Geek's Advice

Kkll ransomware virus infects computers to encrypt files on them

KKLL ransomware is a file-encrypting virus which belongs to STOP/DJVU malware family. This virus is designed to encrypt victim’s files on the targeted Windows computer and make them inaccessible. The cyber threat attaches .kkll extension to the corrupted files and leaves _readme.txt file as a ransom note in every modified folder. Victims are asked to contact the attackers via helpmanager@mail.ch or restoreadmin@firemail.cc e-mail address. Like that would not be enough damage, the ransomware also drops AZORULT, a password-stealing malware, payload on the system.

Alternatively called Kkll file virus, this particular cyber threat is highly dangerous as it installs malicious codes that prevent users from accessing security tools. Later, the virus displays an imitation of Windows update screen (winupdate1.exe process) while encrypting data. It targets all files on the computer, including photos, videos, documents and other data.

After successful encryption, the victims receive a ransom note in a form of a text file. Cyber criminals explain that the information on the attacked computer is no longer accessible, unless users can unlock them with a decryption tool. It is a unique sequence of characters and numbers that cannot be duplicated. Thus, Kkll ransomware developers ask to purchase it.

Users are demanded to pay $490 in Bitcoins within 72 hours. The transaction must be made in cryptocurrency in order to avoid the identification of the attackers. After the 72 hour period, the price doubles to $980. Cybercriminals promise to give the decryption key after the payment. However, our experience with previous versions (PEZI, ZIPE, NLAH) of this ransomware shows differently.

Many users whose computers got infected with Kkll file-encrypting virus report that even if they agreed to pay, attackers refused to send the decryption tool or asked for more money. Therefore, our security team highly advises to not make deals with cybercriminals under any circumstances.

Instead, people should immediately start Kkll virus removal after the first symptoms. We understand that this cyber threat might frighten regular computer users. Thus, we recommend getting a reputable malware removal software right away. We like using RESTORO, as it is expert-approved and robust enough to kill all ransomware remains and reverse damage on certain files.

Keep in mind that when you remove Kkll ransomware, the files will remain encrypted. There are multiple ways how you can recover them without agreeing to pay up for the attackers. One of the best methods is to use the latest backup from the Cloud. If you do not store backups, you can try alternative recovery methods that are explained in STOP/DJVU decryption article.

Summary of the threat

Name	Kkll ransomware
Type	File-encrypting virus
Family	STOP/DJVU ransomware
Version	230th
Latest variants	NLAH, ZIPE, PEZI, COVM, MZLQ, SQPC
Extension	.kkll
Ransom note	_readme.txt
Contact e-mails	helpmanager@mail.ch, restoreadmin@firemail.cc
Amount of the ransom	50% off within the first 72 hours of infection, $490-$980
Spread	Lures users into installing the ransomware themselves via fake software uploads on peer-to-peer (P2P) networks or fraudulent Adobe update pop-ups
Symptoms	Users can no longer access security websites or in-built security tools, like Windows Defender; Malware displays a deceptive Windows update screen while encoding data
Damage	All files on the computer are corrupted and inaccessible; Virus additionally installs a password stealer, named AZORULT. Victim can no longer access certain websites due to the virus-affected Windows HOSTS file.
Removal	You can kill ransomware remains with RESTORO or other professional malware removal software

People are tricked to install the ransomware themselves

Cybercriminals employ well-developed deceptive techniques that are designed to lure people into downloading the ransomware on their own. Most of the time, Kkll virus’ victims claim to have found the malware in software crack they recently downloaded via P2P file sharing networks.

Illegal software copies are distributed altogether with tools to bypass the licensing part of the installation, and this is where the attackers place the ransomware-starting file. Therefore, any time you open a keygen or similar tool supposed to let you “crack” the software, you might activate a ransomware payload on your computer.

Avoid malicious downloads by staying away from illegal program copies. If you need a specific software, consider downloading it from official vendor’s website – they often offer free trials, too. It is always better to support software developers than ransomware criminals, who push malware through illegal downloads daily.

Ransomware-type threats are also often distributed as malicious email attachments. Criminals compose realistic-looking messages and send such emails for a bunch of people at one time. Deceptive messages often inform about missed or received payments, tax returns or very important reports that the victim should open as soon as possible.

The phishing message frequently urges the victim to reply back after opening the attachment. Inexperienced computer users who aren’t aware of such hackers’ techniques might fall for the trap and do as told, therefore opening a malicious file-encrypting payload.

Remove KKLL virus and decrypt your files

You should remove Kkll ransomware virus safely, meaning that the malware remains cannot interfere with the security programs you’re about to deploy. Therefore, we recommend starting your computer in Safe Mode with Networking first. This mode will allow you to run your malware/spyware removal software and eliminate the discussed ransomware along with password-stealer it installed on your system. We recommend using RESTORO afterward to scan for potential virus damage on the system.

Remember that straight after Kkll file virus removal, you must change all of your passwords. We recommend doing so because of the password-stealer’s activity on your computer. Simply go through the saved passwords list in your browser, visit those sites and change your password on them before the cyber attackers can use them.

For now, concentrate on the malware removal. You will find the file recovery guide below these instructions.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense

If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

How to decrypt .kkll files (File Recovery Explained)

Once you perform KKLL file virus removal, you can start testing file-decryption tools available today, or use your data backups. One of such decryption tools is Emsisoft STOP Decrypter. Howevever, we want to inform you that it will only be capable of decrypting files locked by offline DJVU encryption.

You can read more about it here, although the easiest way to identify offline encryption is to open C:/SystemID/PersonalID.txt file created after the attack. It contains an ID, which should end in t1 if you’re subject to offline encryption. In every other case, online encryption is used.

A quick guide how to use STOP Decryptor, which you can download here.

1. Once you download the decryptor, run it and check whether you agree to its Terms and conditions.
2. No that you have agreed to the terms, add a folder to decrypt, as shown in the picture. Then hit decrypt and be patient until the tool finishes its work. If your files can’t be decrypted, you will receive a message from the tool.

NOTE. The KKLL decryption tool might show certain responses informing about the chances of file recovery. One of the possible scenarios is when the decryptor shows the following message:

Result: No key for new variant offline ID: [ID]
This ID appears be an offline ID. Decryption may be possible in the future.

If you receive this message, it means that your files were affected by OFFLINE KKLL ransomware encryption, which means that your encryption/decryption pair matches with any other victim affected by offline encryption.

In other words, offline encryption is used when the virus fails to obtain individual, and unique key pair from its command&control server. Therefore, once one victim pays the ransom and shares the obtained key with Emsisoft’s researchers, the decryptor will be updated. In short, if you received this message, do not delete your files and stay patient. Check for updates every week here and see when the tool becomes capable of decrypting your files.

Decryption is impossible: an online key is used.

If you see the following message in the decryptor, it means that your files were affected by an online encryption, meaning that no one else has the same encryption/decryption key pair. In such case, chances to recover files without paying are extremely low. In fact, the only possible scenario is if the criminals get caught and their computers/servers seized; or if they disclose the decryption keys willingly. None of these scenarios are likely to happen. Therefore, online encryption victims should rely on data backups only.

Frequently Asked Questions