KUUS ransomware distribution accelerates in July
- KUUS ransomware distribution accelerates in July
- Criminals disguise malware as fraudulent Adobe Flash update pop-ups or software cracks
- KUUS ransomware virus removal guide
- Decrypt KUUS files
- Frequently Asked Questions
KUUS ransomware is categorized as a version of the file-encrypting STOP/DJVU virus. The malicious program is created to lock a victim's personal or work files stored on the system, marking them with the .kuus file extension. After the data encryption process completes, victims see a _readme.txt file that serves as the ransom-demanding message. The attackers demand a specific sum of money to decrypt the files and tell victims to contact them at two new email addresses, email@example.com and firstname.lastname@example.org, for further instructions.
This cyber threat behaves like its predecessors, such as REPL, MAAS, ZIDA, ERIF, and others. All versions of this ransomware family use a disguise to hide their presence at first: the encryption process usually runs behind a fraudulent Windows Update screen that discourages people from interfering with it. Victims of KUUS ransomware see a legitimate-looking OS update window and are tricked into believing that their systems are not infected, while at that very moment the file-encrypting virus is locking all data on the affected computer.
Later, it drops a ransom note (_readme.txt) in which the cybercriminals explain what file encryption is and state that a strong cryptographic algorithm was used that cannot be broken. In other words, victims are unable to open or use almost any data on the computer, including videos, images, documents, etc.
Attackers offer a 50% discount within the first 72 hours after infection. During this time, users must pay $490; later the price rises to $980, payable in Bitcoin, for the KUUS file decryption tool. The ransom must be transferred in cryptocurrency to a specific account communicated via e-mail.
Some technical virus details: the current version of STOP/DJVU is known to have been first compiled and planned for distribution on 2019-04-24. The malware targets computers with Intel 386 or later processors and compatible processors. The program type itself is a Win32 executable.
Alternative ways to decrypt locked data
Even though cybercriminals claim that there is no other way to restore a victim's files, our security researchers do not recommend collaborating with them. There are alternative methods to decrypt affected files; use the STOP/DJVU decryption guide to find out more. However, you should stay away from suspicious free decryption tools offered online unless they are verified by security researchers: many other cybercriminals try to trick confused people into downloading malware disguised as so-called tools to decrypt .kuus files.
Before you try to get your data back, you must remove the KUUS ransomware virus from your computer. Since it has numerous components hidden in various directories on the system, the easiest way to uninstall all of them at once is to use anti-malware software of your choice. In addition, we recommend using RESTORO, a professional system repair tool that can help you repair virus damage on the system.
Start KUUS file virus removal by running a full system scan so that the software can locate all elements related to the virus. Once the security software has scanned your system, it places the malicious components in quarantine to stop the activity that is damaging the computer. It then carefully uninstalls the ransomware files and ensures that the PC is malware-free. You will find detailed instructions on how to start the elimination procedure at the end of this article.
Main Threat Features
| Feature | Details |
|---|---|
| Type | File-encrypting virus, Crypto-malware, File locker |
| Other variants | ZIPE, PEZI, NLAH, VAWE, ZIDA, REPL, MAAS, NILE, OONN, VARI |
| Name of malicious executable | 6AEC.tmp.exe, c7c6.tmp.exe or similar (source: VirusTotal) |
| Amount of money demanded | From $490 to $980 (lower if paid within 3 days) |
| Distribution | Fake Adobe Flash Player update pop-ups, software cracks, illegal downloads and activators like KMSPICO |
| Symptoms | Encryption process starts by displaying an imitation of the Windows Update screen; later, files are appended with the .kuus extension and can no longer be accessed |
| Damage | Experts warn that this cyber threat not only locks important data but also installs the AZORULT password-stealing Trojan; in addition, it maliciously modifies the HOSTS file to prevent Internet access to particular websites |
| Decryption | Those who store backup copies in the cloud can easily restore encrypted data. For others, please follow the data decryption/recovery instructions provided below this article |
| Removal | The safest method to uninstall ransomware viruses is to use anti-malware programs. For virus damage repair, run RESTORO. |
Name: KUUS ransomware virus
Description: KUUS ransomware is a highly malicious file-encrypting computer virus that is the 241st version of STOP/DJVU. The program behaves like a file-encrypting process that drops a message from cybercriminals in a _readme.txt file. After a successful attack, all victims' files can no longer be opened or modified and are marked with the .kuus file extension.
Offer price: 980
Operating System: Windows
Application Category: Ransomware
Author: STOP/DJVU authors
Live demonstration of KUUS ransomware encrypting our test file folder:
Criminals disguise malware as fraudulent Adobe Flash update pop-ups or software cracks
The majority of ransomware victims got their computers infected by clicking on a fake Adobe Flash Player update pop-up that appears while browsing suspicious websites. Criminals have designed the advertisement to look exceptionally legitimate, and many people have fallen for this popular trick used to distribute file-encrypting viruses.
Attackers create a pop-up that resembles the update notifications shown by the official Adobe software on the computer, although it appears in the browser rather than on the system itself. Unfortunately, people do not investigate the pop-up before clicking the update button once it appears on the screen. As a result, the button triggers the automatic download and installation of a ransomware executable file and runs it right away.
In addition, STOP/DJVU distributors tend to create fake software cracks, which people download through peer-to-peer file-sharing clients in order to activate software licenses illegally. Victims of KUUS ransomware have been attacked via Adobe Photoshop cracks, GTA cracks and similar game or software activators. Please refrain from downloading illegal software copies – it is utterly dangerous!
You can protect your computer from such malware infiltration attempts by avoiding questionable sites, including illegal video streaming and file-sharing networks, various unofficial gaming sites, and others. Note that file-encrypting viruses might also be pushed through ads while browsing, so you should stop clicking on promotional content online as well.
KUUS ransomware virus removal guide
It is essential to mention that KUUS ransomware removal is a complicated procedure. This file-encrypting virus is designed to modify the Windows hosts file to disrupt connections to security websites and certain antivirus tools. As a result, you might struggle to download and install malware removal software or browse the Internet for help. However, you can learn how to reset the Windows hosts file back to default in case you cannot access security programs.
Another method to circumvent the virus is to reboot your computer into Safe Mode. This way you will be able to use your chosen security software to run a full system scan. Automatic elimination removes the KUUS ransomware virus and all of its components from the system, so the infection will not reappear to damage your computer further. The instructions below show how to start malware removal. Afterward, you can use the latest backup copy to restore encrypted information. Additionally, we recommend scanning with RESTORO to eliminate virus damage on OS files.
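The hosts-file tampering described above is easy to audit by hand, but a script makes the check repeatable across machines. The following Python script is an added example written for this article; it is not a tool from Geek's Advice or from any vendor named on the page. It parses hosts-file text, skips comments and the stock localhost lines, and reports every remaining mapping, tagging those that point at domains you name (for instance your antivirus vendor's) as sinkholed. The embedded sample hosts content and the `.test` domain names are constructed for the demonstration; on a real machine, pass `C:\Windows\System32\drivers\etc\hosts` to `audit_hosts_file()` from an elevated prompt.

```python
"""Audit a Windows hosts file for entries that could block security sites.

Added example for this article, not code from the page or its authors.
Reads hosts-file text, ignores comments and the default loopback lines,
and reports every remaining hostname mapping for review.
"""
from pathlib import Path

# Abbreviated reproduction of the stock Windows hosts file: it contains
# comments only, so any active mapping is worth a second look.
DEFAULT_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse_hosts(text):
    """Return (ip, hostname) pairs for every active (non-comment) mapping."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text, watch_suffixes=()):
    """Flag every mapping that is not the default localhost entry.

    Entries whose hostname ends with one of watch_suffixes (e.g. your
    security vendor's domain) are reported as 'sinkholed'; any other
    non-default mapping is reported as 'non-default'.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name == "localhost" and ip in LOOPBACK:
            continue
        reason = "sinkholed" if any(name.endswith(s) for s in watch_suffixes) else "non-default"
        findings.append((ip, name, reason))
    return findings


def audit_hosts_file(path, watch_suffixes=()):
    """Audit the hosts file at `path` (assumed: the Windows default location)."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return suspicious_entries(text, watch_suffixes)


def restore_default_hosts(path):
    """Overwrite the hosts file with comment-only default content.

    Needs an elevated prompt on a real system; run the audit first so you
    keep a record of what was removed.
    """
    Path(path).write_text(DEFAULT_HOSTS, encoding="utf-8")


# Constructed sample: stock header plus two tampered lines of the kind the
# article describes. Domain names are placeholders, not real indicators.
SAMPLE_HOSTS = DEFAULT_HOSTS + (
    "127.0.0.1  www.example-av-vendor.test\n"
    "0.0.0.0 updates.example-security.test # added by malware\n"
)

if __name__ == "__main__":
    for ip, name, reason in suspicious_entries(SAMPLE_HOSTS, watch_suffixes=(".test",)):
        print(f"{reason:12} {ip:15} {name}")
```

Anything reported as sinkholed is the symptom the article describes: a security site resolved to the loopback or null address so the browser or updater cannot reach it. Restoring the default file removes the block, but the ransomware components themselves still have to be removed afterwards.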
OUR GEEKS RECOMMEND
Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, and to repair the virus damage caused to the system:
KUUS ransomware virus Removal Guidelines
Method 1. Enter Safe Mode with Networking
Step 1. Start Windows in Safe Mode with Networking
Before you try to remove the KUUS ransomware virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on YouTube.
Instructions for Windows XP/Vista/7 users
- First of all, turn off your PC. Then press the Power button to start it again and immediately start pressing the F8 key on your keyboard repeatedly at 1-second intervals. This launches the Advanced Boot Options menu.
- Use the arrow keys on the keyboard to navigate down to the Safe Mode with Networking option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Open the Windows Start menu, then click the Power button. On your keyboard, press and hold the Shift key, and then select the Restart option.
- This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.
Step 2. Remove files associated with the virus
Now, you can search for and remove KUUS ransomware virus files. It is very hard to identify the files and registry keys that belong to the ransomware virus; besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
RESTORO is a unique PC repair tool which comes with a built-in Avira scan engine to detect and remove spyware/malware threats and uses a patented technology to repair virus damage. The software can repair damaged, missing or malfunctioning Windows OS files, corrupted DLLs, and more. The free version offers a scan that detects issues. To fix them, a license key for the full software version must be purchased.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically.
Step 1. Boot Windows in Safe Mode with Command Prompt
Instructions for Windows XP/Vista/7 users
- Shut down your PC. Start it again by pressing the Power button and immediately start pressing the F8 key on your keyboard repeatedly at 1-second intervals. You will see the Advanced Boot Options menu.
- Using the arrow keys on the keyboard, navigate down to the Safe Mode with Command Prompt option and press Enter.
Instructions for Windows 8/8.1/10/11 users
- Launch the Windows Start menu, then click the Power button. On your keyboard, press and hold the Shift key, and then choose the Restart option with the mouse cursor.
- In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press the F6 key.
Step 2. Start System Restore process
- Wait until the system loads and the command prompt shows up.
- Type cd restore and press Enter, then type rstrui.exe and press Enter. Alternatively, type %systemroot%\system32\restore\rstrui.exe in the command prompt and hit Enter.
- This launches the System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before the ransomware infection.
- Click Yes to begin the system restoration process.
After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense
System Mechanic Ultimate Defense is an all-in-one system maintenance suite with 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, a password manager, online privacy protection and secure drive wiping technology. Due to this wide range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt KUUS files
Fix and open large KUUS files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the first 150 KB of each file, so that the virus manages to affect all files on the system quickly. In some cases, the malicious program might skip some files entirely. That said, we recommend testing this method on several big (>1 GB) files first.
- Create a copy of the encrypted file in a separate folder using the Copy > Paste commands.
- Now, right-click the created copy and choose Rename. Select the .kuus extension and delete it. Press Enter to save the change.
- In the prompt warning that the file might become unusable if you change it, click OK.
- Try opening the file.
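Before renaming dozens of large files by hand, it helps to confirm on one sample that the tail of the file really is untouched. The Python script below is an added example for this article, not code from the page or from any decryptor project. It uses the 150 KB figure quoted above and compares the byte entropy of the first 150 KB with the entropy of the rest of the file: encrypted data scores close to 8 bits per byte, while the original document content usually scores far lower. It also performs the copy-and-strip-extension steps programmatically. The sample "encrypted" file it builds is constructed (repetitive plaintext whose head is replaced with random bytes) purely so the script runs offline; it is not real ransomware output.

```python
"""Check how much of a large partially encrypted file is left intact.

Added example for this article, not code from the page. Compares the
entropy of the first 150 KB (the portion the article says STOP/DJVU
encrypts) with the rest of the file, then copies the file without the
ransomware extension, as the article's rename steps describe.
"""
import math
import os
import shutil
from collections import Counter
from pathlib import Path

ENCRYPTED_HEAD = 150 * 1024   # figure quoted in the article
KUUS_EXT = ".kuus"


def shannon_entropy(data):
    """Bits per byte: about 8.0 for random/encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def analyse_bytes(data, head_size=ENCRYPTED_HEAD):
    """Entropy of head and tail, plus the fraction of bytes beyond the head."""
    size = len(data)
    head, tail = data[:head_size], data[head_size:]
    return {
        "size": size,
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_entropy": round(shannon_entropy(tail), 2),
        "intact_fraction": round(max(size - head_size, 0) / size, 4) if size else 0.0,
    }


def analyse(path, head_size=ENCRYPTED_HEAD):
    """Run analyse_bytes over a file on disk."""
    with open(path, "rb") as fh:
        return analyse_bytes(fh.read(), head_size)


def tail_looks_plaintext(report, threshold=7.5):
    """True when the head is ciphertext-like but the tail is not.

    A low-entropy tail is what makes the rename trick worth trying; if the
    tail is also near 8 bits/byte (e.g. a ZIP, MP4 or already-compressed
    file), the check is inconclusive rather than negative.
    """
    return report["head_entropy"] >= threshold and report["tail_entropy"] < threshold


def strip_ext(name):
    """Drop the .kuus extension if present (case-insensitive)."""
    return name[:-len(KUUS_EXT)] if name.lower().endswith(KUUS_EXT) else name


def copy_without_extension(path, dest_dir):
    """Steps 1-2 of the article: copy the file, then remove the extension.

    The original encrypted file is never modified.
    """
    src, dest_dir = Path(path), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / strip_ext(src.name)
    shutil.copy2(src, dest)
    return dest


def make_sample(path, total_size=1_000_000, head_size=ENCRYPTED_HEAD):
    """Constructed stand-in for a partially encrypted file (not real output)."""
    line = b"The quick brown fox jumps over the lazy dog.\n"
    body = (line * (total_size // len(line) + 1))[:total_size]
    with open(path, "wb") as fh:
        fh.write(os.urandom(head_size) + body[head_size:])
    return path


if __name__ == "__main__":
    sample = make_sample("report_sample.docx" + KUUS_EXT)
    rep = analyse(sample)
    print(rep, "tail plaintext:", tail_looks_plaintext(rep))
    print("copy written to:", copy_without_extension(sample, "recovered"))
```

When `tail_looks_plaintext()` returns True on a file over 1 GB, the renamed copy still contains more than 99.98% of the original bytes, which is why formats that tolerate a damaged header (video, some archives, raw text) are the ones most likely to open. Always work on the copy, as the article says, so the original stays available for a future decryptor.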
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. The KUUS ransomware virus is considered a new STOP/DJVU variant, just like KCVP, KCBU, TCBU, UYRO, ZATP, ZATE (find the full list here). This means full data decryption is possible only if you were affected by an offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by the genius security researcher Michael Gillespie.
Note! Please do not spam the security researcher with questions about whether he can recover your files encrypted with an online key - it is not possible.
In order to test the tool and see if it can decrypt KUUS files, follow the tutorial below.
- Download the decryption tool from Emsisoft.
- Click the little arrow next to your download and choose Show in Folder.
- Now, right-click the file and choose Run as Administrator. If asked, enter administrator's password.
- In UAC window, click Yes.
- Click Yes to agree to software terms in both windows.
- The tool automatically includes the C:\ drive as a location to decrypt and prepopulates the locations to scan, including connected storage drives or network drives. Click Add folder if you wish to add additional locations.
In the Options tab, you can choose to keep encrypted file copies. We recommend leaving this option selected, especially if you do not know whether the decryption tool will work.
- Click Decrypt to start restoring KUUS files. You will see the progress in the Results tab. Here, you can see messages from the tool, such as whether the decryption procedure was successful or you need to wait for an update.
You might also be informed that an online key was used to encrypt your files. In that case, the decryption tool won't work for you, and the only way to recover your files is to use a data backup.
Meanings of decryptor's messages
The KUUS decryption tool might display several different messages after a failed attempt to restore your files. You might receive one of the following messages:
Error: Unable to decrypt file with ID: [example ID]
This message typically means that there is no corresponding decryption key in the decryptor's database.
No key for New Variant online ID: [example ID]
Notice: this ID appears to be an online ID, decryption is impossible
This message informs you that your files were encrypted with an online key, meaning nobody else has the same encryption/decryption key pair; therefore data recovery without paying the criminals is impossible.
Result: No key for new variant offline ID: [example ID]
This ID appears to be an offline ID. Decryption may be possible in the future.
If you were informed that an offline key was used but the files could not be restored, the offline decryption key is not available yet. Receiving this message is nevertheless very good news, as it might be possible to restore your KUUS extension files in the future. It can take a few months until the decryption key is found and uploaded to the decryptor. We recommend following updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of KUUS ransomware virus should report the Internet crime incident to the official government fraud and scam website according to their country:
- In the United States, go to the On Guard Online website.
- In Australia, go to the SCAMwatch website.
- In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.
- In Ireland, go to the An Garda Síochána website.
- In New Zealand, go to the Consumer Affairs Scams website.
- In the United Kingdom, go to the Action Fraud website.
- In Canada, go to the Canadian Anti-Fraud Centre.
- In India, go to Indian National Cybercrime Reporting Portal.
- In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can't find an authority corresponding to your location on this list, we recommend using any search engine to look up "[your country name] report cyber crime". This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities.
Another recommendation is to contact your country's or region’s federal police or communications authority.
Frequently Asked Questions
You can only open KUUS files if you have the decryption key, or if you were affected by the offline encryption type.
To find out whether you were affected by offline encryption, open C:\SystemID\PersonalID.txt and check whether the string inside ends in t1. You can also try using Emsisoft Decryptor for STOP/DJVU.
Please follow the guidance provided by the official KUUS decryption tools and trust what they report. If they say decryption is impossible, it really is so. There is no magic tool or person hiding somewhere who can decrypt your files. Encryption is a technique designed to be nearly impossible to reverse without the private key (held by the criminals).
We advise scanning with anti-virus, anti-malware or malware removal tools, or software like RESTORO, to eliminate virus damage on the system. If you do not trust a single tool, try running one after another. However, we do not recommend keeping several security programs on a computer at once, as they can interfere with each other's work.
Beware of fake KUUS decryption tools circulating on the web. Cybercriminals upload them to various shady websites and might also promote them via suspicious YouTube videos. These programs can infect your computer even more heavily (Trojans, miners, etc.). We suggest being extremely cautious online. If an official STOP/DJVU decryption tool becomes available, it will be widely discussed in the public media.
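The offline/online check above is worth automating when you are triaging several machines, because the answer decides whether waiting for a decryptor update is realistic. The following Python script is an added example for this article, not a tool from the page or from Emsisoft. It applies the rule the FAQ gives (an ID ending in t1 is an offline ID) to every line of PersonalID.txt. Two assumptions go beyond the article and are labelled as such in the code: the file may contain more than one ID, one per line, and the suffix comparison is done case-insensitively. The sample IDs are constructed placeholders, not IDs from a real victim.

```python
"""Classify the IDs in C:\\SystemID\\PersonalID.txt as offline or online.

Added example for this article, not code from the page or from Emsisoft.
Rule from the FAQ: an ID ending in "t1" is an offline ID. Assumptions:
the file may hold several IDs (one per line) and case does not matter.
"""
from pathlib import Path

PERSONAL_ID_PATH = r"C:\SystemID\PersonalID.txt"   # path quoted in the article
OFFLINE_SUFFIX = "t1"


def classify_id(personal_id):
    """Return 'offline', 'online', or None for a blank line."""
    pid = personal_id.strip()
    if not pid:
        return None
    return "offline" if pid.lower().endswith(OFFLINE_SUFFIX) else "online"


def classify_ids(text):
    """Map each distinct ID found in the file text to its classification."""
    result = {}
    for line in text.splitlines():
        kind = classify_id(line)
        if kind is not None:
            result.setdefault(line.strip(), kind)
    return result


def decryption_outlook(classes):
    """Summarise what the Emsisoft decryptor can be expected to report."""
    if not classes:
        return "no IDs found: check the path, or look for the ID in the ransom note"
    if "offline" in classes.values():
        return ("offline ID present: decryption is possible once the matching key "
                "is in the decryptor's database; keep the encrypted files and wait")
    return ("only online IDs: decryption without the criminals' key is impossible; "
            "restore from backup")


def read_personal_ids(path=PERSONAL_ID_PATH):
    """Read and classify the IDs on disk; an absent file yields an empty result."""
    p = Path(path)
    if not p.exists():
        return {}
    return classify_ids(p.read_text(encoding="utf-8", errors="replace"))


# Constructed sample with placeholder IDs: first an online-style ID, then a
# blank line, then an offline-style ID ending in t1.
SAMPLE = (
    "0123456789abcdefghijklmnopqrstuvwxyzAB\n"
    "\n"
    "zyxwvutsrqponmlkjihgfedcba9876543210t1\n"
)

if __name__ == "__main__":
    classes = read_personal_ids() or classify_ids(SAMPLE)
    for pid, kind in classes.items():
        print(f"{kind:8} {pid}")
    print(decryption_outlook(classes))
```

If the file lists both kinds of ID, the machine was hit more than once; only the files encrypted under the offline ID become recoverable when that key is added to the decryptor, which is why the script keeps every ID rather than just the last one.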
Scott Bolton is a senior content strategist in our Geek's Advice team. He is exceptionally passionate about covering the latest information technology themes and inspires other team members to follow new innovations. Despite the fact that Scott is an old-timer among the Geeks, he still enjoys writing comprehensive articles about exciting cybersecurity news or quick tutorials.