Kristina Ransomware Virus - How To Remove?

Type: Ransomware
Kristina is classified as ransomware for an obvious reason: it infects computers and encrypts the files stored on the hard drive. The owner of the infected computer is then notified of the situation and asked to pay a ransom to receive a unique key that would allow the locked files to be decrypted.

What is interesting about this particular ransomware is that it cannot automatically encrypt all of your files. It looks like some sort of toolkit that is used to infect a computer, after which the attackers manually and remotely select which drive, and which files stored on it, they want to encrypt. This malware might not be finished yet, or this feature might have been built in on purpose for some reason. Either way, it is really dangerous and can cause you all kinds of problems.


Kristina virus will lock your personal files

We have already mentioned that this infection is not automated, so the cyber criminals behind it have to perform every step manually. First of all, a malicious .zip file needs to be delivered to your computer. We have tested the KristinaCS.exe ransomware file (the main file in the .zip archive) with the VirusTotal scanner, and 36 out of 68 anti-virus programs detected it as a trojan. That means it is already included in the virus databases.

This file can be delivered to your computer in several different ways. Most often, ransomware like this travels as an email attachment: cyber criminals launch a spam email campaign and hope that some users will open the attachment.

Once the file is inside your computer, the attackers are able to execute it remotely and begin the encryption process. An interesting detail is that they get to choose which hard disk they want to encrypt, so Kristina ransomware could encrypt just one of your disks or all of them at once.

When the encryption process is over, all files stored in the chosen location will be encrypted and the suffix [id]=hernansec@protonmail.ch.crypt12 will be appended to the name of every single one of them. From this moment on, you will not be able to open any of those files, because they are encrypted.

Immediately after that you will notice a new file on your desktop: the so-called ransom note. Usually it provides detailed information about your current situation and what you should do next (pay the ransom). In this case, however, you only get a few sentences and incomplete instructions. The original text of the message:

Your files Have Been Crypted email to: hernansec@protonmail.ch for instructions

You are asked to contact this e-mail address in order to receive further instructions. We do not recommend doing that, because you will only be asked to pay a certain amount of money (probably around $500) in order to receive the unique key that would allow you to unlock the encrypted files.

As you may have noticed, all files are locked with a unique id, so you need a unique key to unlock them. However, even if you pay the ransom, there is no guarantee that your files will be unlocked or that you will receive that key. Never trust or support cyber criminals.
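As an added triage example (not code from the original article), the following Python script walks a constructed file listing, flags files carrying the suffix described above, extracts the per-victim id, and spots the ransom note by the text quoted above. It assumes the bracketed `[id]` token holds the victim id and that the note is identified by its content, since the page does not name the note file.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Suffix the article reports on every encrypted file. The bracketed token is
# assumed (not confirmed by the article) to carry the per-victim id.
CRYPT_SUFFIX = re.compile(
    r"^(?P<orig>.+?)\[(?P<id>[^\]]+)\]=hernansec@protonmail\.ch\.crypt12$"
)
# Opening words of the ransom note quoted in the article, matched case-insensitively.
NOTE_MARKER = "your files have been crypted"


def classify_name(path):
    """Return (original_name, victim_id) if the file name carries the
    Kristina suffix, otherwise None."""
    m = CRYPT_SUFFIX.match(PureWindowsPath(path).name)
    return (m.group("orig"), m.group("id")) if m else None


def is_ransom_note(text):
    """True when readable file content starts like the quoted ransom note."""
    return text is not None and NOTE_MARKER in text.lower()


def triage(entries):
    """entries: iterable of (path, text) pairs, text being the readable
    content or None for binary/unreadable files. Returns a summary dict
    listing encrypted files, victim ids, hit counts per folder and notes."""
    report = {"encrypted": [], "ids": set(), "dirs": defaultdict(int), "notes": []}
    for path, text in entries:
        hit = classify_name(path)
        if hit:
            orig, vid = hit
            report["encrypted"].append((path, orig))
            report["ids"].add(vid)
            report["dirs"][str(PureWindowsPath(path).parent)] += 1
        elif is_ransom_note(text):
            report["notes"].append(path)
    report["dirs"] = dict(report["dirs"])
    return report


# Constructed sample listing for demonstration; not real forensic data.
SAMPLE = [
    (r"D:\docs\budget.xlsx[7F3A9C]=hernansec@protonmail.ch.crypt12", None),
    (r"D:\docs\letter.docx[7F3A9C]=hernansec@protonmail.ch.crypt12", None),
    (r"D:\photos\img_001.jpg[7F3A9C]=hernansec@protonmail.ch.crypt12", None),
    (r"C:\Users\alice\Desktop\README.txt",
     "Your files Have Been Crypted email to: hernansec@protonmail.ch for instructions"),
    (r"C:\Users\alice\Desktop\notes.txt", "shopping list"),
    (r"D:\docs\unrelated.crypt12", None),  # bare extension, no id: not a match
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(len(r["encrypted"]), "encrypted files; ids:", sorted(r["ids"]))
    print("ransom notes:", r["notes"], "| per folder:", r["dirs"])
```

Feeding the output of a real directory walk in as `(path, text)` pairs gives a quick list of affected folders and the id to keep for your records.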

The infection was originally discovered by the malware researcher S!Ri and published on Twitter yesterday, so it is relatively new. Unfortunately, there is currently no way to decrypt files encrypted by Kristina ransomware. Moreover, we do not even know which cryptography this infection uses.

If you have a backup of your hard drive that was made before the date of infection, you can restore your files from it by following this tutorial. Regardless of the fact that your files might be lost forever, you should still make sure to remove the actual infection from your computer. This can easily be done with anti-malware software such as Reimage or SpyHunter. Either of those applications should be able to detect and remove the Kristina virus without problems.

How to recover Kristina ransomware virus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points that were created before Kristina ransomware virus infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Kristina ransomware virus

After restoring your system, it is recommended to scan your computer with an anti-malware program like Reimage and remove all malicious files related to Kristina ransomware virus. You can check other tools here.


Step 3. Restore Kristina ransomware virus affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Kristina ransomware virus tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using the native Windows Previous Versions feature or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Kristina ransomware virus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download Data Recovery Pro (commercial).
  • Install it and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Manual removal


Important Note: Although it is possible to manually remove Kristina ransomware virus, such activity can permanently damage your system if any mistakes are made in the process, as advanced spyware parasites are able to automatically repair themselves if not completely removed. Thus, manual spyware removal is recommended for experienced users only, such as IT specialists or highly qualified system administrators. For other users, we recommend using Reimage or other tools found on 2-viruses.com.


About the author

Main Editor

I started 2-viruses.com in 2007 after wanting to be more or less independent from a single security program maker. Since then, we have kept working on this site to make the internet a better and safer place to use.

November 3, 2017 12:07, November 3, 2017 12:09