.Kodg file extension is an extension that uses the newest variant of STOP (djvu) ransomware to mark files that have been encrypted. Ransomware is malware created by criminals that restricts access to the victim’s files by encrypting them and demands a ransom for a pair of key-decryptor, necessary for decrypting files. Files encrypted with .kodg extension become useless, their contents cannot be read without the key that the criminals have.
Kodg virus is the latest version of STOP ransomware, which was discovered by security researchers some days ago. This is already the is the 185th variant (v0185) of STOP ransomware. Like other variants, it encrypts all files on the computer and then demands a ransom for decryption. This virus encrypts files using a strong encryption method, which eliminates the possibility of finding a key in any way. For each victim, Kodg uses a unique key with a small exception. If the virus cannot establish a connection with a command and control server (C&C) before starting the encryption process, then it uses an offline key. This key is the same for different victims, which makes it possible in some cases to decrypt files that were encrypted during the ransomware attack.
Kodg has the ability to encrypt files of any type, regardless of what is in them. But it skips files with the extension: .dll, .lnk, .ini, .bat, .sys and files named ‘_readme.txt’. Thus, the following common file types can be easily encrypted:
.sum, .xwp, .kf, .m3u, .ppt, .bkf, .raf, .zi, .dbf, .p12, .x, .asset, .rar, .txt, .jpeg, .cfr, .orf, .xmmap, .mef, .fos, .fsh, .indd, .zdb, .wotreplay, .xbdoc, .odt, .xdl, .docm, .wmv, .7z, .cdr, .js, .cer, .m2, .mrwref, .mp4, .xxx, .pem, .snx, .desc, .wps, .wpl, .wmo, .wma, .wbmp, .vpk, .mdbackup, .wpt, .wp4, .xls, .mdb, .zabw, .ws, .wbc, .pfx, .epk, .accdb, .hkdb, .z, .yal, .rofl, .0, .qic, .doc, .sql, .wpd, .fpk, .xy3, .gdb, .pptm, .esm, .xf, .xlgc, .qdf, .mdf, .wav, .apk, .srw, .pak, .svg, .kdb, .r3d, .ptx, .dba, .ff, .xx, .bc6, .sr2, .ztmp, .raw, .bay, .wcf, .xdb, .wps, .xar, .xll, .sid, .docx, .wri, .vfs0, .x3f, .wp5, .d3dbsp, .odc, .xlsm, .ysp, .xyw, .bar, .rgss3a, .nrw, wallet, .upk, .w3x, .jpe, .das, .ods, .bik, .py, .dng, .ai, .p7b, .wpg, .yml, .xbplate, .png, .sidd, .wpa, .wdp, .wp7, .big, .mpqge, .wpb, .wgz, .xld, .wpd, .ntl, .pdd, .jpg, .mlx, .xlsm, .vcf, .sidn, .wire, .avi, .wbm, .psd, .mddata, .pst, .dxg, .p7c, .t12, .mov, .arch00, .bc7, .lrf, .m4a, .tor, .arw, .gho, .ibank, .rw2, .slm, .layout, .tax, .lvl, .webdoc, .wmv, .xlsb, .wn, .psk, .cr2, .sie, .zip, .xmind, .odp, .pkpass, .ncf, .forge, .rwl, .wp6, .srf, .itdb, .2bp, .dwg, .wmd, .wsh, .rtf, .bkp, .sav, .sis, .ybk, .dcr, .xls, .erf, .x3f, .vdf, .wb2, .crt, .1st, .vpp_pc, .xlsx
Each file that has been encrypted will be renamed. This means the following. If the file was called ‘image.jpg’, then after encryption, it will be named ‘image.jpg.kodg’. Kodg virus can encrypt files located on all drives connected to the computer. Therefore, files located in network attached storage and external devices can also be encrypted. It encrypts file by file, when all the files in the directory are encrypted, it drops a new file in the directory, which is called ‘_readme.txt’. Below is the contents of this file.
