Kromber Ransomware - How to remove

Kromber ransomware is a computer virus that’s an important part of an extortion scheme. It locks your files and then demands money for them. Kromber is based on Matrix, but it’s new, only discovered a few days ago, on July 12, by Amigo-A. Even though the Matrix predecessor has a decryption tool developed for it, Kromber hasn’t been cracked yet, so it’s a real threat to people online.

The virus works by going through the files on a computer and modifying them with a cryptographic algorithm. Just like regular encryption can make data unreadable to everyone who doesn’t have a password or a decryption key, illegal file encryption makes the files essentially broken for their user until Kromber’s developers send over the decryption keys.

The extension that Kromber uses to mark the encrypted files is “.[[email protected]]”. It includes one of the email addresses ([email protected], [email protected], and [email protected]) that are listed in the ransom note #_#ReadMe#_#.rtf.

Your documents, databases, backups, network folders and other important files are encrypted with RSA-2048 and AES-128 ciphers.

More information about the RSA and AES can be found here:
http://en.wikipedia.org/wiki/RSA_(cryptosystem)
http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

It mеаns thаt yоu will nоt bе аblе tо аccеss thеm аnуmоrе until thеу аrе dесrуptеd with yоur pеrsоnаl dесrуptiоn kеy! Withоut уоur pеrsоnаl kеy аnd sреciаl sоftwаrе dаtа rеcоvеrу is impоssiblе! If yоu will fоllоw оur instruсtiоns, wе guаrаntее thаt yоu cаn dесryрt аll yоur filеs quiсkly аnd sаfеly!

=====================================================================
Уоu rеаlу wаnt tо rеstоrе yоur filеs? Plеаsе writе us tо thе е-mаils:

[email protected]
[email protected]
[email protected]

It’s true that ransomware encrypts user-created files (the operating system’s files are left alone), as well as that the decryption keys are unique to each victim. This means that if someone was able to buy a Kromber decryption, it won’t work for the other victims.

The Kromber ransom note goes on to describe how the criminals wish to be paid — they want cryptocurrency. While cryptocurrency is legitimate, it has been often used by criminals thanks to its anonymity, decentralization, and the ability to automate it. Likely, it’s also good for them that people can’t take back the money they paid, or complain to their bank.

Please, write us in English or use a professional translator!

If you want to restore your files, you have to pay for decryption in Bitcoins or with other top cryptocurrency. The price depends on how fast you write to us!

Your message will be as confirmation you are ready to pay for decryption key. After the payment you will get the decryption tool with instructions that will decrypt all your files including network folders.

To confirm that we can decrypt your files you can send us up to 3 files for free decryption. Please note that files for free decryption must NOT contain any valuable information and their total size must be less than 5Mb.

You have to respond as soon as possible to ensure the restoration of your files, because we wont keep your decryption keys at our server more than one week in interest of our security.

Note that all attempts of decryption by yourself or using third party tools will result only in irrevocable loss of your data.

As you can see, the people behind Kromber try to scare their victims into acting quickly and without consideration by promising a cheaper decryption price to faster responders. They don’t list the ransom prices, but generally, they vary between a few hundred and a few thousand dollars. And though the criminals sometimes keep their promise and send the decryption keys after being paid (other times they just demand more money), and even when the key works (it doesn’t always), paying is the last thing you should consider, as it would be supporting criminal activity and encouraging the people behind Kromber to continue distributing it.

Luckily, criminals occasionally get caught, even the ones who use Bitcoin.

How does Kromber spread?

Kromber likely spreads through RDP, so you might not even notice when it gets installed. You don’t need to do anything other than have remote desktop accessible to anyone. If the connection is not protected properly, the password could be guessed and allow criminals to break into the system and do whatever they wanted (which was to install Kromber, disable your antivirus, etc.).

Matrix, which Kromber and another variant, PEDANT, is based on, was also distributed using malicious advertising. This is common with a few recent ransomware viruses. Criminals can infect ads which are served even on reputable websites, and computers that are exposed to those ads are checked for available vulnerabilities. Those using outdated software, like a too old version of their browser or media player, might have an unpatched security flaw that allows an exploit kit to infect their computer with a Kromber. Matrix used this method of distribution in the past, with the help of the RIG exploit kit.

Infected emails can spread ransomware, too — usually with the help of Macro viruses. Relock, another version of Matrix, is thought to have been distributed that way. Infected spam emails are sent out in bulk, without targeting anyone specific (though targeted phishing exists, too), hoping that some of the recipients will open the files and enable macros.

To protect your system against Kromber and other viruses:

• Update your browser, media players, antivirus, etc., or at least install the security patches.
• Secure your browsing.
• Backup your data.
• Don’t open or run files that weren’t scanned.

How to remove Kromber

Kromber can be removed with the help of a strong antivirus program, like Spyhunter If Kromber got on your computer by being installed through RDP, your installed antivirus program probably had its settings altered to stop it from being able to detect Kromber, so it’s important to fix that and whatever other harm the virus might have caused. Update your software and review your settings to check that they’re as you want them.

After Kromber is gone from your system, time to try out your file recovery options. If you don’t have a backup of your data, the options listed below (shadow copies, data recovery) might help you get back your data, or some of it.

Automatic Malware removal tools

How to recover Kromber Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Kromber Ransomware has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Kromber Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Kromber Ransomware. You can check other tools here.  

Step 3. Restore Kromber Ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Kromber Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Kromber Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.