Kraken ransomware - How to remove

Kraken is a peculiar name, selected for a recently detected crypto-ransomware sample. Variants of these viruses emerge one after another, and IT specialists always have to be prepared to provide adequate information about each of them. The task of informing the public about newly released infections is complicated by the fact that many ransomware samples differ from their ancestors. However, the technical details of Kraken ransomware appear recognizable from previously examined infections. It uses a strong encryption algorithm and, with this cipher, encodes files so that they can no longer be opened normally. Encrypted files also have their names scrambled into base64, so you will no longer be able to tell which file is which. To transform files even further, the .kraken extension replaces the original one. Kraken virus does not seem to leave a .txt file with instructions; instead it creates an .html file, which is opened in one of the user’s browsers. This page contains comprehensive information about the files, an explanation of bitcoins, and other peculiar statements. Read the whole article to find out how vile Kraken virus is.

Analysis of Kraken ransomware

Once Kraken virus has successfully implanted itself in your device, it does not hesitate and turns to scanning for files and encrypting them. The exact cipher used for encoding has not been determined yet, but our bets go on RSA or AES, the most prevalent choices for ransomware infections. The primary message in the “_help_your_files.html” file is short: Kraken virus declares that “documents, photos, databases and other important files have been encrypted!”.

The ransomware also reports the number of files that have been given the .kraken extension. Our guess is that the size of the ransom varies from victim to victim; it is very likely that the fee changes according to the number of encrypted files. For example, if over 300 files are encoded by Kraken virus, hackers may demand 2 BTC (about 1556.66 US Dollars). In addition, the fee is supposed to increase once the allotted time runs out: infected users will see a section labeled “decryption program price doubles in” containing a countdown timer. The peculiar aspect of this clock is that it does not freeze when your device is off, so there is no way to stop the timer from reaching zero at the time it is due to. No matter how desperately you need your files back, paying the creators of Kraken virus is an awful solution. You might receive a useless decryption program that does not return your files to their original state, and you would also be sponsoring hackers: your money might fund a new ransomware infection. NEVER send letters to these email addresses: [email protected], [email protected], [email protected]. The following image contains a shortened version of the instructions.
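The note's file count is the one number a victim can verify independently, and the base64 file names described above can often be turned back into readable names. The following PowerShell script is an added example, not code from the article: it inventories every file with the .kraken extension under a folder, counts the ransom notes, and tries to decode each file-name stem as base64. The `Get-DecodedOriginalName` function, the report path and the acceptance of a URL-safe base64 alphabet are assumptions made for this example; anything that does not decode to printable text is reported as unknown rather than guessed.

```powershell
# Added example (not from the article): inventory files carrying the .kraken
# extension under a root folder, count them, and try to recover each original
# file name. Assumption, taken from the article's description: the original
# name was base64-encoded before ".kraken" was appended. Anything that is not
# valid base64 or does not decode to printable text is reported as unknown.
param(
    [string]$Root       = $env:USERPROFILE,
    [string]$ReportPath = (Join-Path $env:USERPROFILE 'Desktop\kraken-inventory.csv')
)

function Get-DecodedOriginalName {
    param([string]$Stem)
    # Windows file names cannot contain '/', so a URL-safe alphabet is also accepted (assumption).
    $candidate = $Stem.Replace('-', '+').Replace('_', '/')
    # Re-add any padding that may have been dropped.
    while ($candidate.Length % 4 -ne 0) { $candidate += '=' }
    try {
        $text = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($candidate))
        # Accept only non-empty results without control characters.
        if ($text.Length -gt 0 -and $text -notmatch '[\x00-\x1F]') { return $text }
    } catch { }
    return $null
}

$encrypted = @(Get-ChildItem -Path $Root -Recurse -File -Filter '*.kraken' -ErrorAction SilentlyContinue)
$notes     = @(Get-ChildItem -Path $Root -Recurse -File -Filter '_help_your_files.html' -ErrorAction SilentlyContinue)

$report = foreach ($f in $encrypted) {
    $stem = [IO.Path]::GetFileNameWithoutExtension($f.Name)
    $orig = Get-DecodedOriginalName $stem
    if (-not $orig) { $orig = '<unknown>' }
    [PSCustomObject]@{
        EncryptedPath = $f.FullName
        OriginalName  = $orig
        SizeBytes     = $f.Length
        LastWrite     = $f.LastWriteTime
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
'{0} .kraken files and {1} ransom notes found under {2}; report written to {3}' -f $encrypted.Count, $notes.Count, $Root, $ReportPath
```

The CSV is useful later when comparing against backups or shadow copies: the `LastWrite` column clusters around the time the encryption ran, which also helps pick a restore point that predates the infection. Nothing in the script modifies the encrypted files.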

Strategy for distribution that Kraken ransomware has selected

Kraken virus travels as an attachment to email letters. Users have reported receiving frightening messages that their various accounts are about to be deleted, that their bank accounts have been broken into, that their licenses have expired, and many other misleading statements. The urgency of these letters is supposed to convince you to open them and download the attachments for more information. In reality, all you will receive is the payload of the ransomware, which soon begins making modifications to your Windows Registry keys until, finally, the encryption is completed.

Can documents, photos, databases that are encrypted by Kraken ransomware be restored?

It is a little too early to talk about a free decryption tool. We are certain that security researchers are trying to crack Kraken virus's encryption and will produce an appropriate program for file restoration. For now, we advise you to remove this infection from your device. You can do this with reliable malware removers like Spyhunter or Malwarebytes. After the infection is eliminated, you can attempt to restore your files with universal file-recovery programs. You can find more information about possible methods for decryption below.

How to recover Kraken ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were available before Kraken ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.

Step 2. Complete removal of Kraken virus

After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to Kraken ransomware. You can check other tools here.

Step 3. Restore Kraken ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Kraken virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
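Before clicking through Previous Versions or installing Shadow Explorer, it is worth checking whether any shadow copies survived at all, since the article notes the virus usually tries to delete them. The PowerShell below is an added example and not part of the article: it lists the snapshots that still exist and, if there are any, exposes the newest one as an ordinary folder through a directory symbolic link so files can be copied out with Explorer or `Copy-Item`. The function names, the `C:\shadow` link path and the choice of the newest snapshot are assumptions made for this example; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): check whether Volume Shadow Copies
# survived on this machine before trying Previous Versions or Shadow Explorer,
# and, if they did, expose one snapshot as a normal folder so files can be
# copied out. Run from an elevated PowerShell prompt. Assumes the Win32_ShadowCopy
# class and mklink are available (Windows Vista and later).

function Get-ShadowCopyInventory {
    $copies = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)
    if ($copies.Count -eq 0) {
        Write-Warning 'No shadow copies found. The ransomware may have deleted them, or VSS was never enabled on this volume.'
        return
    }
    # Newest snapshot first; DeviceObject is the path used to reach the snapshot's contents.
    $copies |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, VolumeName, DeviceObject
}

function Mount-ShadowCopyFolder {
    param(
        [Parameter(Mandatory)][string]$DeviceObject,   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
        [string]$LinkPath = 'C:\shadow'                 # assumed link location for this example
    )
    if (Test-Path $LinkPath) { throw "$LinkPath already exists; pick another link path." }
    # mklink needs the trailing backslash on the snapshot device path.
    cmd /c mklink /d $LinkPath "$DeviceObject\" | Out-Null
    "Snapshot exposed at $LinkPath. Copy what you need, then remove the link with: cmd /c rmdir $LinkPath"
}

# Usage: list snapshots, then expose the newest one. Check InstallDate against
# the time the .kraken files appeared and pick an older snapshot if needed.
$snapshots = @(Get-ShadowCopyInventory)
$snapshots | Format-Table -AutoSize
if ($snapshots.Count -gt 0) {
    Mount-ShadowCopyFolder -DeviceObject $snapshots[0].DeviceObject
}
```

On Windows 7 with its default PowerShell 2.0, `Get-CimInstance` is not available; `Get-WmiObject -Class Win32_ShadowCopy` returns the same objects. Use `rmdir` (not `Remove-Item -Recurse`) on the link when finished, so only the link is removed and the snapshot itself is left untouched.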

Step 4. Use Data Recovery programs to recover Kraken ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.