Severity scale:  

Remove KRIPTOVOR virus (Removal Guide) - Jun 2018 update

removal by Lucia Danes - - | Type: Ransomware

KRIPTOVOR is ransomware that threatens computer users since 2014

KRIPTOVOR ransomware

KRIPTOVOR is a file-encrypting virus that uses AES cryptography to make files unusable on the affected machine. Originally, it adds .Just file extension to the data, but other versions of the virus append .neitrino and .excuses suffixes. The malware was first detected in 2014, though it is still active in 2018.

Summary of the cyber threat
 Type Ransomware
Danger level High. Makes system changes, encrypts files, tries to steal credentials
Release date 2014
Versions Neitrino, Excuses
Affected region Russia
Targeted OS Windows
Cryptography LockBox 3, AES
File extensions .Just, .neitrino, .NEITRINO, .excuses
Contact email addresses
Associated files AdobeSystems.exe, AdobeUpdate.exe, svchost.bat
Decryption Impossible without backups
To uninstall KRIPTOVOR, install Reimage Reimage Cleaner Intego and run a full system scan

KRIPTOVOR virus mainly targets Russian[1] companies and spreads via emails.[2] The majority of malicious letters have a subject line “Резюме на вакантную должность” (“Resume for the vacant post”). In the body criminals tell to double-click the attached file in order to open a resume in Adobe Reader:

Дважды кликните, чтобы открыть резюме в Adobe Reader

KRIPTOVOR spam emailKRIPTOVOR spreads via malicious spam emails that include fake resume.

However, the attachment is a corrupted file that includes malicious content instead of person's resume. Once opened, malware downloads password-protected RAR file which includes AdobeSystems.exe. This file is the executable of the KRIPTOVOR.

KRIPTOVOR ransomware virusKRIPTOVOR ransomawre virus is executed when a victim opens obfuscated resume in the PDF file.

On the affected machine, KRIPTOVOR ransomware does not act like typical ransomware. It encrypts files using LockBox 3 which uses AES cryptography. Additionally, it scans for login and password information that might be saved on the targeted data. Thus, the virus also aims to extract potentially useful information too.

When all files are locked, KRIPTOVOR also delivers a ransom note in the Russian language. The information about the attack and data recovery possibilities are included in the MESSAGE.txt file. The translation of the threatening message provided below:

The cost of the decryptor can be obtained by writing an email to:
In the subject line please include your ID:[redacted]
Please do not try to decrypt the files using third-party tools.
You can completely corrupt them, and even the original decryptor will not help.
Requests will be accepted until [Date]
After [Date] requests will be ignored.
Emails are handled automatically by the system.
There may be a delay in responses

According to the research, cyber criminals use different email addresses to communicate with victims. Currently known addresses:


KRIPTOVOR ransom noteAuthors of KRIPTOVOR provides a contact email address for victims who are interested in data recovery.

Criminals ask to contact them the same day as the infection occurred. However, security specialists do not recommend doing that because it may lead to money loss. Authors of ransomware usually demand to pay the ransom in cryptocurrency, but they may never give working decryption key.[3] For this reason, we recommend proceeding with KRIPTOVOR removal.

As you already know, the virus might try to extract personal data, so it’s better to terminate it as soon as possible. In order to remove KRIPTOVOR correctly and avoid possible damage to the system, you need to employ Reimage Reimage Cleaner Intego or another anti-malware tools. If you have difficulties with elimination, follow the guide below.  KRIPTOVOR virusKRIPTOVOR is a malicious program that is designed to encrypt files and demand to pay the ransom in order to for the decryption tool.

Versions of KRIPTOVOR

Neitrino ransomware virus. The virus was first detected in autumn 2015 spreading in Russia via malicious spam emails that include obfuscated PDF file. It uses AES[4] cryptography appends either .neitrino or .NEITRINO file extension. Then it downloads a ransom note in MESSAGE.txt in each folder that contains locked files.

On the affected machine, malware is executed from AdobeUpdate.exe and svchost.bat files which are dropped on a system when a user opens a malicious email attachment. The purpose of the virus is to make people pay 5,000 rubles or more for file recovery.

