KXDE ransomware uses encryption to lock all files on a computer
Contents
KXDE ransowmare is a malicious data-encrypting computer virus that originates from the infamous STOP/DJVU ransomware gang. It scans all computer folders and encrypts files found in them, then marks each of them with additional .kxde extension. To illustrate, a file originally named 1.jpg becomes 1.jpg.kxde and so on. To provide the victim with information on what happened during the cyberattack, the ransomware drops _readme.txt notes in several folders. The message left in these notes suggests that the only possible way to decrypt all files is by using KXDE decryption tool, which the victim can get after paying a ransom to cybercriminals.
The _readme.txt note contains explanation of what happened to the victim’s computer-stored files and cybercriminals’ proposal on how they can be recovered. The note suggests that all files, including images, videos, databases and documents were encrypted with strongest algorithm and unique key. According to the ransomware analysis, the currently used encryption mode combines Salsa20 and RSA-2048 algorithms. The message left by the attackers explains that there is no other way to recover files except of paying a ransom; if the victim plans to do so, one can contact the attackers via provided emails – support@sysmail.ch and supportsys@airmail.cc.
Going further into the ransom note contents, we can see that the criminals suggest testing the decryption service. They recommend sending one small encrypted file to them (preferably one that doesn’t contain valuable information) via email and also include the victim’s Personal ID which is provided in each _readme.txt file. The attackers promise to reply with a decrypted file version to prove that they can recover all of victim’s files. On top of that, they explain that the decryption tool price depends on how fast the victim gets in touch with the criminals. If the victim writes to the provided emails within 72 hours from the infection date, the decryption costs $490. If the victim hesitates for any longer, the price will rise to $980.
Victims of ransomware attacks lose the most valuable data in such events. Naturally, we keep personal memories, work or study files in our computers, and suddenly losing access to them can have disastrous consequences that can affect not only you, but your clients’ files as well (if you use your computer for work, for example). That said, paying a ransom might seem tempting. However, we strongly advise you NOT TO PAY THE RANSOM. The same idea is supported by the official FBI’s advisory for ransomware victims.
First of all, not all ransomware victims recover their data after paying a ransom. Moreover, paying a ransom is wrongful because it funds criminal operations, for instance, money allows them to employ more people, more skilled developers and distributors. Finally, if you decide to comply with criminals’ demands, you will be identified as a victim who is willing to pay up and possibly will be targeted again.
Data encryption isn’t the only malicious activity carried out by STOP/DJVU ransomware. Beware that this notorious malware travels along with Azorult or Vidar Trojans, both known for their capabilities to steal information from victim’s computer (for instance, your browser-saved passwords, cryptocurrency wallets, browsing history, cookies, etc). Moreover, they’re classified as Remote Access Trojans (RATs), which means that the attackers can control them remotely and perform activities such as viewing, deleting your files or downloading something to your computer (such as more malware).
All things considered, you should take action to remove KXDE ransomware virus and related threats from your computer to ensure your privacy is not at risk anymore. Therefore, we have prepared in-detail instructions on how to boot your PC in Safe Mode with Networking and start your chosen antivirus software from there. If you haven’t decided on one that you wish to use, we recommend relying on INTEGO Antivirus. Additionally, we advise downloading RESTORO and running a full system scan to identify which virus-affected system files can be repaired.
Ransomware Summary
Name | KXDE Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA 2048 + Salsa20 |
Previous versions | KAAA, BGJS, BGZQ (find full list here) |
Version | 433rd |
Extension | .kxde |
Cybercriminal emails | support@sysmail.ch and supportsys@airmail.cc |
Additional malware dropped | Azorult or Vidar Trojan |
Damage | The ransomware is designed to encrypt all files and mark their original filenames with an additional .kxde extension. The malware drops _readme.txt ransom note in every computer folder. This threat usually installs VIDAR Stealer alongside it, deletes Volume Shadow Copies and modifies Windows HOSTS file to restrict computer user’s access to cybersecurity-related websites online. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, activators, key generators or tools like KMSPico. |
Known software cracks to contain this malware | Corel Draw, Tenorshare 4ukey, Adobe Photoshop, Cubase, Adobe Illustrator, Internet Download Manager, Tally, League of Legends. |
Detection names | Ransom:Win32/StopCrypt.PAL!MTB (Microsoft), Trojan.Crypt (A) (Emsisoft), HEUR:Trojan-Ransom.Win32.Stop.gen (Kaspersky), Trojan.GenericKD.47850419 (BitDefender), Trojan.MalPack.GS (Malwarebytes), ML.Attribute.HighConfidence (Symantec) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REPAIR VIRUS DAMAGE
Scan your system for FREE to detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically. Includes Avira spyware/malware detection & removal engine.
