Kuub Files Locker - How to remove

Kuub is file-encrypting ransomware. One of its most obvious symptoms is that many files can’t be opened and they appear to have been converted to the KUUB type, marked with the “.kuub” suffix on their names.

Kuub is the newest known incarnation of the Djvu ransomware, following Boot, Nesa, and Karl. These variants are very similar to each other, but they have definitely improved since Djvu’s early versions.

Kuub usually places the “_readme.txt” ransom note in most of the affected folders. This file has a message from the developers of the ransomware. They basically tell you to send them money and give their email addresses — [email protected] and [email protected].

The text of the ransom note reads:

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.

It’s a bad idea to contact those people — even though they promise to fix your files, they’re the ones responsible for the Kuub ransomware encrypting them in the first place. They might send you a working decrypter, or they might take the money and leave you out in the cold.

Kuub is a part of a horrible and destructive extortion scheme and the people who made it should not be trusted. Instead, the ransomware should be deleted as quickly as possible:

Kuub distribution
  • Pirated files and software
  • Free programs downloaded from unreliable websites
Consequences
  • Locked files with the “kuub” extension
  • Broken antivirus software
  • Blocked cybersecurity websites
  • Stolen passwords from your browser
Remove Kuub
  • Use anti-malware tools (SpyHunter) in safe mode
  • Change online passwords
  • Update all software
Restore the files
  • Use system restore, shadow volume copies
  • Use data recovery
  • Wait for a free decrypter

How Kuub spreads

This ransomware isn’t one that attacks big businesses or governments. Kuub is targeted at normal people, the ones who have their school projects and personal photos on their computer, or who are using a work-issued laptop to download programs for personal use.

So Kuub is mostly spread by uploading it online and making it available to download for free. The ransomware might be made to look like or infect a variety of free files:

  • Activators and key generators for expensive programs.
  • Cracks.
  • “Free” commercial programs and software suites.
  • Books, films, and other pirated files.
  • Free programs shared on spoofed or infected websites.

Nearly anyone could accidentally get infected by Kuub or a similar virus. You might be able to catch it if you scan each and every downloaded file before you run it, but when a threat is new, like Kuub, not all anti-malware tools can recognize it right away. By the way, this is why it’s important to regularly update your antivirus program.

How Kuub works

When Kuub first runs, it breaks the installed anti-malware program. You will need to repair it after removing the ransomware.

Restore points and backup copies of the files are also deleted, provided the ransomware didn’t malfunction. This makes recovering the files difficult.

The ransomware modifies your hosts file and blocks a long list of cybersecurity-focused websites, including ours, to make it harder for the victims to find information on the ransomware. There are some instructions below on how to fix the hosts file.

Kuub also installs a password stealer, a trojan called Azorult. Some victims of Djvu ransomware report that their online accounts were hacked soon after the files-locker infection. For example, if you had passwords saved in your browser, the stealer could get that data and relay it to whoever is responsible for the infection. They might sell these accounts, or use saved credit card information to make purchases.

".kuub Ransomware", the ransom note

Be safe online. At the very least, make sure not to use the infected computer for anything to do with money. Set up 2-factor authentication; that should make it harder (though not impossible) to steal online accounts. One person said that the cryptocurrency wallet they had ready to pay the ransom was hacked and the money was stolen (hundreds of dollars). No money and no decryption.

Speaking of, the way that Kuub makes your files unopenable is by encrypting them. You can use encryption yourself to password-protect your files and folders so that they remain visible to everyone, but can only be opened by those who have the password. Kuub is doing that, but hiding the passwords from you.

The Kuub encryption is very fast. Bigger files are only partially encrypted, but they’re still broken enough that you can’t usually recover the data. No use removing the extensions — encrypted files are edited to turn their content into random-looking nonsense.
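To see which part of a file was actually overwritten, you can measure the byte entropy of each chunk: encrypted regions look random (close to 8 bits per byte), while untouched text does not. This is an added example, not code from the original article; the chunk size, the threshold, and the constructed sample buffer are assumptions, and the page does not state how many bytes Kuub encrypts.

```python
import math
import os
from collections import Counter

def shannon_entropy(chunk):
    """Entropy in bits per byte: near 8.0 for encrypted data, lower for text."""
    if not chunk:
        return 0.0
    total = len(chunk)
    return -sum(c / total * math.log2(c / total) for c in Counter(chunk).values())

def entropy_profile(data, chunk_size=4096):
    """Return [(offset, entropy)] for each chunk of the buffer."""
    return [(off, shannon_entropy(data[off:off + chunk_size]))
            for off in range(0, len(data), chunk_size)]

def encrypted_ranges(data, chunk_size=4096, threshold=7.5):
    """Merge consecutive high-entropy chunks into (start, end) byte ranges.

    chunk_size and threshold are illustrative assumptions, not Kuub parameters.
    """
    ranges = []
    for off, h in entropy_profile(data, chunk_size):
        if h < threshold:
            continue
        end = min(off + chunk_size, len(data))
        if ranges and ranges[-1][1] == off:
            ranges[-1] = (ranges[-1][0], end)   # extend the previous range
        else:
            ranges.append((off, end))
    return ranges

def build_sample():
    """Constructed stand-in for a partially encrypted file (not a real sample):
    random bytes for the 'encrypted' head, plain text for the untouched tail."""
    head = os.urandom(8192)
    tail = b"Quarterly report, page 1. " * 630
    return head + tail

if __name__ == "__main__":
    for start, end in encrypted_ranges(build_sample()):
        print(f"high-entropy region: bytes {start}-{end}")
```

Compressed formats such as JPEG, ZIP, or DOCX are high-entropy even when intact, so this check only separates encrypted from untouched regions in low-entropy files like plain text or uncompressed databases.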

Cryptography is really useful because, even though everyone knows how the algorithms work, properly encrypted data can’t be read without the key. You need the unique decryption key to recover the data, and in the case of Kuub ransomware, only the criminals who spread it have the key.

Kuub isn’t perfect: based on how the previous versions of this ransomware work, when it’s forced to run in the offline mode, it uses hardcoded keys which are not hidden properly. Because Kuub runs multiple times to encrypt all the files, and some of those runs might happen to be offline, some of the files of any given victim might be encrypted this way.

Remove Kuub and fix the files

At the moment, there is no way to decrypt Kuub files without contacting the criminals. There are some researchers who work on Djvu and who might find the offline keys used by this ransomware. If that happens, a fraction of Kuub victims will be able to decrypt their files — if they don’t delete or edit those files first. I’ll try to update this article if Kuub is supported.

Edit: the offline Kuub key has been released and you can try running the decrypter on your files, just follow the instructions in the link.

The last section of this article has a few ways to recover lost data. These ways don’t attempt to decrypt your locked files, but instead treat them like they’re corrupted. Another way to get your data back is by restoring it from backups — you should always have your most important files saved on more than one storage device, never all on the same computer.

First, though, it’s necessary to remove Kuub ransomware, the spyware trojan, and any other malware that might be on your computer. You can use any competent anti-malware tool, but preferably one that runs in Safe Mode, like SpyHunter.

Important -- edit the hosts file to unblock security websites

TL;DR: The hosts file is edited to block security sites. Before the virus can be removed, it's necessary to fix the hosts file (the file which controls which addresses connect to which IPs). That is the reason the majority of security websites are inaccessible when infected with this particular parasite. This infection edits this file to stop certain websites, including anti-malware download sites, from being accessed from the infected computer, making browsers return the "This site can't be reached" error. Luckily, it's trivial to fix the file and remove the edits that were made to it.

Find and edit the hosts file

The hosts file can be found at C:/Windows/System32/Drivers/etc/hosts. If you don't see it, change the settings to show hidden files.
  1. In the Start Menu, search for Control Panel.
  2. In the Control Panel, find Appearance and Personalization.
  3. Select Folder Options.
  4. Open the View tab.
  5. Open Advanced settings.
  6. Select "Show hidden files...".
  7. Select OK.
Open this file with administrator privileges.
  1. Open the Start Menu and enter "notepad".
  2. When Notepad shows up in the results, right-click on it.
  3. In the menu, choose "Run as administrator".
  4. File->Open and browse for the hosts file.
The hosts file should contain only its default contents. Delete any additional lines that connect various domain names to the wrong IP address. Save the file.
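The manual check above can also be scripted, which helps when the file holds a long list of blocked sites. The following is an added example, not part of the original article: it parses hosts-file text, keeps comments and localhost entries, and flags every other active mapping for review. The sample content and its domain names are constructed placeholders, and the assumption that only "localhost" is a legitimate active entry may not hold if you added your own mappings.

```python
import ipaddress

# Assumption: a stock Windows hosts file has no active entries beyond
# localhost; everything else in it is a comment.
ALLOWED_NAMES = {"localhost"}

def audit_hosts(text):
    """Split hosts-file text into (kept_lines, flagged_entries)."""
    kept, flagged = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].split()   # drop trailing comments
        if not body:                          # blank line or pure comment
            kept.append(raw)
            continue
        addr, names = body[0], body[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            flagged.append((lineno, raw.strip(), "malformed address"))
            continue
        extra = [n for n in names if n.lower() not in ALLOWED_NAMES]
        if extra or not names:
            flagged.append((lineno, raw.strip(), "non-default mapping"))
        else:
            kept.append(raw)
    return kept, flagged

# Constructed sample: default-style comments plus two injected block entries.
SAMPLE = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1 localhost
127.0.0.1 av-vendor.example
127.0.0.1 www.security-blog.example  # constructed entry
"""

if __name__ == "__main__":
    kept, flagged = audit_hosts(SAMPLE)
    for lineno, entry, reason in flagged:
        print(f"line {lineno}: {entry!r} ({reason})")
    print("--- cleaned file ---")
    print("\n".join(kept))
```

Run it against a copy of the hosts file and review the flagged lines before overwriting the original with the cleaned version.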

Download and run the antivirus program

After that, download antivirus programs, such as Spyhunter (https://www.2-viruses.com/reviews/spyhunter/dwnld/), and use them to remove the ransomware, the trojan, and other malware.

How to recover Kuub Files Locker encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start -> Shutdown -> Restart -> OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot -> Advanced Options -> Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points created before Kuub Files Locker infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.


Step 2. Complete removal of Kuub Files Locker

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter, and remove all malicious files related to Kuub Files Locker.

Step 3. Restore Kuub Files Locker affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Kuub Files Locker tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so.

Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties -> Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Kuub Files Locker encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connecting the infected hard drive as a slave drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
