, or update.exe) is launched, it places itself into %Temp%, %AppData% or %LocalAppData% folder.

From there, .KODC virus begins to launch all the necessary files that would enable it to perform file encryption, and also modify Windows system settings, such as changing Windows registry, disabling startup repair, and deleting Shadow Volume Copies.

It is also important to note that the virus also adds a predetermined list of IP addresses into Windows hosts file – this action prevents users from reaching those websites. These are security-focused sites that could help users with .KODC ransomware removal and file recovery process, such as 2-spyware. To fix this, users should delete the hosts file located in the following folder:

  • C:\Windows\System32\drivers\etc\

During the infection process, KODC also attempts to establish a connection with its Command & Control server[4] – a process which, as researchers found out, fails relativity often. If that happens, users have a greater chance of data recovery with the help of Emsisoft's decryption tool; alternatively, if Shadow Volume Copies fail to be deleted, retrieving data becomes a much easier task by using automatic backups.

KODC ransomware decryptorIf KODC ransomware performed the file encryption process using an offline ID, Emsisoft's tool might help to recover them

KODC ransomware uses an asymmetric[5] RSA encryption algorithm to encrypt all data on the machine, as well as all the connected drives. Nevertheless, it skips system, executable, and some other file types in order to ensure that Windows can operate – it is not threat actors' goal to corrupt the computer but rather extort money. During the encryption process, KODC ransomware might show a fake Windows update pop-up window to cause less suspicion and prevent users from shutting down the machine.

_readme.txt file pops up before victims' eyes as soon as the file encryption process is over. As a result, users see their file icons as “blanks,” and each of them has a .kodc extension appended. The note states the following:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-4NWUGZxdHc
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:
datarestorehelp@firemail.cc

Reserve e-mail address to contact us:
datahelp@iran.ir

As stated above, if none of the predetermined ransomware functions fail, paying criminals might be the last hope of retrieving the locked data. However, keep in mind that threat actors cannot be trusted, and might never send you the required software to recover .KODC files.

If you have no data backups, you should copy all the important files that were encrypted before using .KODC remover, as such a process might permanently damage them and turn them into a cluster of unreadable data. In such a case, even the decryption tool from the attackers would not be able to recover your files.

Note that KODC might damage certain system files or registry files in a way that might start making Windows to malfunction. Thus, if you experience system crashes, errors, and other disturbances after the infection, scan your machine with FortectIntego – it can fix virus damage and save you from reinstalling the operating system.

KODC ransomware encrypted filesAs soon as KODC ransomware performs file encryption process, victims are unable to access their data

Software cracks are dangerous – stay away if you want to keep your computer virus-free

The safety record of software cracks and pirated program installers, while highly debatable, still serves as a major security risk. Because cracks are essentially tools that are used to break certain code within an application, they will be considered malicious by most anti-malware applications. In some cases, cracks/keygens/loaders are designed to work as intended but, due to a modified executable file by cybercrooks, a malicious payload might also be installed in the background. Therefore, even if you scan a crack with anti-malware software, there is no way to check whether it is actually malicious or not. As a result, you might inject all sorts of malware into your computer, and you will not even know about it (unless it's ransomware, of course).

Thus, the best solution would be avoiding not only software cracks but also websites that distribute such software, as they are known to have a poor safety record and might have additional infection triggers, such as malicious ads. Here are some basic tips from security advisers:

  • Equip your computer with powerful anti-malware software and keep it updated.
  • Prepare regular backups of your files – use remote cloud-based service or an external device like USB flash.
  • Patch your operating system and all the installed software with the latest security updates.
  • Employ secondary protection measures like a Firewall and ad-block.
  • Make sure you turn off Remote Desktop connections as soon as it is not needed and ensure its protection during the usage (such as not relying on the default TCP/UDP port 3389).
  • Never reuse passwords and make sure you use strong ones for all your accounts; alternatively, use a password manager.
  • Do not allow macros to be run on documents that were clipped to an email from unknown origin; do not click on embedded links.

Backup your encrypted files and only then remove KODC ransomware from your machine

While KODC ransomware removal is imperative to regaining full control of your computer, you should not rush doing some. The first step you should do (unless you are sure that you have all your files on backups), is using an external device to copy all the encrypted files over. As mentioned before, any type of system modifications after the KODC virus infection might result in a permanent corruption of data.

Once that is done, you should then remove KODC ransomware from your machine by scanning it with anti-malware software, such as SpyHunter 5Combo Cleaner, Malwarebytes, or other security tool (note that new variants might require a scan with different anti-malware, as each of them uses different databases which might not recognize a threat immediately after its release). If you are having trouble, you should access Safe Mode with Networking as explained below – malware might tamper with security applications in order to stop victims from terminating it.

Finally, you can then attempt to recover your lost data in one of the ways described below. There are several options available, although there is no guarantee that any of them will work for you.

Offer
do it now!
Download
Fortect Happiness
Guarantee
Download
Intego Happiness
Guarantee
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of KODC virus. Follow these steps

Manual removal using Safe Mode

To remove KODC file virus safely, enter Safe Mode with Networking as explained below:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
    Settings
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
    Reboot
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.
    Startup

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Downloads
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):

    %AppData%
    %LocalAppData%
    %ProgramData%
    %WinDir%

After you are finished, reboot the PC in normal mode.

Remove KODC using System Restore

System Restore might sometimes be useful when trying to eliminate the virus:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of KODC. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that KODC removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove KODC from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by KODC, you can use several methods to restore them:

Make use of Data Recovery Pro

Data Recovery Pro might be successful in recovering some portion of your files if you did not use your computer after the infection that much. In other words, the less you use your PC after the ransomware locked your data, the more chances you have of recovery software being successful.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by KODC ransomware;
  • Restore them.

Windows Previous Versions Feature might be useful

This method might work if you had System Restore prepared before the infection.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might be the best solution

Shadow Volume Copies might not get deleted if you are lucky. In such cases, ShadowExplorer might serve as an excellent tool to retrieve the encrypted files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Try Emsisoft's decryption tool

In case KODC ransomware used an offline ID to lock your files, you should immediately make use of Emsisoft's decrypter – it is highly likely to recover your files in such a case. Additionally, you could also contact Dr.Web – the security firm offers a paid service that could recover some file types (MS Office documents, PDFs, etc.).

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from KODC and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.

 

Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 

 

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions

References