All directories with encrypted files have this file. But the contents of this file are the same everywhere. This file contains a message from Kodg creators. In this message, the criminals report that all the files were encrypted and the only way to decrypt them is to buy a decryptor and key. Attackers demand a ransom of $490, if the victim does not pay the ransom within 72 hours, then the ransom will double to $980. Kodg authors left two email addresses that the victim must use to contact them. To confirm the possibility of decryption, criminals offer to decrypt one file that does not contain important information for free. But it’s obvious that there is no guarantee that even by paying the ransom, the victim will be able to decrypt all files that have been encrypted.
|Type||Ransomware, Crypto malware, Filecoder, File locker, File virus|
|Encrypted files extension||.kodg|
|Detection Names||MalwareWin32.Ransom, TrojanEncoder, TrojanRansom: Crypted, UDSDangerous.Object MultiGeneric, TrojanWin.32.Kryptik, File.Rep.Malware, TR.CryptAgent|
|Symptoms||Files encrypted with .kodg extension. Files won’t open. Files called such as ‘_readme.txt’, or ‘_readme’ in each folder with at least one encrypted file.|
|Distribution ways||Phishing email scam. Adware. Drive-by downloads from a compromised web-site. Torrents websites. Social media. Activators&Cracks. Malicious ads.|
|Removal||Kodg virus removal guide|
|Decryption||Free Kodg Decryptor|
Kodg authors claim that it is impossible to decrypt files that have been encrypted. Until recently, this was so. At the moment, with the advent of STOP (Kodg) decryptor, in some cases you can decrypt files. This means that files can be decrypted if they are encrypted with the offline key that we talked about earlier. In all remaining cases, decryption is not yet possible. But there are several alternative ways that can allow everyone to recover the contents of encrypted files.
If your files were encrypted with Kodg virus, we recommend using the following action plan, which will allow you to remove the ransomware and decrypt (restore) the encrypted files. Read this entire manual, then open it on your smartphone or print it. So it will be more convenient for you to carry out all the necessary actions.
Remove Kodg ransomware virus
It is not recommended to immediately start decrypting or restoring files, this will be your mistake. This way is wrong. The best way is to go step by step: scan your computer for ransomware, detect and remove Kodg virus, decrypt (restore) files. To search for ransomware, we recommend using free malware removal tools. It is very important to use multiple malware removal tools to identify and remove Kodg. Each of the used tools should be based on a different anti-virus (anti-malware) engine. This is the only way to make sure that the ransomware was found and completely removed.
Remove Kodg ransomware with Zemana
We recommend that you start the process of finding and removing Kodg ransomware from a program called Zemana Anti-Malware. It is a malware removal tool, which is widely known among security experts and is often recommended by them. Zemana Anti-Malware is small in size, easy to use and can quickly scan your computer, find and remove ransomware, adware, trojans, worms, and other security threats. Immediately after the end of the scan, you can remove all found malware for free by simply clicking one button.
- Download Zemana on your Microsoft Windows Desktop from the link below.
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019
- Run the downloaded file and follow the prompts.
- Once installed, click the “Scan” button. Zemana AntiMalware will start scanning the whole machine to find out Kodg crypto virus related folders,files and registry keys.
- In order to remove all found malware, simply press “Next” button.
Remove Kodg virus with MalwareBytes
Another malware removal tool that we recommend using to remove Kodg virus is MalwareBytes. After the tool is installed on the computer, you cann immediately check the computer, find and remove ransomware. As with Zemana Anti-Malware, MalwareBytes allows you to remove all found malware for free.
- Click the link below, then press the ‘Download’ button in order to download the latest version of MalwareBytes.
Category: Security tools
Update: July 25, 2019
- After the downloading process is finished, close all windows on your PC, start the downloaded file named MBsetup.
- Follow the prompts and do not make any changes to default settings.
- Click the “Scan Now” button to scan through the whole system for Kodg ransomware virus.
- Once MalwareBytes completes the scan, it will display a list of detected threats.
- Click “Quarantine Selected” button.
To learn more about How to use MalwareBytes to remove Kodg virus, we recommend that you read the following guide: How to use MalwareBytes Anti-malware.
Remove Kodg virus with Kaspersky virus removal tool
Kaspersky virus removal tool (KVRT) is the third utility that we recommend using to check your computer for ransomware and make sure that Kodg virus is removed. It is a completely free utility that is based on the core of the famous antivirus created by Kaspersky Lab. KVRT can detect and remove a variety of malware, including ransomware, trojans, worms, adware, spyware, browser hijackers and so on.
- Download Kaspersky virus removal tool from the following link.
Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018
- Run the downloaded file.
- Click Start scan button to start scanning your computer for Kodg crypto malware and other malicious applications.
- Once the scan get completed, KVRT will show a scan report.
- You may remove all found malware by simply press on Continue button.
To learn more about How to use Kaspersky virus removal tool to remove Kodg virus, we recommend that you read the following guide: How to use Kaspersky virus removal tool.
How to decrypt .kodg files
All files with the ‘.kodg’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. To decrypt .kodg files, you need a decryptor. Fortunately, Emsisoft has created a free decryptor called STOP Djvu decryptor.
To decrypt .kodg files, use free STOP (Kodg) decryptor
- Download STOP (Djvu) decryptor from the following link.
