Skip to content
  • Active
  • Severity: High
  • Ransomware
  • Windows
  • Verified · Apr 2023

How to remove Proton ransomware

A step-by-step removal guide for affected devices. Follow the verified procedure below — most readers complete it in under 10 minutes.

Gabriel E. Hall · Passionate web researcher

Proton ransomware is a malicious program that is used by cybercriminals to extort money

Proton ransomware is a file-locking virus that prevents users from opening personal files such as photos, videos, documents, and other files. After the malicious program has infiltrated the computer, files are encrypted using complex algorithms.

The affected files are labeled with the email address kigatsu@tutanota.com, the victim's ID, and the .kigatsu extension. Typically, victims become aware of the infection during this time. The file names are something like picture.jpg.[tutanota.com][546735HY].kigatsu, video.mp4.[Kigatsu@tutanota.com][538993YH].kigatsu, and the icons become white pages, making thumbnails unavailable.

The malware then creates a text file called README.txt. This is known as a ransom note. In the note, hackers explain what happened to victims' data and request payment in exchange for a decryption key. Ransomware attacks can be catastrophic for those who do not have backups. To avoid this in the future, we recommend that you thoroughly read the guide.

NAME Proton
TYPE Ransomware, cryptovirus, data locking malware
DISTRIBUTION Email attachments, peer-to-peer file-sharing platforms, malicious ads
FILE EXTENSION .kigatsu
RANSOM NOTE README.txt
FILE RECOVERY It is almost impossible to recover the files if you do not have backups
MALWARE REMOVAL Scan your machine with anti-malware software to eliminate malicious files. This will not recover your files.
SYSTEM FIX Windows reinstallation can be avoided with FortectIntego maintenance tool, which can fix damaged files

The ransom note

Proton ransomware drops a README.txt ransom note on the affected machine:

~~~ Proton ~~~
>>> What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.

>>> How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.

>>> What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.

>>> How to contact us?
Our Telegram ID: @ransom70
Our email address: Kigatsu@tutanota.com
In case of no answer within 24 hours, contact to this email: Kigatsu@mailo.com
Write your personal ID in the subject of the email.

>>>>> Your personal ID: – <<<<<

>>> Warnings!
– Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
– Do not hesitate for a long time. The faster you pay, the lower the price.
– Do not delete or modify encrypted files, it will lead to problems with decryption of files.

The ransom note is a message from the Proton ransomware group in which they claim to have encrypted and stolen all of the victim's files using advanced encryption algorithms such as AES and ECC. If the victim pays the ransom, the note promises to provide decryption software.

The group emphasizes that they are not political in nature and that their only goal is to obtain money from the victim. They provide reassurance by allowing the victim to send a small file (less than 1 MB) that they will decrypt as proof that they have the decryption software.

The ransom note warns the victim not to contact recovery companies because they are considered middlemen who will cheat and profit from them. The group also advises the victim not to wait too long because the ransom price will rise over time. Finally, they warn the victim not to delete or modify any encrypted files, as this will cause decryption problems.

Victims should not pay the ransom because there is no guarantee that the group will provide the decryption software once payment is received. The group's claim that they will destroy the stolen data is also untrustworthy, given that they have already shown that they can encrypt and steal the victim's data. Paying the ransom only helps criminals and may not result in the recovery of the victim's files.

Distribution methods

Cyber criminals spread malicious programs through a variety of methods, including email attachments, fake software updates, unofficial websites offering “cracked” programs,[1] and peer-to-peer file-sharing platforms. When downloading email attachments, especially from unknown senders, exercise extreme caution.

Fake software updates frequently contain malware and should be avoided. Never update software via a web browser; instead, go to the official software page or open the program itself to check for available updates. It is also critical not to download anything from random pop-ups.

Exploiting software vulnerabilities[2] is another method used by cybercriminals to distribute ransomware. It is critical to keep both the operating system and software up to date to prevent hackers from exploiting security flaws. Software developers release security patches that address known vulnerabilities on a regular basis, so it is best to install them as soon as possible.

Ransomware removal

Attempting to recover data on your own may lead to permanent loss or further encryption of your files by malicious programs. To stop the encryption process, it is necessary to remove the malicious files causing it. However, it is not recommended to try removing the program yourself. Instead, use reliable anti-malware tools such as SpyHunterCombo Cleaner or MalwarebytesMalwarebytes to scan your system.

These security software programs are designed to detect and remove all related files and entries automatically, ensuring complete removal without leaving any traces behind. Sometimes, malware can disable your antivirus software, making it difficult to remove the malicious program. In such cases, it is recommended to access Safe Mode first, which will provide a secure environment to run anti-malware tools and remove the threat.

Windows 7 / Vista / XP

  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list.Windows XP/7

Windows 10 / Windows 8

  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.Update & Security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.Recovery
  6. Select Troubleshoot.Choose an option
  7. Go to Advanced options.Advanced options
  8. Select Startup Settings.Startup settings
  9. Click Restart.
  10. Press 5 or click 5) Enable Safe Mode with Networking.Press F5 to enable Safe Mode with Networking

File recovery using third-party software

If you have not backed up your files prior to the encryption, only the hackers possess the decryption key that can unlock them. This means that without the key, your files may be lost permanently. Although third-party data recovery software can be attempted, it may not always be successful in decrypting the files. We recommend attempting this method as a last resort.

Before proceeding with data recovery, it is crucial to remove the Proton ransomware and make a copy of the encrypted files to a USB flash drive or another storage device. It is important to note that this should only be done after removing the ransomware.

  1. Download Data Recovery Pro.
  2. Double-click the installer to launch it.
  3. Follow on-screen instructions to install the software.Install program
  4. As soon as you press Finish, you can use the app.
  5. Select Everything or pick individual folders where you want the files to be recovered from.Select what to recover
  6. Press Next.
  7. At the bottom, enable Deep scan and pick which Disks you want to be scanned.Select Deep scan
  8. Press Scan and wait till it is complete.Scan
  9. You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
  10. Press Recover to retrieve your files.Recover files

Fix the operating system

Malware infections can cause significant performance, stability, and usability issues on a computer, to the extent that a full Windows reinstall may be necessary. Such infections can manipulate the Windows registry database, damage critical bootup and other sections, and delete or corrupt DLL files. Once a system file is damaged by malware, antivirus software may not be able to restore it.

To address this problem, FortectIntego was developed. It is designed to repair a variety of damage caused by malware infections, such as Blue Screen errors,[3] freezes, registry errors, and damaged DLLs, which can render a computer completely unusable. By utilizing this maintenance tool, it is possible to avoid the need for a complete Windows reinstallation.

Be the first to comment

Spyware news
Privacy preferences

We use cookies to improve your experience and analyze traffic. Some cookies enable embedded content like videos and social posts. Choose what you allow — you can change this anytime.