KingOuroboros virus - How to remove

Discovered and reported on Twitter by the malware hunter Michael, KingOuroboros is a new ransomware virus that infects the operating system, encrypts the victim's files and demands a ransom. King Ouroboros seems to be related to two very similar parasites, CryptoWire and VapeLauncher. We can only guess whether these viruses were made by the same hackers or simply share the same intrusion and encryption techniques, but what we know for sure is that the KingOuroboros crypto-extortionist is a sophisticated piece of malware.

Files on the compromised computer's hard drive, in network folders and on external drives are all in danger of KingOuroboros' strong AES encryption, yet the Program Files, Data and Windows directories are left untouched so the user can still use the functioning machine to make the Bitcoin payment to the crooks.

The name King Ouroboros originates from the Japanese manga series Toriko, where one of the characters, Kingu Uroborosu, is a serpent beast living in the Underground Forest. Most likely the hackers chose this name because the abilities the cold-blooded reptile represents are very similar to the virus's qualities: the ability to camouflage and blend in, to cunningly attack its prey undetected, and to survive even in very extreme conditions. More on the Toriko Fan Fiction wiki page.

KingOuroboros ransomware virus

Actually, everything about this threat is malicious: the deceptive intrusion, the sneaky installation without permission, the file encryption, the ransom demand and its persistence. While the small $50 fee (0.0080 BTC) doesn't seem much to get your files back, you can never be sure that the hackers will honestly give you the decryption key. You can't trust a pirate's word even in the cyber world. Instead of risking your fifty bucks, better read this article, which might help you get a KingOuroboros-free computer.

What’s so special about the King Ouroboros virus

First of all, the KingOuroboros threat is a ransomware virus, which typically earns its money by encrypting users' personal files and asking for money to unlock them. In order to push the victim into paying, the virtual pirates came up with a quite worrisome ransom message, claiming that the fee must be paid within 72 hours or else the decryption key will be deleted and the locked files will stay encrypted forever.

Some ransomware infections even have the ability to delete the files themselves and not just the key, StalinLocker for example, but KingOuroboros is not that destructive, and even if the 72 hours have passed you should still keep the files while cyber specialists work on a decryption tool.

According to VirusTotal, KingOuroboros has been noticed in the wild spreading as a Java Update Scheduler, under the file names jusched.exe and JAVA_UPDATER.EXE. This ransomware is also made using AutoIt, and after infection it runs a script with the help of built-in Windows components like rundll32.exe, which makes it really hard for antivirus programs to detect.

Using flexible, sly methods, KingOuroboros overcomes the security protection and starts running as a background process, scanning the system for files with certain extensions such as .jpg, .png, .doc, .mp3 and .mp4. It then uses the AES-256 cipher to encrypt them. To make the encryption faster, the ransomware usually targets files smaller than 30 MB and, after locking them, marks them with the extension .king_ouroboros: the media file video.mp4 turns into video.king_ouroboros.mp4.

The encryption affects not only files kept on internal disks, but also connected external disks, USB drives, network drives and file storage services such as Dropbox and Google Drive that are installed on the compromised system at the moment of infection. Still, you should worry only about personal files like movies, books, pictures and documents, because the King Ouroboros virus encrypts only data that would be precious to the user and does not completely ruin the machine.
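As an added defender-side example (not code from the original post), the following Python triage helper works from the two artifacts described above: it flags process events where the jusched.exe/JAVA_UPDATER.EXE disguise runs from an unexpected location or spawns rundll32.exe, and it inventories files marked with .king_ouroboros, recovering their original names. The install directory of the genuine Java Update Scheduler and the Sysmon-style event fields are assumptions; the sample tree and events are constructed.

```python
import os
import tempfile
from collections import Counter

MARKER = ".king_ouroboros"  # extension the ransomware adds (from the write-up)
# Disguise file names reported on VirusTotal according to the article
DISGUISE_NAMES = {"jusched.exe", "java_updater.exe"}
# Where the genuine Java Update Scheduler normally lives (assumption, not from the page)
EXPECTED_JUSCHED_DIR = "c:/program files (x86)/common files/java/java update"

def original_name(filename):
    """Undo the marker: 'video.king_ouroboros.mp4' -> 'video.mp4'.
    A trailing marker ('video.mp4.king_ouroboros') is handled too, for robustness.
    Returns None for files that were not marked."""
    if MARKER not in filename:
        return None
    return filename.replace(MARKER, "", 1)

def inventory(root):
    """Walk a tree; return (number of marked files, Counter of original extensions)."""
    originals = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            orig = original_name(name)
            if orig is not None:
                originals.append(os.path.join(dirpath, orig))
    return len(originals), Counter(os.path.splitext(p)[1].lower() for p in originals)

def suspicious_process(event):
    """event: Sysmon-style dict with 'image' and 'parent_image' paths (assumed fields).
    Returns a reason string when the event matches the disguise pattern, else None."""
    image = event["image"].lower().replace("\\", "/")
    parent = os.path.basename(event.get("parent_image", "").lower().replace("\\", "/"))
    name = os.path.basename(image)
    if name in DISGUISE_NAMES and not os.path.dirname(image).startswith(EXPECTED_JUSCHED_DIR):
        return "java-updater name running outside the expected Java Update directory"
    if name == "rundll32.exe" and parent in DISGUISE_NAMES:
        return "rundll32.exe launched by a java-updater-named parent"
    return None

def demo_tree():
    """Constructed sample tree: two marked files and one untouched file."""
    root = tempfile.mkdtemp()
    for rel in ("video.king_ouroboros.mp4", "docs/report.king_ouroboros.doc", "notes.txt"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root

if __name__ == "__main__":
    count, exts = inventory(demo_tree())
    print(f"{count} marked files, by original extension: {dict(exts)}")
```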

Once King Ouroboros is done encrypting, it is ready to make an appearance to the victim by displaying the ransom note named Delta. Unlike other viruses, this ransom message does not come as a .txt file but is displayed by the executable itself. The message from the crooks announces:

Your files have been safely encrypted

The only way you can recover your files to buy a decryption key
The payment method is: Bitcoin. The price is: $ 50 = Bitcoins
After buying the amount of bitcoins send an email
to [email protected] Your ID: xxxxxxx
We will provide you with payment address and your decryption key.
You have 72 Hours to complete the payment otherwise your key will be deleted.

The malicious virus creators ask for $50 to be sent in cryptocurrency (0.0080 Bitcoin) via their [email protected] email. As you can see, KingOuroboros ransomware is a pretty tough cookie compared to other malware like browser hijackers or adware, which can be deleted with a few clicks. For this reason, you should avoid getting the KingOuroboros virus at all costs. For your convenience, we have put together a whole article on how to stay safe from ransomware while browsing online.

How does KingOuroboros spread

The majority of ransomware viruses tend to spread via infected email attachments or various downloadable files from suspicious websites (torrents, free music, videos, etc.). King Ouroboros is no exception, but judging from the executable file's name it most likely camouflages itself as a Java Update Scheduler and tries to get into the targeted victim's system as a voluntarily downloaded program, or at least not to raise any suspicion when bundled with other software.

We are so used to Java updates that an offer to install a Java-related tool doesn't even make us think twice. Although KingOuroboros uses Java as a disguise, in reality it has nothing in common with the programming language or the company itself. So don't cancel all your updates just yet. Instead, keep reading on how to resolve this unfortunate infection.

How to remove the King Ouroboros virus and get your files back

There is no doubt that the KingOuroboros malware requires a thorough system scan to be fully removed from your PC. That is not an easy task to perform manually, especially knowing how sneaky this virus is, so the best way to delete KingOuroboros is to trust it to an automatic removal tool like SpyHunter or Malwarebytes. These anti-spyware programs will detect all the related files and the parasite file itself and, after the scan, offer the removal options.

KingOuroboros can be really stubborn and try to block any file installation or download. In this case, you should try writing the automatic malware removal software onto a USB stick on a clean computer and then launching it on the compromised one. Mind you, virus removal programs do not restore the encrypted files, but you must take care of the active threat before taking any further steps.

Automatic Malware removal tools


As for the locked .king_ouroboros files: the ransom-demanding virus deletes the shadow volume copies completely during execution and overwrites them several times, just like CryptoWire, so file recovery with System Restore won't work. At this point, data recovery is a true challenge. However, as the cyber expert M. wrote in the same tweet mentioned above, this ransom cipher has the potential to be decrypted.

Since we cannot offer an official decryptor yet or promise a working manual removal, you should keep an eye on the crypto-extortionist decryptor list here on 2-viruses or on HeimdalSecurity. Meanwhile, you can try file restore programs like Data Recovery Pro. In many cases it is impossible to restore files affected by modern ransomware, thus we recommend using a decent cloud backup like Carbonite, Backblaze, CrashPlan or Mozy Home.
