KRIPTOVOR virus (Removal Guide) - Jun 2018 update
KRIPTOVOR virus Removal Guide
What is KRIPTOVOR virus?
KRIPTOVOR is ransomware that threatens computer users since 2014
KRIPTOVOR is a file-encrypting virus that uses AES cryptography to make files unusable on the affected machine. Originally, it adds .Just file extension to the data, but other versions of the virus append .neitrino and .excuses suffixes. The malware was first detected in 2014, though it is still active in 2018.
| Summary of the cyber threat | |
|---|---|
| Name | KRIPTOVOR |
| Type | Ransomware |
| Danger level | High. Makes system changes, encrypts files, tries to steal credentials |
| Release date | 2014 |
| Versions | Neitrino, Excuses |
| Affected region | Russia |
| Targeted OS | Windows |
| Cryptography | LockBox 3, AES |
| File extensions | .Just, .neitrino, .NEITRINO, .excuses |
| Contact email addresses | kirova.l@mutualizm.ru abramova@sabona.ru kirova.ls@orangedv.tmweb.ru kirova-l@wibor5.ru l_abramova@wibor5.ru abramova.l@wibor5.ru y.volkova@i-jazz.ru l_abramova@festivalps.ru payment.cashery@gmail.com neitrino@protonmail.com mr.anders@protonmail.com excuses@protonmail.com |
| Associated files | AdobeSystems.exe, AdobeUpdate.exe, svchost.bat |
| Decryption | Impossible without backups |
| To uninstall KRIPTOVOR, install FortectIntego and run a full system scan | |
KRIPTOVOR virus mainly targets Russian[1] companies and spreads via emails.[2] The majority of malicious letters have a subject line “Резюме на вакантную должность” (“Resume for the vacant post”). In the body criminals tell to double-click the attached file in order to open a resume in Adobe Reader:
Дважды кликните, чтобы открыть резюме в Adobe Reader
However, the attachment is a corrupted file that includes malicious content instead of person's resume. Once opened, malware downloads password-protected RAR file which includes AdobeSystems.exe. This file is the executable of the KRIPTOVOR.
On the affected machine, KRIPTOVOR ransomware does not act like typical ransomware. It encrypts files using LockBox 3 which uses AES cryptography. Additionally, it scans for login and password information that might be saved on the targeted data. Thus, the virus also aims to extract potentially useful information too.
When all files are locked, KRIPTOVOR also delivers a ransom note in the Russian language. The information about the attack and data recovery possibilities are included in the MESSAGE.txt file. The translation of the threatening message provided below:
The cost of the decryptor can be obtained by writing an email to: payment.cashery@gmail.com
In the subject line please include your ID:[redacted]
Please do not try to decrypt the files using third-party tools.
You can completely corrupt them, and even the original decryptor will not help.
Requests will be accepted until [Date]
After [Date] requests will be ignored.
Emails are handled automatically by the system.
There may be a delay in responses
According to the research, cyber criminals use different email addresses to communicate with victims. Currently known addresses:
- kirova.l@mutualizm.ru
- abramova@sabona.ru
- kirova.ls@orangedv.tmweb.ru
- kirova-l@wibor5.ru
- l_abramova@wibor5.ru
- abramova.l@wibor5.ru
- y.volkova@i-jazz.ru
- l_abramova@festivalps.ru
Criminals ask to contact them the same day as the infection occurred. However, security specialists do not recommend doing that because it may lead to money loss. Authors of ransomware usually demand to pay the ransom in cryptocurrency, but they may never give working decryption key.[3] For this reason, we recommend proceeding with KRIPTOVOR removal.
As you already know, the virus might try to extract personal data, so it’s better to terminate it as soon as possible. In order to remove KRIPTOVOR correctly and avoid possible damage to the system, you need to employ FortectIntego or another anti-malware tools. If you have difficulties with elimination, follow the guide below. 
Versions of KRIPTOVOR
Neitrino ransomware virus. The virus was first detected in autumn 2015 spreading in Russia via malicious spam emails that include obfuscated PDF file. It uses AES[4] cryptography appends either .neitrino or .NEITRINO file extension. Then it downloads a ransom note in MESSAGE.txt in each folder that contains locked files.
On the affected machine, malware is executed from AdobeUpdate.exe and svchost.bat files which are dropped on a system when a user opens a malicious email attachment. The purpose of the virus is to make people pay 5,000 rubles or more for file recovery.
According to the ransom note, victims have to send an email to neitrino@protonmail.com or mr.anders@protonmail.com address in order to get further recovery instructions. Though, it is not recommended process. It’s better to remove KRIPTOVOR Neitrino virus and try recovering files from backups or using third-party tools.
Excuses ransomware virus. In 2018, a new variant of KRIPTOVOR has been spotted spreading and targeting Russian users again. This version uses filemarker 0x20000000 and appends .excuses file extension to the targeted files.
Authors of ransomware ask to contact them via excuses@protonmail.com and send their unique victim’s ID number if they want to get back access to the files. Such information is provided in the Russian language. However, apart from changed contact email address, the text of the ransom note did not change:
Приобрести декриптор можно до [Date]
Запросить стоимость: excuses@protonmail.comВ ТЕМЕ письма укажите ваш ID: [redacted]
Письма без указания ID игнорируются.Убедительная просьба не пытаться расшифровать файлы сторонними инструментами.