Ransomware distribution techniques
Malware variants from the STOP/DJVU ransomware family, including KXDE virus, are known to hide in pirated software versions advertised online. The victims typically stumble upon them when looking for ways to illegally activate full versions of paid software. They can be found in rogue websites or downloaded via torrents. Unfortunately, such downloads often carry a malicious payload inside of them, resulting in a full data encryption on a computer. Victims who have been exposed to variants of STOP/DJVU variants report falling into a trap after downloading software cracks supposed to activate full versions of these popular programs:
- KMSPico (illegal Windows activation tool).
- Fifa 20;
- Tenorshare 4ukey;
- AutoCad;
- Opera browser;
- Corel Draw;
- Nero Burning ROM;
- VMware Workstation;
- Cubase;
- Adobe Illustrator;
- League of Legends;
- Microsoft Visio PRO;
- Internet Download Manager;
- Adobe Photoshop.
If you still have a bad habit of using pirated software versions, we recommend that you quit such activities for your own safety. When in need for a specific software, visit its official website or a confirmed partner’s site for deals and discounts and get a legitimate license key from there. This way, you won’t expose your computer to risks that come with illegal software versions. Remember that legitimate software subscriptions are never greater in cost than hefty ransoms that cybercriminals demand, not even to mention additional damages associated with private data loss.
Another common ransomware distribution method that is also related to STOP/DJVU and other malware families is malicious email spam. Cybercriminals send out thousands of email messages to potential victims and attach a maliciously modified file to them, usually a document in DOCX, PDF or XLS formats. These scam emails usually follow a similar pattern – the sender claims to be someone from a well-known company, such as DHL, UPS, eBay, Amazon, or other, and invites the user to open the attached file as soon as possible and reply to the sender. Most of the time, the attachments are named as invoices, order summaries, parcel tracking details and so on.
The message typically contains typo mistakes and the sender doesn’t know your real name, so the scammer greets the recipient using the email address username. For example, if your email address is Eduard123@example.com, the scammer might use Dear Eduard123 as the greeting line. Most of the time, these emails are composed using automatic programs. However, the attackers also tend to use email spoofing techniques to display a different sender’s email address for the victims, so we strongly recommend that you read this article on how to identify spoofed email addresses.
Finally, victims of STOP/DJVU ransomware should stay away from suspicious online resources and people promising you decryption solutions. You should rely on trustworthy cybersecurity blogs only, and if these clearly state that there are no ways to decrypt files, it is that way. Do not fall into a trap of scammers who suggest you to download tools that can decrypt all versions of STOP/DJVU – these can hide additional malware. Moreover, watch out for scammers claiming they can recommend a “hacker” who can decrypt your files, and even worse, do not pay them if they ask you to do so. The only tools that can help victims of STOP/DJVU at the moment are created by Emsisoft and DiskTuna, and you can read more about them here.
How this ransomware operates
If you’re interested in modus operandi of KXDE ransomware virus, continue reading. This computer virus typically operates under its main process which is typically named with 4 random characters, for instance, 1GB6.exe or 9HN6.exe, but it also downloads some helper processes which are usually named as build.exe, build2.exe or build3.exe. Sometimes, it also downloads and runs a process under a name of winupdate.exe to display a fake Windows update screen for the victim while the main process is encrypting victim’s files.
