Kraken Cryptor (Removal Instructions) - updated Oct 2018

Kraken Cryptor Removal Guide

What is Kraken Cryptor?

Kraken Cryptor — a dangerous RaaS that has been involved in numerous attacks in October 2018

Kraken Cryptor virusKraken Cryptor - a file-encrypting virus which belongs to the Kraken ransomware family.

Kraken Cryptor is a ransomware virus[1] that first emerged in August 2018. It uses several different encryption algorithms (AES-128/256, Salsa20, RC4, and RSA) to encode data and modifies files in the following way: [chronological_number]-Lock.onion. To retrieve data, victims are prompted to contact cybercriminals via after paying 0.25 BTC. All this information is presented in a ransom note called How to Decrypt files.txt which is sent to victims via the remote server. Initially, Kraken Cryptor virus used spam emails and other typical techniques for distribution. However, in October, researchers discovered that the malwa is relying on Fallout exploit kit. The latest version is Kraken Cryptor 2.0.7 which is using the wallpaper that imitates Cerber and GandCrab.

Name Kraken Cryptor
  • Kraken Cryptor 1.2;
  • Kraken Cryptor 1.3;
  • Kraken Cryptor 1.5;
  • Kraken Cryptor 1.6;
  • Kraken Cryptor 2.0;
  • Kraken Cryptor 2.0.4;
  • Kraken Cryptor 2.0.5;
  • Kraken Cryptor 2.0.7
Appendix .%8 numbers%-Lock.onion; random extension; 5 A-Z 0-9 file extension; .JLQUF
Ransom message How to Decrypt Files.txt; Instructions-{suffix}.txt; # How to Decrypt Files.html; Instructions.txt
Ransom type 0.075BTC; 0.25 BTC, 0.125 BTC
Purpose To encrypt files and demand a ransom in exchange for a decryption tool
Distribution Spreads through spam emails, P2P networks, using Fallout EK, RIG exploit kit
Prevent it Use antivirus protection, do not open suspicious email attachments
Removal process Get rid of the ransomware infection with FortectIntego

Malware Hunter Team noticed that Kraken Cryptor 1.2 authors left an interesting comment in malware's code. It contained the following: “When the researchers' party hard, our parties harder!”. While it seems like hackers have some sense of humor, the Kraken Cryptor virus infection is not a joke for the victims, as encoded files cannot be decrypted.

You can also recognize this virus from other signs such as:

  • Files are encrypted with the .%8 numbers%-Lock.onion extension;
  • A ransom note named How to Decrypt Files.txt has been displayed;
  • Dubious registry entries have been created in the Windows Registry.

Here is how the ransom message begins:



E-Mail :

Alternative :


Hackers use AES-128/256 cipher to encrypt personal files. To decrypt them, victims need to obtain a key which is generated for each person individually; hence cannot be used for different machines. The decryptor is stored on a remote C2 server which is only accessible to Kraken Cryptor 1.2 developers.

Kraken Cryptor ransomwareKraken Cryptor - ransomware which encrypts valuable files and offers a purchasable decryption tool.

However, do not rush to contact the criminals, as these people can not be trusted. If you did not prepare a backup before Kraken Cryptor struck, you could try using another option for file decryption. Look for our offered third-party software which you can find below this article.

Nevertheless, ransomware-type viruses may weaken the computer's security levels and clean the way for other infections. This is one of the main reasons why you need to remove Kraken Cryptor virus from your computer as soon as you spot first symptoms. For that, we suggest using FortectIntego or any other trustworthy anti-malware tool of your liking.

Kraken Cryptor removal should be performed before the file recovery because all the data will be encrypted again. Important: do not connect your external drive to the PC before the virus is eliminated!

Fallout EK is becoming more popular among ransomware distributors

As Kraken Cryptor uses RaaS[2] business model, many different associates take on its distribution. For example, Kraken Cryptor 1.5 was delivered with the help of a fake SuperAntiSpyware executable, implanted directly into the official website of the program.[3]

Now, researchers noticed that Kraken Cryptor virus 1.5, and a bit later – 1.6, has been distributed with the help of the relatively new Fallout exploit kit. Bad actors compromise several websites which then redirect victims to a domain that hosts Fallout exploit kit. It then tries to abuse the VBScript vulnerability to install malware on the susceptible machine.

Kraken Cryptor uses Fallout EKResearchers discovered that Kraken Cryptor 1.5 and 1.6 is being distributed with the help of Fallout EK

Once delivered, Kraken Cryptor 1.6 will encode data using a random file name and arbitrary file extension and also will download SDelete, which replaces all spaces which are empty with zeros, complicating the file recovery procedure.

Fallout EK was first discovered in August 2018 and is gaining more popularity among hackers. Experts are convinced that, after distributing GandCrab v5 and Kraken Cryptor 1.6, the exploit kit will be delivering other malicious payloads in the future.

Known variants of Kraken Cryptor

Kraken Cryptor 1.2

Hackers have been using the AES-128/256 encryption algorithm to lock your data and a ransom note named How to Decrypt Files.txt in which the message about the attack is displayed. However, the only information in the note is contact email and the Bitcoin wallet in which the ransom payment should be transferred. Encrypted files are marked with .%8 numbers%-Lock.onion extension to each file. The ransom amount for this cryptovirus is 0.25 BTC.

Kraken Cryptor 1.3

Like the previous version, this variant uses the same Kraken mutex and the message “When the researchers party hard, our parties harder!.” It came immediately after the discovery of the second version of the ransomware. The payment is reduced to 0.125BTC if compared with other threats. It is believed that this version is distributed using the exploit kits and other vulnerabilities.

