Contents
KOOM ransomware is a computer virus who aims to encrypt all files on the target Windows system. It is a new variant of the infamous STOP/DJVU ransomware. After being launched on computer, it starts scanning all directories and turning files inaccessible thanks to RSA Salsa20 crypto-algorithm and appends .koom extension to full file name. For example, a file prior to the attack called 1.jpg appears as 1.jpg.koom once modified by the virus. The sole aim of data encryption in this case is virtual victim’s extortion, therefore the ransomware drops ransom notes (_readme.txt) in every folder to inform the computer user about the attack and what the cybercriminals want from the victim. According to the note, the criminals expect the user to pay a ransom in order to get KOOM file decryption tool. The price of it depends on how fast the victim contacts the attackers via provided emails (manager@mailtemp.ch, managerhelper@airmail.cc) and pays the ransom. If done within 72 hours, the price would be $490, otherwise – $980 in Bitcoin.
KOOM ransomware virus locks victim’s personal files such as images, videos, documents, archives and other data formats with sole aim to restrict user’s access to them and force to pay a ransom for their decryption. The way this virus functions is that once on the victim’s computer, it checks for Internet connection and if it is available, it connects to its Command&Control server to get a unique generated encryption key for the host machine. If the connection fails, the virus uses a hardcoded offline encryption key instead.
During data encryption, the malware only affects the first 150 KB of each file to finish the attack process sooner. This is enough to make data inaccessible, although it also allows the victim to repair certain file formats with some data loss as explained in this guide. For example, a repaired audio file might miss some seconds of the recording in the beginning of it.
Cyber criminals behind KOOM virus know that the victim needs to recover files as soon as possible because these are important to one as personal memories or are work or study related. Therefore, they present a solution in the _readme.txt note. According to the message left in it, the attackers expect the victim to pay a ransom to them to get the decryption key and software. They also offer a 50% discount from the initial decryption price (which is $980) if the victim writes to the given email addresses and settles an agreement within 3 days. In this case, the attackers promise to provide required tools for $490.
In addition, the note suggests that the computer user can send one encrypted file to them via email so that the attackers could demonstrate the effectiveness of the tools and provide a decrypted version of it. This way, they simply try to encourage the victim to “trust” them and pay as soon as possible.
However, according to cybersecurity experts worldwide and Geek’s Advice team, paying a ransom is NOT a recommended option. Here are some reasons why you shouldn’t do as cybercriminals command you to do:
In addition, viruses from STOP/DJVU ransomware family often drop AZORULT Trojan, an information-stealer on infected systems. This threat can collect information that can be used to blackmail you further , steal your personal accounts or even cause financial loss.
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Victim’s typically download KOOM ransomware virus via infected software cracks or other illegal torrent downloads. The ransomware first launches a fake executable file called winupdate.exe which displays a deceptive Windows update prompt on the screen. It has a process bar on it and pretends that some essential operating system updates are being installed. The purpose of it is to deceive the victim and make one ignore the unexpected system slowdown.
However, at the same time, the ransomware executable named build.exe starts its operation. It identifies victim’s computer’s geolocation because such viruses are often programmed to cease the operation if the geolocation matches countries from the exception list. The process also captures various computer-related details, such as admin’s name, installed software list, browsing history and similar.
As mentioned earlier, the virus first decides whether to use online or offline encryption key and victim’s ID (the latter usually ends in t1). The virus saves the encryption key used and victim’s personal ID to C:\Users\admin\AppData\Local\bowsakkdestx.txt and also saves the ID to C:\SystemID\PersonalID.txt.
Then the malware begins scanning the system and encrypting files, plus dropping ransom notes in every directory. Once files are locked, the ransomware deletes Volume Shadow Copies from the computer by running a Command Line task:
vssadmin.exe Delete Shadows /All /Quiet
Deleting VSS prevents the victim from restoring files using System Restore points (if any were created prior to the attack). In some cases, the ransomware also modifies Windows HOSTS file by adding a list of various computer-related self-help websites, public forums and tech news sites and mapping them to localhost IP. This causes DNS_PROBE_FINISHED_NXDOMAIN error to appear for the user when trying to access them. In other words, the virus attempts to block websites that could provide valuable information for a victim of ransomware attack.
