Severity scale:  
  (98/100)

Kraken Cryptor. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware

Kraken Cryptor — a dangerous RaaS that has been involved in numerous attacks in October 2018

Kraken Cryptor virus
Kraken Cryptor - a file-encrypting virus which belongs to the Kraken ransomware family.

Kraken Cryptor is a ransomware virus[1] that first emerged in August 2018. It uses several different encryption algorithms (AES-128/256, Salsa20, RC4, and RSA) to encode data and modifies files in the following way: [chronological_number]-Lock.onion. To retrieve data, victims are prompted to contact cybercriminals via onionhelp@memeware.net after paying 0.25 BTC. All this information is presented in a ransom note called How to Decrypt files.txt which is sent to victims via the remote server. Initially, Kraken Cryptor virus used spam emails and other typical techniques for distribution. However, in October, researchers discovered that the malwa is relying on Fallout exploit kit. The latest version is Kraken Cryptor 2.0.7 which is using the wallpaper that imitates Cerber and GandCrab.

Name Kraken Cryptor
 versions
  • Kraken Cryptor 1.2;
  • Kraken Cryptor 1.3;
  • Kraken Cryptor 1.5;
  • Kraken Cryptor 1.6;
  • Kraken Cryptor 2.0;
  • Kraken Cryptor 2.0.4;
  • Kraken Cryptor 2.0.5;
  • Kraken Cryptor 2.0.7
Appendix .%8 numbers%-Lock.onion; random extension; 5 A-Z 0-9 file extension; .JLQUF
Ransom message How to Decrypt Files.txt; Instructions-{suffix}.txt;  # How to Decrypt Files.html; Instructions.txt
Ransom type 0.075BTC; 0.25 BTC, 0.125 BTC
Purpose To encrypt files and demand a ransom in exchange for a decryption tool
Distribution Spreads through spam emails, P2P networks, using Fallout EK, RIG exploit kit
Prevent it Use antivirus protection, do not open suspicious email attachments
Removal process Get rid of the ransomware infection with Reimage

Malware Hunter Team noticed that Kraken Cryptor 1.2 authors left an interesting comment in malware's code. It contained the following: “When the researchers' party hard, our parties harder!”. While it seems like hackers have some sense of humor, the Kraken Cryptor virus infection is not a joke for the victims, as encoded files cannot be decrypted.

You can also recognize this virus from other signs such as:

  • Files are encrypted with the .%8 numbers%-Lock.onion extension;
  • A ransom note named How to Decrypt Files.txt has been displayed;
  • Dubious registry entries have been created in the Windows Registry.

Here is how the ransom message begins:

– ALL YOUR FILES HAS BEEN ENCRYPTED BY “KRAKEN CRYPTOR”!

– READ THIS GUIDE BELOW TO RECOVERY YOUR FILES!

E-Mail        : onionhelp@memeware.net

Alternative : BM-2cWdhn4f5UyMvruDBGs5bK77NsCFALMJkR@bitmessage.ch

<…>

Hackers use AES-128/256 cipher to encrypt personal files. To decrypt them, victims need to obtain a key which is generated for each person individually; hence cannot be used for different machines. The decryptor is stored on a remote C2 server which is only accessible to Kraken Cryptor 1.2 developers.

However, do not rush to contact the criminals, as these people can not be trusted. If you did not prepare a backup before Kraken Cryptor struck, you could try using another option for file decryption. Look for our offered third-party software which you can find below this article.

Nevertheless, ransomware-type viruses may weaken the computer's security levels and clean the way for other infections. This is one of the main reasons why you need to remove Kraken Cryptor virus from your computer as soon as you spot first symptoms. For that, we suggest using Reimage or any other trustworthy anti-malware tool of your liking.

Kraken Cryptor removal should be performed before the file recovery because all the data will be encrypted again. Important: do not connect your external drive to the PC before the virus is eliminated!

