Kook ransomware (Virus Removal Guide) - Aug 2020 update

Kook virus Removal Guide

What is Kook ransomware?

Kook ransomware is a malicious program designed to lock your files and keep them hostage until a ransom is paid

Kook ransomwareKook ransomware - the cryptovirus that marks encrypted files using .kook appendix and asks for money.

Kook ransomware – a version of the notorious cryptovirus that is known as Djvu. Since this is one of many versions in the prominent malware family, there are many features and functions that haven't changed much for the past year. Since August 2019, cybercrooks changed the encryption algorithm from AES to RSA, which made established decryption tools obsolete. This particular version of ransomware is appending files with .kook extension, so it can be distinguished from other variants, which also use the same ransom note – the text file named _readme.txt.

Unfortunately, the Kook ransomware virus is no different from other variants that came out in 2020, so there is little to no possibility to get your files recovered when the encryption algorithm is used to change the original code. The ransom note states about payment options and encourages people to contact criminals via helpmanager@mail.ch and restoremanager@airmail.cc emails. However, when you try to get more information about the payment, you may get tricked instead, and the sum of $490 or $980 might be lost forever.

In some cases, there is a tool that helps – Emsisoft Djvu decrypter. There is an issue of online vs offline IDs, so only some of the encoded files get decrypted this way. You can check your encrypted files with this tool and see if you deal with the older or newer variant of the STOP/Djvu virus. This fact determines the offline and online ID issue. You might have the option to decrypt files marked by .kook ransomware. However, the best option is to remove the threat completely and recover from your separate data backups.

Name Kook virus
Type Ransomware[1]
Family STOP virus/ Djvu ransomware
File extension .kook – the file appendix that comes after a filetype extension and indicates encrypted files
Distribution The threat uses methods involving malicious files. The virus can be spread via email attachments with malicious macros or from torrent platforms, pirating sites when malicious scripts get injected on software package files
Amount demanded from victims $980 or $490, when the discount is offered
Ransom note _readme.txt – a file that contains a direct message from criminals
Contact emails helpmanager@mail.ch and restoremanager@airmail.cc
Elimination To properly remove Kook ransomware from the system, you need a trustworthy anti-malware tool that
Repair The system gets affected while alterations in system functions get made. Make sure to repair them or at least find affected parts with FortectIntego

Kook ransomware can trigger changes in the system, so your device is not working as it supposed to. In most cases, cryptovirus affect data recovery options, file restoring features, security software, and other programs that could help with virus removal or file restoring functionalities.

Since the threat focuses on keeping malicious activities and files on the system, Kook ransomware triggers these changes immediately after the encryption. The behavior of the stealthy threat is not easily noticed because these changes happen in the background.

The victim of the .Kook files virus can notice the infection when files get marked using the .kook extension, and the ransom note is delivered on the screen, placed on the desktop, in other folders. The message in _readme.txt states:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

This message should be ignored because there is no need to contact the criminals behind the Kook ransomware. Those people are not concerned about victims' files. The only purpose of this file virus is to get cryptocurrency from people directly by scaring them. Victims cannot know what to do when this text is displayed, and all the files get locked, so there are the ones who decide to pay. Unfortunately, it is not recommended by experts.[2]

Kook ransomware virusKook ransomware - the threat that locks files with the purpose of making profit in cryptocurrency. Kook ransomware displays only a part of the malicious activities on the screen, so many changes can happen in the background. This is why you need to react as soon as possible. Also, when the time that ransomware creators give ends your files may get damaged even further, so removing the virus as soon as you can, may save your data.

Make sure to remove Kook ransomware properly from the system before you attempt any file restoring methods. Especially, when you rely on data backups from external devices that need to be plugged into the computer. You may lose all your data when the secondary encryption is launched.

Kook files virus is equipped with multiple features

The primary goal of ransomware, such as the Kook file virus, is to access your device, scan for susceptible files, lock them, and then demand ransom for their redemption. However, Djvu variants are a bit more sophisticated than that, as malicious actors seek to gain maximum benefits from each of the infections.