Before starting the data encryption procedure, this ransomware performs a geolocation check first. An interesting detail about this virus is that it doesn’t encrypt files in computers located in several countries, including Ukraine, Russian Federation, Syria, Armenia, Tajikistan, Kazachstan, Kyrgyzstan, Belarus, and Uzbekistan. To check what is the infected computer’s geolocation, the ransomware requests a response from https[:]//api.2ip.ua/geo.json and saves it into geo.json file. This file contains details such as PC’s IP address, country, city, timezone, and more. You can see two different examples of how this file appears in the screenshot provided below.
Next, the ransomware creates a file named information.txt, which contains details about the computer’s hardware, installed software and actively running processes at the time of the attack. The ransomware also takes a screenshot of the desktop and sends them both to the Command&Control server. An example of information.txt contents are presented in the image below.
Next, the ransomware attempts to request an online encryption key from its server. If this fails, the virus switches back to offline encryption mode and uses a hardcoded key instead. It saves the encryption key along with victim’s Personal ID to bowsakkdestx.txt file, and the ID separately to PersonalID.txt file. Both of these are displayed below.
Speaking of SSOI ransomware encryption modes, they are divided into two – online and offline modes. When it comes to the online encryption type, it means that the malware has successfully obtained a unique encryption key and ID for the victim, which makes data recovery chances slim. Speaking of offline encryption mode, it indicates that the virus failed to obtain an encryption key from its server (for instance, due to Internet connectivity issues or if the server was down at the time of the request). Those subject to the offline encryption will typically notice t1 characters at the end of their PersonalID (a file located in C:\SystemID) and this indicates that there’s a possibility to recover all data in the future. Read more on how and when you can decrypt/repair STOP/DJVU encrypted data here.
After saving the encryption key, the ransomware begins encrypting all of victim’s computer files using a combination of Salsa20 and RSA-2048 algorithms. During this process, each affected file will be marked with an additional .kxde extension as shown in the screenshot below.
The virus also drops a copy of _readme.txt in every folder.
Finally, the ransomware alters Windows HOSTS file by adding a list of websites to block on victim’s PC. As a consequence, victim’s attempts to visit them will be unsuccessful. The web browser may respond with DNS_PROBE_FINISHED_NXDOMAIN or similar error.
Remove KXDE Ransomware Virus and Decrypt Your Files
In an unfortunate event of becoming victim of a ransomware attack, the most important step is to erase all traits of the malware that compromised your computer. That said, we encourage you to follow the steps given below to remove KXDE ransomware virus safely. If you’re unsure which antivirus solution you can rely on, our team strongly recommends INTEGO Antivirus. Additionally, we suggest downloading RESTORO to repair virus damage inflicted on Windows OS files.
After KXDE ransomware removal, you may want to take these recommendations into consideration:
- Report cybercrime incident to a local law enforcement agency.
- Use data backups to restore some of your files.
- Find out ways STOP/DJVU-encrypted files could be decrypted or repaired.
- Change all passwords used on the infected computer.
OUR GEEKS RECOMMEND
Our team recommends removing malware using a professional antivirus software.
REMOVE THREATS WITH ROBUST ANTIVIRUS
Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.
Use INTEGO Antivirus to remove detected threats from your computer.
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
KXDE Ransomware Virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove KXDE Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
- Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove KXDE Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
- Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.
Step 2. Start System Restore process
- Wait until system loads and command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%system32restorerstrui.exe in command prompt and hit Enter.
- This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt KXDE files
Fix and open large KXDE files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
- Create a copy of encrypted file to a separate folder using Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the KXDE extension and delete it. Press Enter to save changes.
- In the prompt asking whether you want to make the changes as file might become unusable, click OK.
- Try opening the file.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. KXDE Ransomware Virus is considered the new STOP/DJVU variant, just like KAAA, BGJS, BGZQ (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt KXDE files, follow the given tutorial.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool will automatically include C:// disk as a location to decrypt. The file recovery tool will prepopulate the locations to scan, including connected data storage drives or network drives. Click Add folder if you wish to add additional locations.
In Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know if the decryption tool will work. - Click Decrypt to start restoring KXDE files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure is successful, or you need to wait for an update.
You might also be informed that online key was used to encrypt your files. In such case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The KXDE decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your KXDE extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of KXDE Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open KXDE files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official KXDE decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake KXDE decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Leave a Reply