KRIPTOVOR Neitrino virusNeitrino virus is a version of KRIPTOVOR ransomware that acts very similar to the original version.

According to the ransom note, victims have to send an email to or address in order to get further recovery instructions. Though, it is not recommended process. It’s better to remove KRIPTOVOR Neitrino virus and try recovering files from backups or using third-party tools.

Excuses ransomware virus. In 2018, a new variant of KRIPTOVOR has been spotted spreading and targeting Russian users again. This version uses filemarker 0x20000000 and appends .excuses file extension to the targeted files.

Authors of ransomware ask to contact them via and send their unique victim’s ID number if they want to get back access to the files. Such information is provided in the Russian language. However, apart from changed contact email address, the text of the ransom note did not change:

Приобрести декриптор можно до [Date]
Запросить стоимость:

В ТЕМЕ письма укажите ваш ID: [redacted]
Письма без указания ID игнорируются.

Убедительная просьба не пытаться расшифровать файлы сторонними инструментами.
Вы можете их окончательно испортить и даже оригинальный декриптор не поможет.

Заявки обрабатываются автоматической системой.

KRIPTOVOR Excuses virusKRIPTOVOR started adding .excuses file extension in June 2018.

We want to remind that it’s not a good idea to trust cyber criminals. They will demand to pay the ransom and might disappear as soon as you send a couple of hundred of dollars. Hence, focus on KRIPTOVOR removal and try alternative ways to recover your files.

Obfuscated email attachments might include ransomware payload

The main way how ransomware viruses spread is malicious spam email attachments.[5] Though, not all dangerous emails end up in the spam folders. Crooks might use advanced techniques and make sure that their letter appears in the main emails box. However, they might be identified by these signs:

  • weird or mismatching email address;
  • lack of credentials;
  • empty body;
  • urge to open the attachment;
  • grammar and spelling mistakes.

If the letter does not seem to be sent for you or you did not expect to receive it, stay away from the attachment. Also, you can check it with online file scanners before opening it.

Removal of the KRIPTOVOR ransomware virus

The only correct way to remove KRIPTOVOR from Windows PC is to employ professional software. Tools like Reimage Reimage Cleaner Intego or Malwarebytes can quickly detect malicious components and eliminate them from the device. However, if you have some difficulties, you should reboot the device to Safe Mode with Networking as explained below.

After KRIPTOVOR removal, you can plug in the external hard drive with backups or try our suggested third-party tools. You can find them listed below. However, we want to stress out that the official decryptor is not released yet. So, chances to full recovery are low if you do not have backups.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove KRIPTOVOR virus, follow these steps:

Remove KRIPTOVOR using Safe Mode with Networking

If ransomware blocks installatio of the security program or prevents from system scan, follow these steps:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove KRIPTOVOR

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete KRIPTOVOR removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove KRIPTOVOR using System Restore

System Restore method might also help to get rid of the virus with security programs:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of KRIPTOVOR. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that KRIPTOVOR removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove KRIPTOVOR from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by KRIPTOVOR, you can use several methods to restore them:

Data Recovery Pro – alternative way to recover files

Data Recovery Pro is not an official decryptor for KRIPTOVOR ransomware. However, it might be helpful. The program is designed to restore accidentally deleted or corrupted files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by KRIPTOVOR ransomware;
  • Restore them.

Try Windows Previous Versions feature for the most imporant files

If System Restore was enabled before ransomware attack, you can travel back in computer's time and copy individual files by following these steps:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Take advatage of ShadowExplorer

If ransomware failed to delete Shadow Volume Copies of the targeted files, follow these steps and use this recovery software:

  • Download Shadow Explorer (;
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

KRIPTOVOR decryptor is not available yet

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from KRIPTOVOR and other ransomwares, use a reputable anti-spyware, such as Reimage Reimage Cleaner Intego, SpyHunter 5Combo Cleaner or Malwarebytes

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Lucia Danes
Lucia Danes - Virus researcher

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Lucia Danes
About the company Esolutions


Your opinion regarding KRIPTOVOR virus