Finally, some STOP/DJVU variants silently drops AZORULT Trojan on the system. This threat is capable of collecting sensitive data from the victim’s computer and transmitting it to the criminal. Besides, criminals can use it as a Remote Access Tool and perform the following tasks without physical access to the compromised computer:
Needless to say, keeping such dangerous threats on your computer can lead to disastrous consequences. For this reason, our team recommends to remove KOOM ransomware virus along other residing malware as soon as you can. Typically, we do not suggest trying to eliminate computer viruses manually – unless you are a cybersecurity professional. For this task, we recommend you to follow the guide given below the article and use a robust antivirus such as INTEGO Antivirus to clean the infection automatically. In addition, we suggest downloading RESTORO to repair virus damage caused for Windows OS files.
Name | KOOM Ransomware Virus |
Type | Ransomware; Crypto-malware; Virtual Extortion Virus |
Family | STOP/DJVU |
Encryption type | RSA Salsa20 |
Previous versions | VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here) |
Version | 329th |
Extension | .koom |
Dropper | SmokeLoader (see VirusTotal details) |
Damage | The ransomware turns personal files stored on a computer inaccessible by encrypting them with military-grade encryption algorithm. The affected files can be recognised from additional .koom extension appended to their original names. The virus also leaves _readme.txt notes in every system directory. The ransomware deletes Volume Shadow Copies to prevent easy data recovery and adds a list of blocked domain names to Windows HOSTS file. Some variants drop AZORULT Trojan on the system. |
Ransom note | _readme.txt |
Ransom demand | $490-$980 in Bitcoin |
Distribution | Victims often download this ransomware along illegal torrent downloads, cracked software, key generators or tools like KMSPico. |
Detection names | Trojan:Win32/Glupteba (Microsoft), VHO:Trojan-Spy.Win32.Stealer.gen (Kaspersky), Gen:Variant.Graftor.974954 (BitDefender), ML.Attribute.HighConfidence (Symantec), W32.Trojan.Gen (Webroot) see all detection name variations on VirusTotal |
Removal | Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO. |
REMOVE MALWARE & REPAIR VIRUS DAMAGE
1 Step. Get robust antivirus to remove existing threats and enable real-time protection
INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.
2 Step. Repair Virus Damage on Windows Operating System Files
Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.
Ransomware type threats coming from STOP/DJVU family are usually distributed in a form of malicious downloads, mostly those that are distributed via peer-to-peer file sharing networks. Many victims who have reported getting infected with KOOM, WIOT or other versions said that the infection came from cracks used to activate the following software:
Cybercriminals prey on computer users and gamers who seek to get pirated software copies, movies and other content and bypass license or streaming fees. Sadly, non-genuine software often comes packed with additional apps, malicious scripts or malware such as ransomware. However, the worst part is that users try so hard to get paid content for free that they even willingly choose to ignore their security software alerts. Most of the time, they believe that antivirus programs flag any type of “crack” download as insecure, therefore they proceed to make an exception for it and open it anyway. This can result in an immediate computer infection, although you might not notice it instantly. In case of ransomware, your files can get encrypted (remember that the most noticeable location – desktop gets compromised last), although you can get infected with not-so-noticeable malware such as crypto-mining software or Trojans as well.
Remember that if you want to obtain a genuine and secure software copy, you should always choose legitimate sources to download it. We also want to add our two cents and mention that software license prices hardly ever surpass hefty ransoms demanded by cybercriminals.
Another very popular method to distribute ransomware is to inject its download and execution script into a document (DOCX, XLS, PDF or another format), attach it to a phishing email and send it to thousands of recipients. For example, the attachment might be called an “Invoice”, “Order details” or “Tracking information” and come in a .ZIP or .RAR format. This archive might contain a PDF or Word document that prompts the computer user to enable Macros (this feature is disabled by default). Once enabled, Macros can download the ransomware executable and run it.