STOP Djvu decryptor
- Scroll down to ‘New Djvu ransomware’ section.
- Click the download link and save the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe, read the license terms and instructions.
- On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
- Click the ‘Decrypt’ button.
STOP (Kodg) decryptor is a free tool that allows everyone to decrypt .kodg files for free. At the moment, the decryptor can only decrypt files that have been encrypted with an offline key. Unfortunately, if the files were encrypted with an online key, then the free decryptor is completely useless.
How to find out which key was used to encrypt files
Since STOP (Kodg) decryptor only decrypts files encrypted with the offline key, each Kodg’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.
First of all, you can look at the personal ID that is given in the ‘_readme.txt’ file (ransom note).
Another way, look on disk ‘C’ for ‘SystemID\PersonalID.txt’ file. This is a file in which Kodg ransomware stores the Personal IDs used for encryption.
The ‘Perosnal ID’ is not a key, it is a set of characters by which everyone can find out which key was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, then Kodg used an online key. If you could not understand which key was used to encrypt the files, then we can help you. Just write a request in the comments below.
What to do if STOP (Kodg) decryptor says “Error: Unable to decrypt file with ID”
If during decryption of .kodg files the decryptor reports ‘Error: Unable to decrypt file with ID’, skips files without decrypting them, then two cases are possible why this happens:
- files are encrypted with an ‘online key’, in this case, you need to use alternative methods to restore the contents of encrypted files;
- files are encrypted with an ‘offline key’, but the key itself has not yet been found by security researchers, in this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data;
How to restore .kodg files
As we already said, STOP (Kodg) decryptor can only decrypt files encrypted using the so called ‘offline key’. What to do when files were encrypted with an online key? Even in this case, everyone has a chance to recover the contents of encrypted files. This is possible due to the existence of several alternative ways to restore files. Each of these methods does not require a decryptor and a unique key, which is in the hands of criminals. The only thing we strongly recommend that you perform (if you have not already done so) is to perform a full scan of the computer. You must be 100% sure that Kodg virus has been removed. To find and remove ransomware, use the free malware removal tools.
Restore .kodg encrypted files using Shadow Explorer
The Windows OS (10, 8, 7 , Vista) has one very useful feature, it makes copies of all files that have been modified or deleted. This is done so that the user can recover, if necessary, the previous version of accidentally deleted or damaged files. These copies of the files are called ‘Shadow copies’. One tool that can help you recover files from the Shadow copies is ShadowExplorer. It is very small tool and easy to use. Unfortunately, ransomware often delete Shadow copies, thus blocking this method of recovering encrypted files. Nevertheless, be sure to try this method.
Please go to the link below to download the latest version of ShadowExplorer for MS Windows. Save it on your Microsoft Windows desktop.
Category: Security tools
Update: September 15, 2019
When the download is done, extract the downloaded file to a folder on your PC. This will create the necessary files as on the image below.
Run the ShadowExplorerPortable program. Now choose the date (2) that you want to recover from and the drive (1) you wish to recover files (folders) from as displayed below.
On right panel navigate to the file (folder) you want to recover. Right-click to the file or folder and press the Export button as displayed in the following example.
And finally, specify a directory (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.
Use PhotoRec to recover .kodg files
Another alternative way to recover encrypted files is to use data recovery tools. We recommend using a program called PhotoRec. This tool is free and does not require installation. Below we will show in detail how to use it to restore encrypted files.
Download PhotoRec on your computer by clicking on the following link.
Category: Security tools
Update: March 1, 2018
Once the downloading process is finished, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder like below.
Double click on qphotorec_win to run PhotoRec for MS Windows. It will open a screen as shown in the figure below.
Choose a drive to recover as displayed in the figure below.
You will see a list of available partitions. Choose a partition that holds encrypted files as on the image below.
Click File Formats button and choose file types to restore. You can to enable or disable the recovery of certain file types. When this is complete, press OK button.
Next, click Browse button to select where restored photos, documents and music should be written, then press Search.
Count of restored files is updated in real time. All restored photos, documents and music are written in a folder that you have chosen on the previous step. You can to access the files even if the restore process is not finished.
When the recovery is done, click on Quit button. Next, open the directory where recovered files are stored. You will see a contents as on the image below.
All recovered files are written in recup_dir.1, recup_dir.2 … sub-directories. If you’re looking for a specific file, then you can to sort your restored files by extension and/or date/time.
To sum up
This guide was created to help all victims of Kodg ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .kodg files; how to recover files, if STOP (Kodg) decryptor does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.
If you have questions, then write to us, leaving a comment below. If you need more help with Kodg related issues, go to here.