The _readme.txt note contains explanation of what happened to the victim’s computer-stored files and cybercriminals’ proposal on how they can be recovered. The note suggests that all files, including images, videos, databases and documents were encrypted with strongest algorithm and unique key. According to the ransomware analysis, the currently used encryption mode combines Salsa20 and RSA-2048 algorithms. The message left by the attackers explains that there is no other way to recover files except of paying a ransom; if the victim plans to do so, one can contact the attackers via provided emails – support@sysmail.ch and supportsys@airmail.cc. Going further into the ransom note contents, we can see that the criminals suggest testing the decryption service. They recommend sending one small encrypted file to them (preferably one that doesn’t contain valuable information) via email and also include the victim’s Personal ID which is provided in each _readme.txt file. The attackers promise to reply with a decrypted file version to prove that they can recover all of victim’s files. On top of that, they explain that the decryption tool price depends on how fast the victim gets in touch with the criminals. If the victim writes to the provided emails within 72 hours from the infection date, the decryption costs $490. If the victim hesitates for any longer, the price will rise to $980. Victims of ransomware attacks lose the most valuable data in such events. Naturally, we keep personal memories, work or study files in our computers, and suddenly losing access to them can have disastrous consequences that can affect not only you, but your clients’ files as well (if you use your computer for work, for example). That said, paying a ransom might seem tempting. However, we strongly advise you NOT TO PAY THE RANSOM. The same idea is supported by the official FBI’s advisory for ransomware victims. First of all, not all ransomware victims recover their data after paying a ransom. Moreover, paying a ransom is wrongful because it funds criminal operations, for instance, money allows them to employ more people, more skilled developers and distributors. Finally, if you decide to comply with criminals’ demands, you will be identified as a victim who is willing to pay up and possibly will be targeted again. Data encryption isn’t the only malicious activity carried out by STOP/DJVU ransomware. Beware that this notorious malware travels along with Azorult or Vidar Trojans, both known for their capabilities to steal information from victim’s computer (for instance, your browser-saved passwords, cryptocurrency wallets, browsing history, cookies, etc). Moreover, they’re classified as Remote Access Trojans (RATs), which means that the attackers can control them remotely and perform activities such as viewing, deleting your files or downloading something to your computer (such as more malware). All things considered, you should take action to remove KXDE ransomware virus and related threats from your computer to ensure your privacy is not at risk anymore. Therefore, we have prepared in-detail instructions on how to boot your PC in Safe Mode with Networking and start your chosen antivirus software from there. If you haven’t decided on one that you wish to use, we recommend relying on INTEGO Antivirus. Additionally, we advise downloading RESTORO and running a full system scan to identify which virus-affected system files can be repaired.
Ransomware Summary
REPAIR VIRUS DAMAGE
Ransomware distribution techniques
Malware variants from the STOP/DJVU ransomware family, including KXDE virus, are known to hide in pirated software versions advertised online. The victims typically stumble upon them when looking for ways to illegally activate full versions of paid software. They can be found in rogue websites or downloaded via torrents. Unfortunately, such downloads often carry a malicious payload inside of them, resulting in a full data encryption on a computer. Victims who have been exposed to variants of STOP/DJVU variants report falling into a trap after downloading software cracks supposed to activate full versions of these popular programs:
KMSPico (illegal Windows activation tool).Fifa 20;Tenorshare 4ukey;AutoCad;Opera browser;Corel Draw;Nero Burning ROM;VMware Workstation;Cubase;Adobe Illustrator;League of Legends;Microsoft Visio PRO;Internet Download Manager;Adobe Photoshop.