Fallout EK is becoming more popular among ransomware distributors

As Kraken Cryptor uses RaaS[2] business model, many different associates take on its distribution. For example, Kraken Cryptor 1.5 was delivered with the help of a fake SuperAntiSpyware executable, implanted directly into the official website of the program.[3]

Now, researchers noticed that Kraken Cryptor virus 1.5, and a bit later – 1.6, has been distributed with the help of the relatively new Fallout exploit kit. Bad actors compromise several websites which then redirect victims to a domain that hosts Fallout exploit kit. It then tries to abuse the VBScript vulnerability to install malware on the susceptible machine.

Kraken Cryptor uses Fallout EK
Researchers discovered that Kraken Cryptor 1.5 and 1.6 is being distributed with the help of Fallout EK

Once delivered, Kraken Cryptor 1.6 will encode data using a random file name and arbitrary file extension and also will download SDelete, which replaces all spaces which are empty with zeros, complicating the file recovery procedure.

Fallout EK was first discovered in August 2018 and is gaining more popularity among hackers. Experts are convinced that, after distributing GandCrab v5 and Kraken Cryptor 1.6, the exploit kit will be delivering other malicious payloads in the future.

Known variants of Kraken Cryptor 

Kraken Cryptor 1.2 

Hackers have been using the AES-128/256 encryption algorithm to lock your data and a ransom note named How to Decrypt Files.txt in which the message about the attack is displayed. However, the only information in the note is onionhelp@memeware.net contact email and the Bitcoin wallet in which the ransom payment should be transferredEncrypted files are marked with .%8 numbers%-Lock.onion extension to each file. The ransom amount for this cryptovirus is 0.25 BTC.

Kraken Cryptor 1.3 

Like the previous version, this variant uses the same Kraken mutex and the message “When the researchers party hard, our parties harder!.” It came immediately after the discovery of the second version of the ransomware. The payment is reduced to 0.125BTC if compared with other threats. It is believed that this version is distributed using the exploit kits and other vulnerabilities.

Kraken Cryptor 1.5

Kraken Cryptor 1.5 was distributed using the fake SuperAntiSpyware executable which was placed directly on the official website of this program. Released in August of 2018, it landed on the system unnoticeably because the only difference between the malicious file and the safe one was S at the end -SUPERAntiSpywares.exe. Cybercriminals even used the icon of the original file. It also used random file names and extensions. Ransom note for this version called # How to Decrypt Files.html. 

Kraken Cryptor 1.6

In October 2018, researchers discovered this version of Kraken Cryptor that uses Fallout exploit kit to spread around. It also encrypts data using the sophisticated method and adds random file extensions and a randomly named ransom note. Also, while distributing this particular version, hackers try to abuse VBScript vulnerability to install the malicious payload.

Kraken Cryptor 2.0

This variant of ransomware virus displays and empty windows containing numerous buttons as Send Payment, Request Free Decryption. When this version of ransomware was discovered analysts stated that it looks as being in development still. When one of those buttons gets pressed, another pop-up window opens which allows users to request free decryption. Hospitals, software development studios encounter this function. Regular people suggested paying $50 in various gift cards. The payment method is rather unusual for crypto-demanding ransomware type virus. Therefore, this ransomware looked like a test version. 

Kraken Cryptor 2.0.4

This variant was exposed by MalwareHunterTeam on Twitter on October 19th as the strange version of ransomware which sends statistics to a server using TOR browser (kraken656kn6wyyx[.]onion). The ransomware uses ransom letters for the file extension and nikolatesla@cock.li contact email that is used for other versions too. There is not much information about the particular version because if affected fewer victims and haven't displayed a proper ransom note for them. Soon after this variant came the other one.

Kraken Cryptor 2.0.5

This version was spotted in late October of 2018. Once the malware infects the system, encrypted data gets .JLQUF or any other appendix consisting of random characters. Also, the virus drops Instructions.txt ransom note containing information about the recent events. The message states about 0.075BTC ransom amount and suggests contacting hackers via nikolatesla@cock.li email address. 

Kraken Cryptor 2.0.6

One of the latest versions of Kraken Cryptor was discovered on the last weekend of October. The virus has already affected more than 200 victims since the 20th of October. BleepingComputer were the first ones who reported about this variant because hackers have been connecting to their site during the encryption process.[4] According to experts nao_sec and Kafeine, malware is distributed using RIG exploit kit. Instead of connecting or redirecting to google, it connects to BleepingComputer and uses URL that belongs to IPlogger.com. The website allows users to create shorter URLs and track statistics. (https://2no.co/2SVJa5 address) This connection allows BleepingComputer to track victims. 