If you had no backups, Kook file recovery might not be possible – this fact is devastating by itself. However, it is important to note that malware also equipped with additional modules that could cause even more damage than permanent data loss. Here are a few examples and reasons why you should hurry to remove Kook ransomware from your system:

  • Djvu ransomware variants are known to modify Windows “hosts” file in order to prevent victims from seeking help on security-focused websites, including 2-spyware.com. As a result, you might not be able to access these sites when seeking help. To revert this process, you should visit the following location and delete the “hosts” file:


  • If you keep Kook ransomware running in the background, it might begin stealing information via your web browser. As a result, your banking details, various account information and other data can be stolen and sold for profits on the dark web;
    This malware family is known to be collaborating with other strains, and people infected with Djvu were also found banking Trojan AZORult on their systems. In other words, it is possible that malicious actors might install other malware on your machine.

The different ways for Kook file recovery

Since Kook ransomware is the variant from a known virus family, it is known that previously developers used offline IDs, and the method allowed many victims to get their files back. Unfortunately, the technique is no longer used by these 2020 variants. Each victim gets a unique ID that is needed for the decryption process. It means that decryption tool development is even harder.

Even though the decryption is not possible, there are some options for the file recovery. Some variants that use offline IDs still can be decrypted, some types of data[3] also have solutions. Nevertheless, to get back to the system that works properly, you need a thorough system cleaning and Kook ransomware removal process that can eliminate the virus. For that purpose, you need anti-malware or security tools.

As for the data that is affected by .Kook file-encrypting virus, you need to rely on trustworthy data recovery options. A few listed below the guide. You can try to restore files from the cloud database or archive stored on the external device. Remember to repair system files also, so the machine can run as it supposed to. You can rely on FortectIntego for this purpose since the program can show affected files and corrupted functions for you.

Kook files virusKook - ransom-demanding virus that makes various claims about paying and offers discount.

Removing Kook virus cannot unlock your files

Your files will remain locked and encrypted even when you remove the virus using security tools or renewing the operating system entirely. Kook ransomware virus can alter various system settings, folders, and functions of the computer to remain persistent. The reversed encryption process is the best option, but there is no such decryption tool that could work at the moment.

You need to remove the Kook virus from the system, stop it from running, so it can no longer encrypt your files and then clear all the traces. This is how you completely terminate the threat. If you risk replacing encrypted files with safe copies while the virus is active, you can permanently lose files and money if you decide to pay up. Do not consider these options at all.

You need to pay attention to avoid the difficult Kook ransomware virus removal

As we mentioned Kook ransomware virus is distributed using various malicious files included on email attachments or packages with licensed software, game cheats, cracked program versions. These files get installed automatically and trigger the payload drop of the ransomware.

Kook virus removal gets affected by the processes and files planted in the background. Some security functions can get disabled, so you have fewer options for the elimination. However, tools like SpyHunter 5Combo Cleaner or Malwarebytes are the best ones for such instances.

Unfortunately, these anti-malware or security tools cannot recover files encrypted by the virus or help to repair or remove Kook ransomware damage. You need a proper system application or a PC repair tool that can check and fix the damage on the system. Try FortectIntego for the virus damage repair. Then fully restore your device and all the affected files yourself.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Kook virus. Follow these steps

Manual removal using Safe Mode

Rebooting the machine in Safe Mode with Networking can help with the Kook ransomware removal

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Kook using System Restore

System Restore is the feature that can be used as a virus removal method because it recovers the machine in a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Kook. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Kook removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Kook from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Kook, you can use several methods to restore them:

Data Recovery Pro is the feature that restored affected files

You can try to recover files encrypted by Kook ransomware with Data Recovery Pro

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kook ransomware;
  • Restore them.

Windows Previous Versions feature is helpful with files encrypted by Kook ransomware

If you used System Restore before, you can try Windows Previous Versions for data recovery

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer – a method for file restoring after Kook ransomware attack

This method works when Shadow Volume Copies are left untouched

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Kook ransomware decryption options

You can try the Djvu decryption tool for some of the versions of Kook ransomware virus

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kook and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions