Geek's Advice

KOOM ransomware is a computer virus that functions as a virtual extortion tool

KOOM ransomware is a computer virus who aims to encrypt all files on the target Windows system. It is a new variant of the infamous STOP/DJVU ransomware. After being launched on computer, it starts scanning all directories and turning files inaccessible thanks to RSA Salsa20 crypto-algorithm and appends .koom extension to full file name. For example, a file prior to the attack called 1.jpg appears as 1.jpg.koom once modified by the virus. The sole aim of data encryption in this case is virtual victim’s extortion, therefore the ransomware drops ransom notes (_readme.txt) in every folder to inform the computer user about the attack and what the cybercriminals want from the victim. According to the note, the criminals expect the user to pay a ransom in order to get KOOM file decryption tool. The price of it depends on how fast the victim contacts the attackers via provided emails (manager@mailtemp.ch, managerhelper@airmail.cc) and pays the ransom. If done within 72 hours, the price would be $490, otherwise – $980 in Bitcoin.

KOOM ransomware virus locks victim’s personal files such as images, videos, documents, archives and other data formats with sole aim to restrict user’s access to them and force to pay a ransom for their decryption. The way this virus functions is that once on the victim’s computer, it checks for Internet connection and if it is available, it connects to its Command&Control server to get a unique generated encryption key for the host machine. If the connection fails, the virus uses a hardcoded offline encryption key instead.

During data encryption, the malware only affects the first 150 KB of each file to finish the attack process sooner. This is enough to make data inaccessible, although it also allows the victim to repair certain file formats with some data loss as explained in this guide. For example, a repaired audio file might miss some seconds of the recording in the beginning of it.

Cyber criminals behind KOOM virus know that the victim needs to recover files as soon as possible because these are important to one as personal memories or are work or study related. Therefore, they present a solution in the _readme.txt note. According to the message left in it, the attackers expect the victim to pay a ransom to them to get the decryption key and software. They also offer a 50% discount from the initial decryption price (which is $980) if the victim writes to the given email addresses and settles an agreement within 3 days. In this case, the attackers promise to provide required tools for $490.

In addition, the note suggests that the computer user can send one encrypted file to them via email so that the attackers could demonstrate the effectiveness of the tools and provide a decrypted version of it. This way, they simply try to encourage the victim to “trust” them and pay as soon as possible.

However, according to cybersecurity experts worldwide and Geek’s Advice team, paying a ransom is NOT a recommended option. Here are some reasons why you shouldn’t do as cybercriminals command you to do:

• Cybercriminals can disappear the minute you make the transaction to them. In other words, paying doesn’t mean that you will recover your files successfully.
• After receiving the ransom, the criminals might start demanding for more money from you.
• Don’t sponsor malware: paying them means giving them income that allows funding further operations. Each year, ransomware operators collect millions of US Dollars. This also attracts other people to join them and as a result, expand the malware reach.
• Paying the ransom might be illegal in the country you live in.

In addition, viruses from STOP/DJVU ransomware family often drop AZORULT Trojan, an information-stealer on infected systems. This threat can collect information that can be used to blackmail you further , steal your personal accounts or even cause financial loss.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

Ransomware modus operandi explained

Victim’s typically download KOOM ransomware virus via infected software cracks or other illegal torrent downloads. The ransomware first launches a fake executable file called winupdate.exe which displays a deceptive Windows update prompt on the screen. It has a process bar on it and pretends that some essential operating system updates are being installed. The purpose of it is to deceive the victim and make one ignore the unexpected system slowdown.

However, at the same time, the ransomware executable named build.exe starts its operation. It identifies victim’s computer’s geolocation because such viruses are often programmed to cease the operation if the geolocation matches countries from the exception list. The process also captures various computer-related details, such as admin’s name, installed software list, browsing history and similar.

As mentioned earlier, the virus first decides whether to use online or offline encryption key and victim’s ID (the latter usually ends in t1). The virus saves the encryption key used and victim’s personal ID to C:\Users\admin\AppData\Local\bowsakkdestx.txt and also saves the ID to C:\SystemID\PersonalID.txt.

Then the malware begins scanning the system and encrypting files, plus dropping ransom notes in every directory. Once files are locked, the ransomware deletes Volume Shadow Copies from the computer by running a Command Line task:

^{vssadmin.exe Delete Shadows /All /Quiet}

Deleting VSS prevents the victim from restoring files using System Restore points (if any were created prior to the attack). In some cases, the ransomware also modifies Windows HOSTS file by adding a list of various computer-related self-help websites, public forums and tech news sites and mapping them to localhost IP. This causes DNS_PROBE_FINISHED_NXDOMAIN error to appear for the user when trying to access them. In other words, the virus attempts to block websites that could provide valuable information for a victim of ransomware attack.

Finally, some STOP/DJVU variants silently drops AZORULT Trojan on the system. This threat is capable of collecting sensitive data from the victim’s computer and transmitting it to the criminal. Besides, criminals can use it as a Remote Access Tool and perform the following tasks without physical access to the compromised computer:

• Download various computer malware and running it;
• Take various login credentials, such as those of Telegram, Steam and other programs and send them to criminals;
• View or delete files on the victim’s computer;
• Steal cryptocurrency wallets and their contents;
• Steal browser-saved passwords, browser cookies, browsing history and more.

Needless to say, keeping such dangerous threats on your computer can lead to disastrous consequences. For this reason, our team recommends to remove KOOM ransomware virus along other residing malware as soon as you can. Typically, we do not suggest trying to eliminate computer viruses manually – unless you are a cybersecurity professional. For this task, we recommend you to follow the guide given below the article and use a robust antivirus such as INTEGO Antivirus to clean the infection automatically. In addition, we suggest downloading RESTORO to repair virus damage caused for Windows OS files.

Ransomware Summary

Name	KOOM Ransomware Virus
Type	Ransomware; Crypto-malware; Virtual Extortion Virus
Family	STOP/DJVU
Encryption type	RSA Salsa20
Previous versions	VYIA, QBAA, FOPA, VTYM, KQGS, XCBG, BPQD (find full list here)
Version	329th
Extension	.koom
Dropper	SmokeLoader (see VirusTotal details)
Damage	The ransomware turns personal files stored on a computer inaccessible by encrypting them with military-grade encryption algorithm. The affected files can be recognised from additional .koom extension appended to their original names. The virus also leaves _readme.txt notes in every system directory. The ransomware deletes Volume Shadow Copies to prevent easy data recovery and adds a list of blocked domain names to Windows HOSTS file. Some variants drop AZORULT Trojan on the system.
Ransom note	_readme.txt
Ransom demand	$490-$980 in Bitcoin
Distribution	Victims often download this ransomware along illegal torrent downloads, cracked software, key generators or tools like KMSPico.
Detection names	Trojan:Win32/Glupteba (Microsoft), VHO:Trojan-Spy.Win32.Stealer.gen (Kaspersky), Gen:Variant.Graftor.974954 (BitDefender), ML.Attribute.HighConfidence (Symantec), W32.Trojan.Gen (Webroot) see all detection name variations on VirusTotal
Removal	Remove ransomware and related malware from your PC using professional software of your choice. We highly recommend using INTEGO Antivirus. To repair virus damage on Windows OS files, consider scanning with RESTORO.

REMOVE MALWARE & REPAIR VIRUS DAMAGE

How ransomware-type threats are distributed

Ransomware type threats coming from STOP/DJVU family are usually distributed in a form of malicious downloads, mostly those that are distributed via peer-to-peer file sharing networks. Many victims who have reported getting infected with KOOM, WIOT or other versions said that the infection came from cracks used to activate the following software:

• Adobe Photoshop;
• Tenorshare 4ukey;
• League of Legends;
• Corel Draw;
• Cubase;
• Adobe Illustrator;
• Windows activation tools such as KMSPico.

Cybercriminals prey on computer users and gamers who seek to get pirated software copies, movies and other content and bypass license or streaming fees. Sadly, non-genuine software often comes packed with additional apps, malicious scripts or malware such as ransomware. However, the worst part is that users try so hard to get paid content for free that they even willingly choose to ignore their security software alerts. Most of the time, they believe that antivirus programs flag any type of “crack” download as insecure, therefore they proceed to make an exception for it and open it anyway. This can result in an immediate computer infection, although you might not notice it instantly. In case of ransomware, your files can get encrypted (remember that the most noticeable location – desktop gets compromised last), although you can get infected with not-so-noticeable malware such as crypto-mining software or Trojans as well.

Remember that if you want to obtain a genuine and secure software copy, you should always choose legitimate sources to download it. We also want to add our two cents and mention that software license prices hardly ever surpass hefty ransoms demanded by cybercriminals.

Another very popular method to distribute ransomware is to inject its download and execution script into a document (DOCX, XLS, PDF or another format), attach it to a phishing email and send it to thousands of recipients. For example, the attachment might be called an “Invoice”, “Order details” or “Tracking information” and come in a .ZIP or .RAR format. This archive might contain a PDF or Word document that prompts the computer user to enable Macros (this feature is disabled by default). Once enabled, Macros can download the ransomware executable and run it.

For this reason, we strongly recommend you to avoid interacting with email attachments if the email message or the sender seems at least a bit suspicious. For example, scammers tend to send messages with grammar errors and insert well-known company logos that are poorly edited. However, experienced attackers are harder to spot as they try to make no mistakes and even use email spoofing techniques (which help to display a different sender’s email address than the original one that was used to send the email). We recommend avoiding interaction with email attachments or links included if:

• You sense that the sender urges you to open the attachments or links immediately;
• The email contains spelling and grammar mistakes;
• Your email server marks it as spam or blocks images included;
• The email message comes from a sender that you did not expect to contact you;
• The message starts with an unfamiliar or weird greeting;
• The email message seems to be too good to be true.

Finally, STOP/DJVU ransomware victims should beware that scammers are trying to lure already-infected computer users with fake decryption tools. For example, ZORAB ransomware operators used such fake decryption tools as a bait to infect victims with a second payload. As a result, victim’s files would get double-encrypted.

Remove KOOM Ransomware Virus and Decrypt .koom Files

If your files were encrypted by the described ransomware, we recommend you to take action and free the computer system from threats as soon as possible. Keeping viruses on the system leaves it vulnerable to further attacks. Therefore, we strongly advise to read the guidelines given below on how to remove KOOM ransomware virus and other threats from your Windows PC safely. Once you boot your computer in Safe Mode with Networking, use recommended security software – INTEGO Antivirus to scan the system and eliminate malware automatically. Additionally, you might want to download RESTORO to repair virus damage on Windows OS files.

After a successful KOOM virus removal, take the following actions:

• Register cybercrime incident to your local authority responsible for handling such cases. You can find some links to official cybersecurity authorities for different countries below the article.
• Use a data backup (if you had it), but only after you remove all malware from the system.
• See these instructions to decrypt or repair files affected by STOP/DJVU versions.
• We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.