Kraken Cryptor 2.0.7

A few days after the first discovery of the previous version, 2.0.7 version was out. It uses wallpaper similar to Cerber or GandCrab and uses random 5 A-Z 0-9 file extension to mark encrypted files. Also, this version adds Instructions-{suffix}.txt ransom note name pattern to the mix. It is distributed as typical ransomware using spam email attachments disguised as financial information documents. The ransom amount for this version at the time of writing was $300. That is equivalent to about 0.054 BTC.

Kraken Cryptor 2.0.7
Kraken Cryptor 2.0.7 displays wallpaper similar to other cyber threats.

Prevent ransomware infections by being attentive online

According to IT experts, users infect their computers with ransomware through suspicious email messages. Such spam is dropped straight to a victim's email inbox. The phishing email comes with a suspicious attachment or a cleverly hidden hyperlink. While some emails might look legitimate, do not get tricked by it. Ignore it and never open any attachments or click on links inside.

Additionally, you can get a ransomware infection from peer-to-peer networks[5] and file-sharing sites. These types of websites lack protection and are more likely to be hacked by criminals who can inject their malicious code using JavaScript or other methods. Do not forget that anti-virus software is one of the most important security measures and should not be neglected.

As mentioned above, the virus also started using Fallout EK, that abuses CVE-2018-8174 VBScript vulnerability, so patching all your software is mandatory in order to avoid malware attacks.

Make sure you get rid of Kraken Cryptor and all virus-related components

Even though manual elimination is not quite possible for this case, you can perform the Kraken Cryptor removal by downloading and installing a professional anti-malware tool. We suggest using Reimage, Malwarebytes MalwarebytesCombo Cleaner, or Plumbytes Anti-MalwareMalwarebytes Malwarebytes. Choose the program that suits you the most.

You need to remove Kraken Cryptor virus and get rid of all components that were injected while the malware was active. After you perform the automatic elimination, you can attempt to get your files back either via the backup or by using third-party software.

LesVirus.fr experts[6] recommend taking some precautionary measures for the future. Most importantly, you need to take care of valuable documents. It is advisable to store them on an external device such as a USB flash drive or iCloud.

Offer
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to remove virus damage. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Malwarebytes.
Alternative Software
Different security software includes different virus database. If you didn’t succeed in finding malware with Reimage, try running alternative scan with Combo Cleaner.

To remove Kraken Cryptor, follow these steps:

Remove Kraken Cryptor using Safe Mode with Networking

Reboot your computer to Safe Mode with Networking to disable the virus:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove Kraken Cryptor

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Kraken Cryptor removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove Kraken Cryptor using System Restore

Follow these instructions to activate the System Restore feature:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Kraken Cryptor. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Kraken Cryptor removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Kraken Cryptor from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If you were thinking how to get various encrypted documents back, we have provided some solutions for you. You will see some methods below, that, if performed as required, might be helpful for data recovery.

If your files are encrypted by Kraken Cryptor, you can use several methods to restore them:

Use Data Recovery Pro to recover various corrupted data:

If your files were encrypted with a certain appendix that was added by the ransomware-type virus, this method might help you get important files back.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kraken Cryptor ransomware;
  • Restore them.

Try Windows Previous Versions feature if wanted to restore some documents:

Take notice that this method might be helpful only if you have taken some precautionary measure before the cyber attack managed to infect your computer system. You should have activated the System Restore feature before the ransomware infection spread, otherwise, this method will not work.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Use Shadow Explorer and recover lost data:

This method might help you to get valuable files back if the ransomware infection did not destroy Shadow Volume Copies of affected documents.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

The official Kraken Cryptor decryptor has not currently been discovered.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Kraken Cryptor and other ransomwares, use a reputable anti-spyware, such as Reimage, Malwarebytes MalwarebytesCombo Cleaner or Plumbytes Anti-MalwareMalwarebytes Malwarebytes

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Julie Splinters
About the company Esolutions

References