Kupidon ransomware (Virus Removal Instructions) - Decryption Methods Included

Kupidon virus Removal Guide

What is Kupidon ransomware?

Kupidon ransomware is the cryptovirus that targets companies and mainly spreads in Romania

Kupidon ransomware is malware that encrypts data and demands payment from the victim by claiming to have the decryption tool needed to restore the files. The initial report[1] about this new threat states that it is possibly a copy of some older ransomware, because the ransom note text delivered via the !KUPIDON_DECRYPT.TXT file resembles that of an earlier threat. That is nothing new, since many actors reuse information or code from other threats to build their own malware. The post from researchers also reveals that the targets of this cryptovirus are mainly companies, and most of them are related to Romania. There are not many samples at the time, but further details indicate that the threat is dangerous and can evolve pretty quickly.

Kupidon ransomware virus is not reported to come from another family or malware developers. Once the machine is infected, it encrypts common files using AES and RSA algorithms.[2] File locking gives the creators leverage for the money demands and scary messages that come right after the encryption. When images, documents, archives, or other types of files get encoded, they become useless and receive the .kupidon marker at the end, so the victim can tell which files got encrypted. Even though ransomware directly corrupts common files on the machine, system data can also be affected when malicious processes run in the background or when parts of the system, like registry entries and security tools, are altered.

Name: Kupidon ransomware
File marker: .kupidon, placed at the end after the original name and file-type extension once the encryption process is completed
Danger: Cryptocurrency-extortion based threats are dangerous because attacks involve money demands and blackmailing messages. People can pay for nothing and end up losing money and data after all
Ransom amount: Attackers ask for $300 from victims whose samples got analyzed. The amount is preferred to be obtained in the form of Bitcoin and can be determined for each victim separately, judging on the value and amount of data encoded during the attack
Ransom note: !KUPIDON_DECRYPT.TXT is the file that contains the message from virus creators and includes contact information, details on the ransom amount and the unique victim's ID
Elimination: Kupidon ransomware removal should be performed using anti-malware tools, so any associated programs can get deleted
Distribution: The threat is delivered with the help of malicious files that can be attached to emails or downloaded from malware-laced pages and torrent services. The infiltration happens quickly, and users cannot notice the payload drop
Recovery: As for the virus damage that ransomware possibly triggers in the background to affect the persistence of the virus, you should rely on Fortect, Intego, or similar tools that can check for affected data or settings

Kupidon ransomware starts with the encryption process, during which files get the .kupidon extension appended and a ransom note bearing the name of the ransomware gets placed in various folders. This !KUPIDON_DECRYPT.TXT file is created to inform people about further actions and encourage them to pay the demanded amount to the criminals.
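An added example (not part of the original guide or of any tool it names): a read-only Python inventory of a folder tree for the .kupidon marker and !KUPIDON_DECRYPT.TXT notes described above, to scope what has to be restored from backup. The function names and the sample tree are constructed for illustration, and the modification-time window is only an approximation of when encryption ran.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = ".kupidon"                 # file marker named on this page
NOTE_NAME = "!KUPIDON_DECRYPT.TXT"  # ransom note name named on this page


def scan_tree(root):
    """Read-only walk of root; returns (encrypted, notes, per_dir).

    encrypted holds (path, original_name); per_dir counts hits per folder.
    """
    encrypted, notes, per_dir = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            lowered = name.lower()  # Windows file names are case-insensitive
            if lowered == NOTE_NAME.lower():
                notes.append(full)
            elif lowered.endswith(MARKER) and len(name) > len(MARKER):
                # The marker follows the original extension, so stripping
                # it gives the name to look for in backups.
                encrypted.append((full, name[: -len(MARKER)]))
                per_dir[dirpath] += 1
    return encrypted, notes, per_dir


def modified_window(encrypted):
    """(earliest, latest) mtime of encrypted files, or None if there are none.
    Approximation only: timestamps can be altered by malware or by copying."""
    times = []
    for path, _original in encrypted:
        try:
            times.append(path.stat().st_mtime)
        except OSError:
            continue  # file vanished or is unreadable
    return (min(times), max(times)) if times else None


def build_sample_tree(root):
    """Constructed sample layout made of empty placeholder files."""
    for rel in ("docs/report.docx.kupidon", "docs/budget.xlsx.kupidon",
                "docs/" + NOTE_NAME, "photos/img001.jpg.KUPIDON",
                "photos/img002.jpg", "photos/" + NOTE_NAME):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed demo input
        build_sample_tree(tmp)
        enc, notes, per_dir = scan_tree(tmp)
        print(f"{len(enc)} encrypted files, {len(notes)} ransom notes")
        for folder, count in per_dir.most_common():
            print(f"  {count:4d}  {folder}")
```

Run it against a mounted copy or image of the affected disk rather than the live infected system, and compare the earliest timestamp with the restore points or backups available.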

Unfortunately, the Kupidon ransomware virus is focused on getting money and making a profit. Your files, devices, and other belongings are not important to the cybercriminals, so trusting them is not a good option. Malicious actors may even offer a test decryption to make this look like a legitimate service with a working decryption tool.

The test decryption prior to the payment can be performed on files no larger than 10 MB. This may be the case because criminals store some of these files for the purpose of tricking you into believing that data got recovered. Do not fall for any of these tricks that attackers use.

The text displayed in Kupidon ransomware ransom note:

All your files have been encrypted with Kupidon Virus.
Your unique id:
As a private person you can buy decryption for 300 $ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
To do this:
1) Download and install Tor Browser (https://www.torproject.org/download/)
2) Open the http://oc3g3q5tznpubyasjgliqyykhxdfaqge4vciegjaapjchwtgz4apt6qd.onion/ web page in the Tor Browser and follow the instructions.

Kupidon ransomware mainly targets companies and businesses, so the ransom amount can go up a notch and be specific to the particular target. However, even large businesses should not pay this demand and should remove the malware instead. The ransom payment page shows the following:

1) Send a few encrypted files (no more 3 files, no more 10 MB per letter) to kupidon@cock.li . Dont forget to include you ID from ! KUPIDON_DECRYPT.TXT .
2) We will decipher them and send you back with bitcoin address for payment.
3) After payment ransom for Bitcoin, we will send you a decryption program and aes-key with instructions. If we can decrypt any of your files, we have no reason to deceive you after payment.

Kupidon ransomware - cryptocurrency extortion based malware that shows you a demanding message as the text file.

You need to remove Kupidon ransomware instead of paying the ransom because the promised way of getting your files back may be false and not possible at all. A decryption tool has not been officially released yet, so the only option for file recovery is data backups. Of course, you can rely on some third-party programs and our suggestions below, but the best thing you can do when you encounter such an intruder is run the cleaning process.

Kupidon ransomware removal gives the best results when you rely on professional anti-malware tools that can clean the threat completely, alongside other possible infections or malicious files and applications. Security tools cannot recover encrypted documents or images, but you shouldn't even consider file recovery until the system is virus-free.

Kupidon ransomware can easily run the encryption algorithms again and affect files you newly add to the machine. This way you lose all of your data. The same can happen to your external data backup when you plug the USB device into the still-infected computer. We strongly advise staying away from criminals and terminating the threat ASAP.

The process of cleaning the machine can get difficult when Kupidon ransomware damages shadow volume copies, alters Windows registry entries, changes settings, or disables programs that can be helpful for either malware termination or file recovery. We have listed a few tips to bypass these changes below.

As for the virus damage that Kupidon ransomware causes, rely on optimization software or tools designed to repair computers, like Fortect or Intego, and run the full check for affected files. Later on, you can repair any corrupted parts of the system. Experts[3] always note how important it is to get rid of the damage and restore functions to their normal state.

Kupidon ransomware - a threat that delivers ransom note on the desktop as soon as the encryption is done.

Malware targets users' data by dropping the payload via a malicious file

Payload droppers for ransomware-type malware can be anything from trojans and other cyber threats to files attached to emails that contain malicious macros. The malware script initiates the installation of the main launcher of the threat, so the infection happens and the system gets affected significantly.

These files that spread malware can be disguised as PDFs, Microsoft Word, or Excel documents and claim to contain important information, so people fall for the trick and download the attachment from a questionable email. At this point, user interaction is needed because malicious macros need to be enabled. The file that you open shows a form to agree to, so that the content can be displayed.

One click, and the malware script gets dropped directly on the system. If you want to avoid such infiltration, you need to delete any suspicious emails after receiving them and rely on proper security tools before downloading anything from the internet. Most of such tools can check the attachment and show whether it is safe to download.

Kupidon ransomware termination includes cleaning infectious files from the system

When you encounter the Kupidon ransomware virus, you should take into consideration the additional infections and programs that can be loaded behind your back. Anything related to the malware that is left on the machine can affect the persistence of the ransomware and interfere with security tools, other methods of data recovery, and malware elimination.

Kupidon ransomware removal can be achieved with anti-malware tools that check the system for malware and intruders and delete those payload files and other threats. Security programs like SpyHunter 5, Combo Cleaner or Malwarebytes can serve such a purpose, but you may want to reboot the machine in Safe Mode with Networking first to get better results.

When you remove Kupidon ransomware using the anti-malware program, you can be sure that no additional threats can run in the background. However, some of the alterations that malware makes to system files and functions can trigger unwanted symptoms or even further damage, so running Fortect, Intego, or a different PC repair tool can help to fix the damage completely.


Getting rid of Kupidon virus. Follow these steps

Manual removal using Safe Mode

Rebooting the machine in Safe Mode with Networking can significantly lessen the frustration when terminating Kupidon ransomware with AV tools

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal is best performed in the Safe Mode environment.

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot.
  7. Go to Advanced options.
  8. Select Startup Settings.
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking.

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
  5. Go back to the process, right-click and pick End Task.
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Kupidon using System Restore

System Restore is the feature that can help with malware elimination since it returns the computer to a previous state

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Kupidon. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Fortect or Intego and make sure that Kupidon removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Kupidon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Kupidon, you can use several methods to restore them:

Data Recovery Pro – the program that restores files after encryption or accidental deletion

Your device may get affected by Kupidon ransomware, or you may delete files by accident. In both cases your data gets damaged, and Data Recovery Pro is a solution for both.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kupidon ransomware;
  • Restore them.

Windows Previous Versions can recover affected data

When System Restore is enabled, Windows Previous Versions can also be used for restoring files

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the method that allows recovering the encrypted files

If Shadow Volume Copies don't get affected, you can rely on ShadowExplorer

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Kupidon ransomware decryption tool is not available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Kupidon and other ransomware, use a reputable anti-spyware, such as Fortect, Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

How to prevent getting ransomware

Do not let government spy on you

The government has many issues in regards to tracking users' data and spying on citizens, so you should take this into consideration and learn more about shady information gathering practices. Avoid any unwanted government tracking or spying by going totally anonymous on the internet. 

You can choose a different location when you go online and access any material you want without particular content restrictions. You can easily enjoy internet connection without any risks of being hacked by using Private Internet Access VPN.

Control the information that can be accessed by the government or any other unwanted party and surf online without being spied on. Even if you are not involved in illegal activities or trust your selection of services and platforms, be suspicious for your own security and take precautionary measures by using the VPN service.

Backup files for the later use, in case of the malware attack

Computer users can suffer from data losses due to cyber infections or their own faulty doings. Ransomware can encrypt and hold files hostage, while unforeseen power cuts might cause a loss of important documents. If you have proper up-to-date backups, you can easily recover after such an incident and get back to work. It is also equally important to update backups on a regular basis so that the newest information remains intact – you can set this process to be performed automatically.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware strikes out of nowhere. Use Data Recovery Pro for the data restoration process.

About the author
Julie Splinters - Anti-malware specialist
