This week, cyber security researchers have received reports of yet another ransomware named ‘Krusop virus’. This ransomware spreads via spam emails and malware files and appends the .krusop file extension to encrypted files. Read below a brief summary of information related to this ransomware and how to restore or decrypt .krusop files for free.
Krusop ransomware is a new-generation ransomware virus that encrypts documents, photos and music on hard disks and attached network drives, then demands payment in cryptocurrency (Bitcoins) to decrypt them. It can encrypt almost all types of files, including common ones such as:
.mdb, .vdf, .srw, .wps, .xls, .xyp, .wmv, .gho, .kf, .wpd, .p7c, .x3d, .wdb, .raf, .apk, .xld, .cfr, .iwd, .dxg, .dng, .wire, .p12, .w3x, .hkx, .mdf, .xls, .vcf, .wav, .xpm, .bar, .wma, .js, .xlsm, .py, .y, .map, .sum, .m4a, .ppt, .itl, .xx, .pak, .menu, .mp4, .gdb, .sis, .bc6, .wb2, .upk, .bc7, .mef, .rwl, .2bp, .wsh, .yal, .sie, .wpl, .ibank, .re4, .xlsx, .wri, .ods, .slm, .rar, .dazip, .x, .cdr, .desc, .wp, .wp6, .z3d, .fsh, .ltx, .3dm, .mlx, .xbplate, .wn, .sql, .dbf, .xlsb, .tax, .raw, .wpe, .zif, .mcmeta, .webp, .kdb, .webdoc, .syncdb, .dwg, .docm, .wpg, .wps, .vtf, .ntl, .bsa, .db0, .zabw, .x3f, .xbdoc, .doc, .cas, .zw, .ncf, .xar, .svg, .odc, .mrwref, .vfs0, .asset, .icxs, .wpa, .ff, .sb, .jpg, .docx, .xwp, .wgz, .ztmp, .forge, .wbz, .x3f, .lbf, .vpp_pc, .nrw, .arch00, .indd, .zip, .iwi, .3ds, .tor, .wdp, .odb, .eps, .pfx, .wsc, .avi, .jpeg, .ai, .csv, .sidd, .mddata, .das, .ysp, .dcr, .sr2, .wpt, .d3dbsp, .wmf, .big, .1st, .flv, .bkf, .srf, .0, .dba, .bik, .wmd, .rofl, .pptm, .sidn, .xlsx, .wm, .bay, wallet, .hplg, .blob, .wpw, .rtf, .esm, .1, .xf, .kdc, .xdb, .wmo, .mpqge, .yml, .m3u, .arw, .pptx, .fpk, .zdc, .hkdb, .orf, .rb, .xyw, .wma, .mov, .der, .wbk, .pst, .t12
When encrypting a file, it appends the .krusop extension to the file name to mark the file as encrypted. For example, a file called sample.doc would be encrypted and renamed to sample.doc.krusop.
When the encryption procedure is finished, the malware leaves a ransom message named ‘_readme.txt’ with instructions on how to purchase a private key to decrypt all documents, photos and music. You can see one of the variants of the ransom message below:
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-p1HwbAuGCw Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: gorentos@bitmessage.ch Reserve e-mail address to contact us: gorentos2@firemail.cc
Threat Summary
Name | Krusop |
Type | Ransomware, Crypto virus, Filecoder, File locker, Crypto malware |
Encrypted files extension | .krusop |
Ransom note | _readme.txt |
Contact | gorentos@bitmessage.ch |
Ransom amount | $980 in Bitcoins |
Symptoms | Your documents, photos and music fail to open. You get an error message like ‘Windows can’t open this file’, ‘How do you want to open this file’. Files named like ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file. |
Distribution ways | Phishing emails that are carefully made to trick a victim into opening an attachment or clicking on a link that contains a harmful file. Drive-by downloads (ransomware can infect the PC system simply by visiting a website that is running harmful code). Social media, like web-based instant messaging applications. USB keys and other removable media. |
Removal | To remove Krusop ransomware use the removal guide |
Decryption | To decrypt Krusop ransomware use the steps |
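An added example, not part of the original guide or of any tool it mentions: a read-only Python triage script that uses the two indicators described above (the .krusop extension and the _readme.txt note) to inventory affected folders. The function names are hypothetical, the sample tree is constructed, and treating file modification time as the approximate encryption time is an assumption.

```python
import os
import tempfile
from collections import Counter

ENC_EXT = ".krusop"        # appended extension, as stated on this page
NOTE_NAME = "_readme.txt"  # ransom note file name, as stated on this page

def triage(root):
    """Read-only walk of root; summarises what the encryption run left behind."""
    rep = {"encrypted": [], "notes": [], "folders_without_note": [],
           "by_original_ext": Counter(), "first_mtime": None, "last_mtime": None}
    for folder, _dirs, files in os.walk(root):
        hits = [f for f in files if f.lower().endswith(ENC_EXT)]
        notes = [f for f in files if f.lower() == NOTE_NAME]
        rep["notes"] += [os.path.join(folder, n) for n in notes]
        if hits and not notes:
            # Page: a note sits in each folder with encrypted files. A gap can
            # mean the note was deleted or the run was interrupted there.
            rep["folders_without_note"].append(folder)
        for name in hits:
            path = os.path.join(folder, name)
            original = name[:-len(ENC_EXT)]   # sample.doc.krusop -> sample.doc
            ext = os.path.splitext(original)[1].lower() or "(none)"
            rep["by_original_ext"][ext] += 1
            rep["encrypted"].append(path)
            try:
                m = os.stat(path).st_mtime    # assumption: mtime ~ encryption time
            except OSError:
                continue                      # unreadable entry: still counted
            lo, hi = rep["first_mtime"], rep["last_mtime"]
            rep["first_mtime"] = m if lo is None else min(lo, m)
            rep["last_mtime"] = m if hi is None else max(hi, m)
    return rep

def build_sample(root):
    """Constructed sample tree (not real data): two folders, one lacking a note."""
    layout = {"docs": ["sample.doc.krusop", "budget.xlsx.krusop", "_readme.txt"],
              "pics": ["cat.JPG.krusop", "untouched.png"]}
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"constructed placeholder")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        r = triage(tmp)
        print(len(r["encrypted"]), "encrypted;", dict(r["by_original_ext"]))
        print("folders without note:", r["folders_without_note"])
```

The first_mtime value gives a rough lower bound for when encryption started, which helps when choosing a Shadow Volume Copy restore point that predates it.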
Use the step-by-step tutorial below to remove ransomware and try to restore encrypted photos, documents and music for free.
Quick links
- How to remove Krusop ransomware virus
- How to decrypt .krusop files
- Krusop decryption tool
- How to restore .krusop files
- How to protect your computer from Krusop ransomware?
- To sum up
How to remove Krusop ransomware virus
Before you start recovering files that have been encrypted, make sure the Krusop ransomware virus is not running. First, you need to delete this crypto malware permanently. Luckily, there are several malware removal utilities which will effectively search for and delete Krusop crypto malware and other crypto virus malware from your PC.
Remove Krusop ransomware virus with Zemana
Zemana Free is a malware scanner that is very useful for detecting and removing the Krusop ransomware virus. The steps below explain how to download, install, and use Zemana AntiMalware (ZAM) to scan your personal computer and remove ransomware, malware, spyware, adware, worms and trojans for free.
Now you can install and use Zemana to remove Krusop ransomware by following the steps below:
Click the link below to download the Zemana installer, called Zemana.AntiMalware.Setup, to your machine. Save it directly to your MS Windows Desktop.
Run the install package after it has been downloaded successfully and then follow the prompts to install this utility on your PC.
During setup you can change certain settings, but we suggest you don’t make any changes to the default settings.
When installation is finished, this malicious software removal utility will automatically launch and update itself. You will see its main window as displayed below.
Now click the “Scan” button to start scanning your PC for the Krusop crypto malware and other kinds of potential threats such as malware and trojans. While the Zemana AntiMalware application is checking, you can see the number of objects it has identified as threats.
Once that process is complete, Zemana AntiMalware (ZAM) will open a list of detected threats. Review the results once the tool has finished the system scan. If you think an entry should not be quarantined, then uncheck it. Otherwise, simply click the “Next” button.
Zemana Free will begin to remove Krusop ransomware related files, folders and registry keys. When the cleaning process is finished, you may be prompted to reboot your computer for the changes to take effect.
Use MalwareBytes Anti-Malware to uninstall Krusop virus
Removing Krusop crypto malware manually is difficult, and often the ransomware virus is not completely removed. Therefore, we recommend that you run MalwareBytes, which can completely clean your PC. Moreover, this free application will allow you to remove malware, PUPs, toolbars and adware with which your personal computer may also be infected.
Installing MalwareBytes Free is simple. First you will need to download MalwareBytes Anti Malware to your Windows Desktop from the link below.
After the download is complete, run it and follow the prompts. Once installed, MalwareBytes Anti Malware (MBAM) will try to update itself. When this task is done, click the “Scan Now” button to scan for Krusop crypto malware and other security threats. While the MalwareBytes tool is checking, you can see the count of objects it has identified as being infected by malware. When you are ready, click the “Quarantine Selected” button.
MalwareBytes Anti-Malware is a free application that you can use to remove all detected folders, files, services, registry entries and so on. To learn more about this malware removal utility, we recommend that you read and follow the few simple steps or the video guide below.
Scan your computer and remove Krusop virus with KVRT
If MalwareBytes Anti-Malware or Zemana AntiMalware cannot delete this ransomware virus, then we recommend using KVRT. KVRT is a free removal tool for ransomware, adware, potentially unwanted software and toolbars.
Download the Kaspersky virus removal tool (KVRT) to your Windows Desktop by clicking on the following link.
When the download is done, double-click the KVRT icon. Once the initialization procedure is complete, you’ll see the Kaspersky virus removal tool screen like the one below.
Click Change Parameters and check all your drives. Click OK to close the Parameters window. Next, click the Start scan button. The KVRT application will scan the whole personal computer for the Krusop crypto malware and other trojans and malicious apps. Depending on your personal computer, the scan can take anywhere from a few minutes to close to an hour. When a threat is found, the number of security threats will change accordingly.
When the system scan is finished, KVRT will display a screen that contains a list of malicious software that has been found, as shown in the figure below.
Make sure to check the threats that are unsafe and then press Continue to begin the cleaning procedure.
How to decrypt .krusop files
The Krusop ransomware invites the victim to contact its makers in order to decrypt all files. These people will demand a ransom (usually $980 in Bitcoins).
There is absolutely no guarantee that, after you pay a ransom to the makers of the Krusop crypto virus, they will provide the necessary key to decrypt your files. In addition, you must understand that by paying money to the cyber criminals, you are encouraging them to create a new crypto virus.
The free malware removal tools listed in this article have the ability to detect and remove ransomware and prevent any further damage. After that you can recover encrypted photos, documents and music from their Shadow Copies or by using a file restore tool.
Krusop decryption tool
With some variants of the Krusop ransomware virus, it is possible to decrypt encrypted files using the free tools listed below.
Michael Gillespie (@) released the Krusop decryption tool named STOPDecrypter. It can decrypt .Krusop files if they were locked by one of the known OFFLINE KEYs retrieved by Michael Gillespie. Please check the Twitter post for more info.
STOPDecrypter is a program that can be used for Krusop files decryption. One of the biggest advantages of using STOPDecrypter is that it is free and easy to use. Also, it constantly keeps updating its ‘OFFLINE KEYs’ DB. Let’s see how to install STOPDecrypter and decrypt .Krusop files using this free tool.
- Installing STOPDecrypter is simple. First you will need to download STOPDecrypter to your Windows Desktop from the following link.
download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
- After the download is done, close all applications and windows on your machine. Open the file location. Right-click on the icon that’s named STOPDecrypter.zip.
- Further, select ‘Extract all’ and follow the prompts.
- Once the extraction process is finished, right-click on STOPDecrypter and choose ‘Run as Administrator’. Select Directory and press the Decrypt button.
If STOPDecrypter does not help you decrypt .Krusop files, in some cases you still have a chance to restore files that were encrypted by the ransomware. This is possible using the tools named ShadowExplorer and PhotoRec. An example of recovering encrypted files is given below.
How to restore .krusop files
In some cases, you can recover files encrypted by the Krusop ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted files.
Use shadow copies to recover .krusop files
Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can allow you to restore .krusop files encrypted by the Krusop ransomware virus. The method described below only recovers encrypted photos, documents and music by restoring previous versions from the Shadow Volume Copies using a free tool called ShadowExplorer.
First, please go to the link below, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.
After the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the screen below.
Double-click ShadowExplorerPortable to launch it. You will see a window as shown on the screen below.
In the top left corner, choose the drive where the encrypted documents, photos and music are stored and the latest restore point, as displayed below (1 – drive, 2 – restore point).
In the right panel, look for a file that you want to restore, right-click it and select Export, as in the image below.
Use PhotoRec to recover .krusop files
Before a file is encrypted, the Krusop ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your personal files using file restore applications such as PhotoRec.
Download PhotoRec by clicking on the link below. Save it to your Desktop so that you can access the file easily.
Once the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder like the one below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen similar to the one below.
Select a drive to recover as displayed in the following example.
You will see a list of available partitions. Select the partition that holds encrypted files, similar to the one below.
Click the File Formats button and specify the file types to recover. You can enable or disable the restore of certain file types. When this is finished, click the OK button.
Next, click the Browse button to select where restored personal files should be written, then click Search.
The count of recovered files is updated in real time. All restored files are written to the folder that you selected in the previous step. You can access the files even if the recovery process is not finished.
When the restore is done, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents as displayed in the figure below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you are searching for a specific file, then you can sort your restored files by extension and/or date/time.
How to protect your computer from Krusop ransomware?
Most antivirus programs already have a built-in protection system against ransomware. Therefore, if your system does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert.
Run HitmanPro.Alert to protect your personal computer from Krusop ransomware
HitmanPro.Alert is a small security utility. It can check the system integrity and alert you when critical system functions are affected by malware. HitmanPro.Alert can detect, remove, and reverse ransomware effects.
HitmanPro.Alert can be downloaded from the following link. Save it on your Windows desktop.
When the download is done, open the folder in which you saved it. You will see an icon like the one below.
Double-click the HitmanPro.Alert desktop icon. Once the tool is opened, you’ll be shown a window where you can choose a level of protection, as displayed in the image below.
Now click the Install button to activate the protection.
To sum up
Now your PC system should be clean of the Krusop crypto virus. Remove KVRT and MalwareBytes Anti-Malware (MBAM). We recommend that you keep Zemana Anti-Malware (to periodically scan your PC system for new malicious software). You are probably running an older version of Java or Adobe Flash Player. This can be a security risk, so download and install the latest version right now.
If you are still having problems while trying to delete Krusop ransomware from your machine, then ask for help here.