Karo ransomware is distributed in malicious .doc files that ask the user to enable macros. The infection is based on the open-source EDA2 ransomware project and uses a standard cryptographic primitive, the AES cipher, to encrypt files. The crypto-virus also writes additional entries to the Windows Registry so that its payload is launched automatically.
Summary of the analysis
We found evidence that the payload of this ransomware is delivered in misleading emails sent to random addresses. The message is simple: the scammers pretend to be handling the recipient's bank account.
The email tells the victim that more than a thousand dollars is about to be withdrawn from their Mastercard account, but offers no explanation; all of the details are supposedly in the attached .doc file. When the document is opened, it asks the user to enable macros and to enter a password, which is supplied in the email. Entering that password and enabling macros lets the macro drop the real payload onto the operating system.
The ransomware drops a ReadMe.html file with more information about the infection, and it also replaces the desktop background with its own image. In the note, the hackers urge victims to download and launch the Tor Browser and open the Bvmcu4eayyxjc4j.onion website. Researchers have also identified the extension the crypto-virus appends to encrypted files: .ipygh.
While active, Karo terminates several processes and possibly deletes Shadow Volume Copies, a routine step for ransomware. Despite looking rather polished, the infection is not impossible to defeat: because of minor errors in its file-encryption routine, security researchers believe this variant can be decrypted.
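The two host artefacts described above, autorun Registry entries and files carrying the reported .ipygh extension, can be checked from an elevated PowerShell prompt. The script below is an added example and is not code from the original write-up or from the malware analysis; the Run/RunOnce keys are the standard Windows autorun locations, while the "user-writable path" heuristic and the choice of the user profile as search root are this example's own assumptions.

```powershell
# Added example (not from the original write-up): triage a host for the artefacts
# the analysis describes. Registry paths are the standard Run/RunOnce keys;
# the user-writable-path heuristic is an assumption of this example.

function Get-SuspiciousAutoruns {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Properties Get-ItemProperty adds about the key itself, not autorun values
    $metadata = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    # Payloads started from user-writable folders are the usual ransomware pattern
    $userWritable = '(?i)\\(AppData|Temp|Users\\Public|ProgramData)\\'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($v in $values.PSObject.Properties) {
            if ($metadata -contains $v.Name) { continue }
            [pscustomobject]@{
                Key        = $key
                Name       = $v.Name
                Command    = $v.Value
                Suspicious = [bool]($v.Value -match $userWritable)
            }
        }
    }
}

function Get-EncryptedFiles {
    param(
        [string[]]$Roots = @($env:USERPROFILE),   # assumption: profile is enough for a first count
        [string]$Extension = '.ipygh'             # extension reported for this variant
    )
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter "*$Extension" -Recurse -File -Force -ErrorAction SilentlyContinue
    }
}

# Usage: review autoruns first (anything marked Suspicious is a removal candidate),
# then measure how far the encryption got
Get-SuspiciousAutoruns | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$hits = @(Get-EncryptedFiles)
'{0} file(s) with the .ipygh extension under {1}' -f $hits.Count, $env:USERPROFILE
```

An autorun entry flagged Suspicious is not proof of infection on its own (legitimate updaters also live under AppData), so compare the command path against the installed software before deleting the value; the file count tells you whether the encryption completed or was interrupted when the process was killed.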
This infection is a reminder of the importance of backing up your data to online storage or USB flash drives, and of keeping the drive disconnected when you are not backing up, since ransomware encrypts any drive that is mounted at the time it runs. Do not ignore these warnings, especially now that crypto-viruses spread worldwide more often than ever. If your files are kept in a secure location, ransomware has no leverage over you. If you have not yet created a second copy of your data, do it right away.
Since deceptive messages (especially ones about your credit card balance) can trick you into opening harmful documents, check every such message for red flags. If the sender's address does not match the institution it claims to represent, assume the file was sent by an untrustworthy third party. A genuine bank document will not require you to enable macros or to type in a password taken from the email. If you have questions, do not open the attachment for more information; contact your bank instead.
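The lure described above only works if Word is willing to run the macro after the user clicks "Enable Content". The following is an added example, not part of the original article, showing how to lock that down per user via the Registry settings Office honours: VBAWarnings (the macro security level) and the Office 2016 policy that blocks macros in documents downloaded from the Internet. The Office version number 16.0 is an assumption and must match the installed release (15.0 for Office 2013).

```powershell
# Added example (not from the original article): harden Word against macro-enabled
# document lures. The two Registry values are documented Office settings; the
# Office version (16.0) is an assumption for this example.

function Set-WordMacroPolicy {
    param(
        [string]$OfficeVersion = '16.0',
        # VBAWarnings: 1 = enable all, 2 = disable with notification (default),
        # 3 = disable all except digitally signed, 4 = disable all without notification
        [ValidateSet(2, 3, 4)][int]$VBAWarnings = 3
    )
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"

    foreach ($key in @($userKey, $policyKey)) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    }
    # Unsigned macros no longer run even if the user clicks "Enable Content"
    Set-ItemProperty -Path $userKey -Name VBAWarnings -Value $VBAWarnings -Type DWord
    # Office 2016 and later: block macros in files carrying the Mark-of-the-Web
    # (downloaded or saved from a mail client), regardless of the user's choice
    Set-ItemProperty -Path $policyKey -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

function Get-WordMacroPolicy {
    param([string]$OfficeVersion = '16.0')
    $userKey   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
    $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Word\Security"
    [pscustomobject]@{
        VBAWarnings             = (Get-ItemProperty -Path $userKey   -ErrorAction SilentlyContinue).VBAWarnings
        BlockMacrosFromInternet = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
    }
}

Get-WordMacroPolicy      # before: typically VBAWarnings 2 or empty, no block policy
Set-WordMacroPolicy
Get-WordMacroPolicy      # after: VBAWarnings 3, BlockMacrosFromInternet 1
```

Level 3 keeps internally signed macros working while stopping the "enable macros and enter the password" flow of this lure; choose 4 for users who never need macros. The same value names exist under the Excel and PowerPoint Security keys if those applications also need hardening.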
As mentioned, security researchers have stated that file recovery is a real possibility. Until a free decryption tool is released, you can try alternative methods. For instance, check whether the infection removed all Shadow Volume Copies. You can also try existing file-recovery tools. We make no promises that these techniques will work, but they are worth a try.
Before attempting file recovery, remove the Karo virus. You can do this manually by following the guidelines below, or scan the operating system with an anti-malware tool such as Spyhunter or Hitman, which will also report the security status of your device.
How to recover Karo virus encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista / XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2. Restore system files and settings.
- When the Command Prompt loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the window that appears.
- Select one of the available Restore Points dated before Karo virus infiltrated your system, then click “Next”.
- To start System restore click “Yes”.
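The same restore step can be driven from PowerShell instead of the rstrui.exe wizard, which is handy when you want to see the restore point dates before choosing one. This is an added example and not part of the original guide; it needs an elevated Windows PowerShell 5.1 prompt on a client edition of Windows (type powershell at the Safe Mode command prompt), and the cut-off date and sequence number in the usage lines are placeholders you must replace with your own.

```powershell
# Added example (not from the original guide): list restore points that predate
# the infection and roll back to one. Windows PowerShell 5.1, client editions only,
# run as Administrator. The date and sequence number below are placeholders.

function Get-PreInfectionRestorePoints {
    param([Parameter(Mandatory)][datetime]$InfectedSince)
    # CreationTime is a WMI timestamp string; ConvertToDateTime turns it into a [datetime]
    Get-ComputerRestorePoint |
        Where-Object { $_.ConvertToDateTime($_.CreationTime) -lt $InfectedSince } |
        Select-Object SequenceNumber, Description, RestorePointType,
                      @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
        Sort-Object Created -Descending
}

function Invoke-RestoreTo {
    param([Parameter(Mandatory)][int]$SequenceNumber)
    # Restore-Computer reboots the machine as part of the rollback; -Confirm gives a last chance to abort
    Restore-Computer -RestorePoint $SequenceNumber -Confirm
}

# Usage: use the timestamp of the ransom note or the first .ipygh file as the cut-off,
# then pass the SequenceNumber of the newest point older than that
Get-PreInfectionRestorePoints -InfectedSince (Get-Date '2017-06-01') | Format-Table -AutoSize
# Invoke-RestoreTo -SequenceNumber 42
```

If the list is empty, System Protection was off and there is nothing to roll back to; Get-ComputerRestorePoint -LastStatus reports how the previous restore attempt ended, which is useful when rstrui.exe failed silently.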
Step 2. Complete removal of Karo virus
After restoring your system, scan the computer with an anti-malware program such as Spyhunter and remove all malicious files related to Karo virus.
Step 3. Restore Karo virus affected files using Shadow Volume Copies
If you did not use System Restore, or it did not bring your files back, there is a chance to use shadow copy snapshots. They hold copies of your files as they were at the point in time when the restore snapshot was created. Karo virus usually tries to delete all available Shadow Volume Copies, so this method may not work on every computer; however, the deletion may fail. Shadow Volume Copies exist on Windows XP Service Pack 2 and later, including Windows Vista, 7, 8 and 10. There are two ways to retrieve your files from a Shadow Volume Copy: the native Windows Previous Versions feature, or Shadow Explorer.
a) Native Windows Previous Versions
Right-click an encrypted file and select Properties → Previous Versions. You will see all available copies of that file and the time each one was stored in a Shadow Volume Copy. Choose the version you want and click Copy to save it to a directory of your choice, or Restore to replace the existing encrypted file. To inspect the content first, click Open.
b) Shadow Explorer
Shadow Explorer is a program that can be found online for free, as either a full or a portable version. Open the program and, in the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click it and select “Export”, then choose where you want it to be stored.
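The check suggested earlier (did the infection remove all Shadow Volume Copies?) and the recovery in this step can both be done from an elevated PowerShell prompt without Shadow Explorer. The script below is an added example, not code from the original guide: it lists the snapshots Windows still holds and copies one file out of the oldest snapshot by exposing the snapshot device through a directory symbolic link. The mount folder name, the sample document path and the destination are assumptions for illustration.

```powershell
# Added example (not from the original guide): enumerate surviving shadow copies and
# recover a single file from one of them. Requires an elevated prompt. The mount
# folder, sample path and destination are placeholders for this example.

function Get-ShadowCopies {
    # Each snapshot exposes a device path such as \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Restore-FromShadowCopy {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
        [Parameter(Mandatory)][string]$RelativePath,   # path inside the volume, e.g. Users\alice\Documents\report.docx
        [Parameter(Mandatory)][string]$Destination
    )
    $mount = Join-Path $env:SystemDrive 'shadow_mount'   # assumption: any unused folder name works
    # A directory symlink to the snapshot device makes it browsable like a normal drive;
    # the trailing backslash on the target is required by mklink
    cmd /c mklink /d $mount "$DeviceObject\" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'mklink failed; run from an elevated prompt' }
    try {
        $source = Join-Path $mount $RelativePath
        if (-not (Test-Path $source)) { throw "Not present in this snapshot: $RelativePath" }
        Copy-Item -Path $source -Destination $Destination -Force
        Get-Item $Destination
    } finally {
        # rmdir on a symlink removes only the link, never the snapshot contents
        cmd /c rmdir $mount | Out-Null
    }
}

# Usage
$copies = @(Get-ShadowCopies)
if ($copies.Count -eq 0) {
    'No shadow copies left on this system; skip to data-recovery tools.'
} else {
    $copies | Format-Table -AutoSize
    # The oldest snapshot is the one most likely to predate the encryption
    $oldest = $copies | Sort-Object InstallDate | Select-Object -First 1
    Restore-FromShadowCopy -DeviceObject $oldest.DeviceObject `
        -RelativePath 'Users\alice\Documents\report.docx' `
        -Destination "$env:USERPROFILE\Desktop\report.docx"
}
```

An empty list means the deletion mentioned in the analysis succeeded and only Step 4 remains. Copy recovered files to a separate location first rather than overwriting the encrypted originals, so that a snapshot taken after the encryption started does not replace one damaged copy with another.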
Step 4. Use Data Recovery programs to recover Karo virus encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
- We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
- Download a data recovery program.
- Install it and scan for recently deleted files.