Вы можете их окончательно испортить и даже оригинальный декриптор не поможет.Заявки обрабатываются автоматической системой.
We want to remind that it’s not a good idea to trust cyber criminals. They will demand to pay the ransom and might disappear as soon as you send a couple of hundred of dollars. Hence, focus on KRIPTOVOR removal and try alternative ways to recover your files.
Obfuscated email attachments might include ransomware payload
The main way how ransomware viruses spread is malicious spam email attachments.[5] Though, not all dangerous emails end up in the spam folders. Crooks might use advanced techniques and make sure that their letter appears in the main emails box. However, they might be identified by these signs:
- weird or mismatching email address;
- lack of credentials;
- empty body;
- urge to open the attachment;
- grammar and spelling mistakes.
If the letter does not seem to be sent for you or you did not expect to receive it, stay away from the attachment. Also, you can check it with online file scanners before opening it.
Removal of the KRIPTOVOR ransomware virus
The only correct way to remove KRIPTOVOR from Windows PC is to employ professional software. Tools like FortectIntego or Malwarebytes can quickly detect malicious components and eliminate them from the device. However, if you have some difficulties, you should reboot the device to Safe Mode with Networking as explained below.
After KRIPTOVOR removal, you can plug in the external hard drive with backups or try our suggested third-party tools. You can find them listed below. However, we want to stress out that the official decryptor is not released yet. So, chances to full recovery are low if you do not have backups.
Getting rid of KRIPTOVOR virus. Follow these steps
Manual removal using Safe Mode
If ransomware blocks installatio of the security program or prevents from system scan, follow these steps:
Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
Downloads
Recycle Bin
Temporary files - Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
%AppData%
%LocalAppData%
%ProgramData%
%WinDir%
After you are finished, reboot the PC in normal mode.
Remove KRIPTOVOR using System Restore
System Restore method might also help to get rid of the virus with security programs:
-
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
-
Select Command Prompt from the list
Windows 10 / Windows 8- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
-
Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
-
Step 2: Restore your system files and settings
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
-
Now type rstrui.exe and press Enter again..
-
When a new window shows up, click Next and select your restore point that is prior the infiltration of KRIPTOVOR. After doing that, click Next.
-
Now click Yes to start system restore.
-
Once the Command Prompt window shows up, enter cd restore and click Enter.
Bonus: Recover your data
Guide which is presented above is supposed to help you remove KRIPTOVOR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.If your files are encrypted by KRIPTOVOR, you can use several methods to restore them:
Data Recovery Pro – alternative way to recover files
Data Recovery Pro is not an official decryptor for KRIPTOVOR ransomware. However, it might be helpful. The program is designed to restore accidentally deleted or corrupted files.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by KRIPTOVOR ransomware;
- Restore them.
Try Windows Previous Versions feature for the most imporant files
If System Restore was enabled before ransomware attack, you can travel back in computer's time and copy individual files by following these steps:
- Find an encrypted file you need to restore and right-click on it;
- Select “Properties” and go to “Previous versions” tab;
- Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.
Take advatage of ShadowExplorer
If ransomware failed to delete Shadow Volume Copies of the targeted files, follow these steps and use this recovery software:
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
KRIPTOVOR decryptor is not available yet
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from KRIPTOVOR and other ransomwares, use a reputable anti-spyware, such as FortectIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting ransomware
Protect your privacy – employ a VPN
There are several ways how to make your online time more private – you can access an incognito tab. However, there is no secret that even in this mode, you are tracked for advertising purposes. There is a way to add an extra layer of protection and create a completely anonymous web browsing practice with the help of Private Internet Access VPN. This software reroutes traffic through different servers, thus leaving your IP address and geolocation in disguise. Besides, it is based on a strict no-log policy, meaning that no data will be recorded, leaked, and available for both first and third parties. The combination of a secure web browser and Private Internet Access VPN will let you browse the Internet without a feeling of being spied or targeted by criminals.
No backups? No problem. Use a data recovery tool
If you wonder how data loss can occur, you should not look any further for answers – human errors, malware attacks, hardware failures, power cuts, natural disasters, or even simple negligence. In some cases, lost files are extremely important, and many straight out panic when such an unfortunate course of events happen. Due to this, you should always ensure that you prepare proper data backups on a regular basis.
If you were caught by surprise and did not have any backups to restore your files from, not everything is lost. Data Recovery Pro is one of the leading file recovery solutions you can find on the market – it is likely to restore even lost emails or data located on an external device.
If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.
- ^ Bedynet. Bedynet. Russian cyber security news.
- ^ Maria Korolov. 93% of phishing emails are now ransomware. CSO. Security news, features and analysis.
- ^ Ryan Whitwam. Hospital pays ransomware, but doesn’t get files decrypted. ExtremeTech. News and analysis of emerging science and technology trends.
- ^ Advanced Encryption Standard. Wikipedia. The free encyclopedia.
- ^ Emma Bordessa. Phishing emails and malicious attachments responsible for 34% of cyber attacks. IT Governance. IT governance, risk management and compliance solutions.