Kraken Cryptor 1.5

Kraken Cryptor 1.5 was distributed using the fake SuperAntiSpyware executable which was placed directly on the official website of this program. Released in August of 2018, it landed on the system unnoticeably because the only difference between the malicious file and the safe one was S at the end -SUPERAntiSpywares.exe. Cybercriminals even used the icon of the original file. It also used random file names and extensions. Ransom note for this version called # How to Decrypt Files.html.

Kraken Cryptor 1.6

In October 2018, researchers discovered this version of Kraken Cryptor that uses Fallout exploit kit to spread around. It also encrypts data using the sophisticated method and adds random file extensions and a randomly named ransom note. Also, while distributing this particular version, hackers try to abuse VBScript vulnerability to install the malicious payload.

Kraken Cryptor 2.0

This variant of ransomware virus displays and empty windows containing numerous buttons as Send Payment, Request Free Decryption. When this version of ransomware was discovered analysts stated that it looks as being in development still. When one of those buttons gets pressed, another pop-up window opens which allows users to request free decryption. Hospitals, software development studios encounter this function. Regular people suggested paying $50 in various gift cards. The payment method is rather unusual for crypto-demanding ransomware type virus. Therefore, this ransomware looked like a test version.

Kraken Cryptor 2.0.4

This variant was exposed by MalwareHunterTeam on Twitter on October 19th as the strange version of ransomware which sends statistics to a server using TOR browser (kraken656kn6wyyx[.]onion). The ransomware uses ransom letters for the file extension and contact email that is used for other versions too. There is not much information about the particular version because if affected fewer victims and haven't displayed a proper ransom note for them. Soon after this variant came the other one.

Kraken Cryptor 2.0.5

This version was spotted in late October of 2018. Once the malware infects the system, encrypted data gets .JLQUF or any other appendix consisting of random characters. Also, the virus drops Instructions.txt ransom note containing information about the recent events. The message states about 0.075BTC ransom amount and suggests contacting hackers via email address.

Kraken Cryptor 2.0.6

One of the latest versions of Kraken Cryptor was discovered on the last weekend of October. The virus has already affected more than 200 victims since the 20th of October. BleepingComputer were the first ones who reported about this variant because hackers have been connecting to their site during the encryption process.[4] According to experts nao_sec and Kafeine, malware is distributed using RIG exploit kit. Instead of connecting or redirecting to google, it connects to BleepingComputer and uses URL that belongs to The website allows users to create shorter URLs and track statistics. ( address) This connection allows BleepingComputer to track victims.

Kraken Cryptor 2.0.7

A few days after the first discovery of the previous version, 2.0.7 version was out. It uses wallpaper similar to Cerber or GandCrab and uses random 5 A-Z 0-9 file extension to mark encrypted files. Also, this version adds Instructions-{suffix}.txt ransom note name pattern to the mix. It is distributed as typical ransomware using spam email attachments disguised as financial information documents. The ransom amount for this version at the time of writing was $300. That is equivalent to about 0.054 BTC.

Kraken Cryptor 2.0.7Kraken Cryptor 2.0.7 displays wallpaper similar to other cyber threats.

Prevent ransomware infections by being attentive online

According to IT experts, users infect their computers with ransomware through suspicious email messages. Such spam is dropped straight to a victim's email inbox. The phishing email comes with a suspicious attachment or a cleverly hidden hyperlink. While some emails might look legitimate, do not get tricked by it. Ignore it and never open any attachments or click on links inside.

Additionally, you can get a ransomware infection from peer-to-peer networks[5] and file-sharing sites. These types of websites lack protection and are more likely to be hacked by criminals who can inject their malicious code using JavaScript or other methods. Do not forget that anti-virus software is one of the most important security measures and should not be neglected.

As mentioned above, the virus also started using Fallout EK, that abuses CVE-2018-8174 VBScript vulnerability, so patching all your software is mandatory in order to avoid malware attacks.

Make sure you get rid of Kraken Cryptor and all virus-related components

Even though manual elimination is not quite possible for this case, you can perform the Kraken Cryptor removal by downloading and installing a professional anti-malware tool. We suggest using FortectIntego, SpyHunter 5Combo Cleaner, or Malwarebytes. Choose the program that suits you the most.

You need to remove Kraken Cryptor virus and get rid of all components that were injected while the malware was active. After you perform the automatic elimination, you can attempt to get your files back either via the backup or by using third-party software. experts[6] recommend taking some precautionary measures for the future. Most importantly, you need to take care of valuable documents. It is advisable to store them on an external device such as a USB flash drive or iCloud.

do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Kraken Cryptor. Follow these steps

Manual removal using Safe Mode

Reboot your computer to Safe Mode with Networking to disable the virus:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Kraken Cryptor using System Restore

Follow these instructions to activate the System Restore feature:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Kraken Cryptor. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with FortectIntego and make sure that Kraken Cryptor removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Kraken Cryptor from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If you were thinking how to get various encrypted documents back, we have provided some solutions for you. You will see some methods below, that, if performed as required, might be helpful for data recovery.

If your files are encrypted by Kraken Cryptor, you can use several methods to restore them:

Use Data Recovery Pro to recover various corrupted data:

If your files were encrypted with a certain appendix that was added by the ransomware-type virus, this method might help you get important files back.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kraken Cryptor ransomware;
  • Restore them.

Try Windows Previous Versions feature if wanted to restore some documents:

Take notice that this method might be helpful only if you have taken some precautionary measure before the cyber attack managed to infect your computer system. You should have activated the System Restore feature before the ransomware infection spread, otherwise, this method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer and recover lost data:

This method might help you to get valuable files back if the ransomware infection did not destroy Shadow Volume Copies of affected documents.

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The official Kraken Cryptor decryptor has not currently been discovered.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kraken Cryptor and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Julie Splinters
Julie Splinters - Anti-malware specialist

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions