Krusop Ransomware - How to remove

Krusop is a new edition of Djvu/STOP ransomware. The name is based on the extension that the virus appends to the names of the victim’s computer files. The virus uses a cryptographic algorithm to lock those files, and the victim is then offered the chance to get their data back in exchange for a substantial sum of money. So, not only can Krusop cost you your personal files, but you might also lose a lot of money if you decide to pay the criminals.

It’s not yet clear whether you can restore the files for free, but there are definitely options that you should look into instead of contacting the extortionists right away. Not to mention that viruses spread in groups: the developers of Krusop left you a note, _readme.txt, asking you to pay them money, but they forgot to mention that a lot of STOP ransomware variants are distributed together with a password-stealer, which is just waiting for you to log in to your bank account or a crypto wallet so that it can send your credentials to the criminals.

Other malware may also have infected your system, since most malicious programs use similar methods to spread. That’s why it’s important not just to remove the virus and fix the damage, but also to reinforce and improve the security of your system so that future problems can be avoided or, at least, reduced.

How does Krusop work?

Krusop uses cryptography to change the contents of the files, or portions of their contents, to ciphertext. The ciphertext is generated from the files’ original contents but, after the encryption, it looks like nonsense to your computer programs. There is a way to reverse this (it’s just math, after all), but you need the decryption key, and it’s far too complex to guess. The virus is genuinely secure and hasn’t been completely cracked, except for some of the earliest versions of Krusop’s predecessors in the STOP family. Unfortunately, the criminals have improved the design since then, and Krusop has fewer weaknesses than those earlier infections.

Besides being secure, Krusop is a fast virus. It might display a fake Windows Update pop-up while it contacts the Command & Control server to download the encryption keys for the files and encrypts the files it finds on your machine. If it can’t connect to the server, it still encrypts the files, though using a hardcoded key this time. Krusop is named after the locked files:

picture.jpg -> picture.jpg.krusop

Of course, removing the extension doesn’t do anything to restore the functionality of the files. They’re broken — can’t be opened, can’t be viewed.

_readme.txt is the message from Krusop’s creators. The extortionists instruct you to send them a file to test that they really can decrypt the files, and to contact them for payment information. This note is almost the same as in other STOP variants, like Roland and Kroput, though the email addresses are different: this time, they’re [email protected] and [email protected]. To keep you from looking for help online, Krusop also changes your settings so that you cannot visit some websites.

So, Krusop infects your machine, locks the files, throws away the key, and the criminals then offer to sell your own data back to you. This scheme isn’t unique: ransomware is a real threat to individual users of personal computers, as well as to institutions, businesses, and organizations and their systems. Krusop is designed to target the former, and the ransom is appropriately small, but this is still a crime and should be reported when possible.

Krusop ransom note

How to remove Krusop and restore the files

Your system should be scanned and the files should be removed, which can be done with the help of a professional antivirus tool, such as Spyhunter. It can also be done manually if you know where the files are, but it’s still beneficial to scan your system afterward. After all, if the ransomware isn’t removed, it could re-encrypt everything. If the password-stealer isn’t gone, it could hack your accounts.

This can’t help the locked files, of course. There is no certain way of restoring the data encrypted by Krusop (unless you have a backup), but there are options:

  • Restore from a backup.
  • Buy decryption from the criminals.
  • Wait for a free decrypter.
  • Use data recovery tools.

While restoring from backup is the ideal way to deal with a ransomware virus (though you should remove Krusop first), it’s not always possible because not everyone keeps a backup. Having secure, up-to-date backups is a must for anyone who wants to absolutely protect their data. Hard disks and solid-state drives fail, so it’s not even necessary for a virus like Krusop to attack in order for you to lose your data.

Paying the criminals is not advised as they are unreliable. However, some people feel like it’s their only option and, in that case, just make sure to not reveal your passwords and other private data to any criminals.

A cybersecurity researcher who volunteers to help the victims of various ransomware, Demonslay335, has developed a program called STOPDecrypter which can unlock the files encrypted with a hardcoded key, and he regularly updates it if he finds the keys of new Djvu strains. If he updates it to support Krusop, it’s possible that some of your files could get decrypted — without a need to contact the criminals.

Data recovery and the other options listed below are available, but the results will depend on your individual circumstances. Before you do anything drastic, make sure that you’ve backed up your encrypted Krusop files somewhere, so that you don’t accidentally modify them and deny yourself a chance to decrypt them in the future.
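As an added triage helper (not part of the original article or of any tool it names), the Python script below inventories the .krusop files and _readme.txt notes under a directory, uses a byte-entropy check on the head of each file to tell genuinely encrypted files from ones that were merely renamed, and copies everything to a separate backup folder before any recovery is attempted. The directory paths, entropy threshold and sample files are assumptions for the demonstration.

```python
import math
import shutil
from collections import Counter
from pathlib import Path

EXTENSION = ".krusop"      # extension Krusop appends to locked files (from the article)
NOTE_NAME = "_readme.txt"  # ransom note dropped by STOP/Djvu variants (from the article)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ciphertext sits near 8.0, ordinary text far below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, backup: str, sample_bytes: int = 4096) -> dict:
    """Inventory Krusop artefacts under `root` and copy them into `backup`.

    Returns {"encrypted": [...], "suspect_renamed": [...], "notes": [...]} with
    paths relative to `root`. Only the file head is sampled, because the article
    says Krusop encrypts "the files or portions of their contents", so the start
    of a locked file is the part that is certain to have changed.
    """
    root_p, backup_p = Path(root).resolve(), Path(backup).resolve()
    result = {"encrypted": [], "suspect_renamed": [], "notes": []}
    for path in sorted(root_p.rglob("*")):
        if not path.is_file() or backup_p in path.parents:
            continue  # skip directories and anything already inside the backup tree
        rel = path.relative_to(root_p)
        if path.name == NOTE_NAME:
            result["notes"].append(str(rel))
        elif path.suffix == EXTENSION:
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)
            # Assumed threshold: a head above 7 bits/byte is treated as ciphertext.
            # Caveat: already-compressed originals (JPEG, ZIP) are high-entropy even
            # when intact, so "suspect_renamed" is only reliable for text-like files.
            bucket = "encrypted" if shannon_entropy(head) > 7.0 else "suspect_renamed"
            result[bucket].append(str(rel))
        else:
            continue
        dest = backup_p / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)  # copy2 keeps timestamps for later analysis
    return result
```

Run it against a copy of the affected drive mounted read-only where possible; the backup tree mirrors the original layout so files can be matched up later.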

How to recover Krusop Ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start > Shutdown > Restart > OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot > Advanced Options > Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available restore points created before Krusop Ransomware infiltrated your system, then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Krusop Ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Krusop Ransomware. You can check other tools here.

Step 3. Restore Krusop Ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files as they were at the point in time when the system restore snapshot was created. Usually Krusop Ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties > Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Krusop Ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