For this reason, we strongly recommend you to avoid interacting with email attachments if the email message or the sender seems at least a bit suspicious. For example, scammers tend to send messages with grammar errors and insert well-known company logos that are poorly edited. However, experienced attackers are harder to spot as they try to make no mistakes and even use email spoofing techniques (which help to display a different sender’s email address than the original one that was used to send the email). We recommend avoiding interaction with email attachments or links included if:
Finally, STOP/DJVU ransomware victims should beware that scammers are trying to lure already-infected computer users with fake decryption tools. For example, ZORAB ransomware operators used such fake decryption tools as a bait to infect victims with a second payload. As a result, victim’s files would get double-encrypted.
If your files were encrypted by the described ransomware, we recommend you to take action and free the computer system from threats as soon as possible. Keeping viruses on the system leaves it vulnerable to further attacks. Therefore, we strongly advise to read the guidelines given below on how to remove KOOM ransomware virus and other threats from your Windows PC safely. Once you boot your computer in Safe Mode with Networking, use recommended security software – INTEGO Antivirus to scan the system and eliminate malware automatically. Additionally, you might want to download RESTORO to repair virus damage on Windows OS files.
After a successful KOOM virus removal, take the following actions:
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:
GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.
KOOM Ransomware Virus Removal Guidelines
Before you try to remove KOOM Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
Now, you can search for and remove KOOM Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus, which also includes data recovery software. For virus damage repair, consider using RESTORO.
Special Offer
Compatibility: Microsoft Windows
See Full Review
RESTORO is a unique PC Repair Tool which comes with an in-built Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, license key for the full software version must be purchased.
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Instructions for Windows XP/Vista/7 users
Instructions for Windows 8/8.1/10/11 users
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Malwarebytes Anti-Malware
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
If you're looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU ransomware versions are grouped into old and new variants. KOOM Ransomware Virus is considered the new STOP/DJVU variant, just like VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible.
In order to test the tool and see if it can decrypt KOOM files, follow the given tutorial.
The KOOM decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn't available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your KOOM extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Victims of KOOM Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
You can only open KOOM files if you have the decryption key, or if you were affected by offline encryption type.
To figure out whether you were affected by offline encryption, please go to C:/SystemID/PersonalID.txt and see if the string inside of it ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidances provided by the official KOOM decryption tools and believe what they say. If they say it is impossible to decrypt, it really is so. There is no magic tool or human capable of decrypting your files hiding somewhere. Encryption is a technique created to be nearly impossible to decrypt without a special private key (held by the criminals).
We advise scanning with anti-virus, anti-malware, malware removal tools or software like RESTORO to eliminate virus damage on the system. If you do not trust using a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once as they can interfere with each other's work.
Beware of fake KOOM decryption tools circulating around the web. Cyber criminals are uploading them to various shady websites, also might be promoting them via suspicious Youtube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious around the web. If there will be an official STOP/DJVU decryption tool available, it will be widely discussed in public media.
Norbert Webb is the head of Geek’s Advice team. He is the chief editor of the website who controls the quality of content published. The man also loves reading cybersecurity news, testing new software and sharing his insights on them. Norbert says that following his passion for information technology was one of the best decisions he has ever made. “I don’t feel like working while I’m doing something I love.” However, the geek has other interests, such as snowboarding and traveling.
Private Internet Access (PIA) VPN maintains its long-term role as a leader Private Internet Access…
XCBG ransomware aims to lock your files and demand a ransom XCBG ransomware is a…
BPQD ransomware encrypts all computer files, demands a ransom from the user BPQD ransomware is…
KQGS ransomware is a hostile computer virus designed to encrypt all of your files KQGS…
VTYM ransomware description: a virtual menace to your files stored on the computer VTYM ransomware…
FOPA ransomware is a new threatening computer virus that encrypts your files FOPA ransomware virus…
This website uses cookies.
View Comments
Koom file extension can't able to decrypt by using EMSISOFT app. It's giving message as below:-
Error: No key for New Variant offline ID: 99p8vN1UYnRVfJrLk31VTLd69Ni5b0ex99QMQKt1
Notice: this ID appears be an offline ID, decryption MAY be possible in the future
You're affected by offline ID, it means decryption can be possible until someone shares KOOM decryption key with Emsisoft after paying the ransom. No one knows when this is going, if ever, happen. Please keep checking for updates every few weeks or so