If you still have a bad habit of using pirated software versions, we recommend that you quit such activities for your own safety. When in need for a specific software, visit its official website or a confirmed partner’s site for deals and discounts and get a legitimate license key from there. This way, you won’t expose your computer to risks that come with illegal software versions. Remember that legitimate software subscriptions are never greater in cost than hefty ransoms that cybercriminals demand, not even to mention additional damages associated with private data loss. The message typically contains typo mistakes and the sender doesn’t know your real name, so the scammer greets the recipient using the email address username. For example, if your email address is Eduard123@example.com, the scammer might use Dear Eduard123 as the greeting line. Most of the time, these emails are composed using automatic programs. However, the attackers also tend to use email spoofing techniques to display a different sender’s email address for the victims, so we strongly recommend that you read this article on how to identify spoofed email addresses. Finally, victims of STOP/DJVU ransomware should stay away from suspicious online resources and people promising you decryption solutions. You should rely on trustworthy cybersecurity blogs only, and if these clearly state that there are no ways to decrypt files, it is that way. Do not fall into a trap of scammers who suggest you to download tools that can decrypt all versions of STOP/DJVU – these can hide additional malware. Moreover, watch out for scammers claiming they can recommend a “hacker” who can decrypt your files, and even worse, do not pay them if they ask you to do so. The only tools that can help victims of STOP/DJVU at the moment are created by Emsisoft and DiskTuna, and you can read more about them here.
How this ransomware operates
If you’re interested in modus operandi of KXDE ransomware virus, continue reading. This computer virus typically operates under its main process which is typically named with 4 random characters, for instance, 1GB6.exe or 9HN6.exe, but it also downloads some helper processes which are usually named as build.exe, build2.exe or build3.exe. Sometimes, it also downloads and runs a process under a name of winupdate.exe to display a fake Windows update screen for the victim while the main process is encrypting victim’s files. Before starting the data encryption procedure, this ransomware performs a geolocation check first. An interesting detail about this virus is that it doesn’t encrypt files in computers located in several countries, including Ukraine, Russian Federation, Syria, Armenia, Tajikistan, Kazachstan, Kyrgyzstan, Belarus, and Uzbekistan. To check what is the infected computer’s geolocation, the ransomware requests a response from https[:]//api.2ip.ua/geo.json and saves it into geo.json file. This file contains details such as PC’s IP address, country, city, timezone, and more. You can see two different examples of how this file appears in the screenshot provided below. Next, the ransomware creates a file named information.txt, which contains details about the computer’s hardware, installed software and actively running processes at the time of the attack. The ransomware also takes a screenshot of the desktop and sends them both to the Command&Control server. An example of information.txt contents are presented in the image below. Next, the ransomware attempts to request an online encryption key from its server. If this fails, the virus switches back to offline encryption mode and uses a hardcoded key instead. It saves the encryption key along with victim’s Personal ID to bowsakkdestx.txt file, and the ID separately to PersonalID.txt file. Both of these are displayed below. Speaking of SSOI ransomware encryption modes, they are divided into two – online and offline modes. When it comes to the online encryption type, it means that the malware has successfully obtained a unique encryption key and ID for the victim, which makes data recovery chances slim. Speaking of offline encryption mode, it indicates that the virus failed to obtain an encryption key from its server (for instance, due to Internet connectivity issues or if the server was down at the time of the request). Those subject to the offline encryption will typically notice t1 characters at the end of their PersonalID (a file located in C:\SystemID) and this indicates that there’s a possibility to recover all data in the future. Read more on how and when you can decrypt/repair STOP/DJVU encrypted data here. After saving the encryption key, the ransomware begins encrypting all of victim’s computer files using a combination of Salsa20 and RSA-2048 algorithms. During this process, each affected file will be marked with an additional .kxde extension as shown in the screenshot below. The virus also drops a copy of _readme.txt in every folder. Finally, the ransomware alters Windows HOSTS file by adding a list of websites to block on victim’s PC. As a consequence, victim’s attempts to visit them will be unsuccessful. The web browser may respond with DNS_PROBE_FINISHED_NXDOMAIN or similar error.
Remove KXDE Ransomware Virus and Decrypt Your Files
In an unfortunate event of becoming victim of a ransomware attack, the most important step is to erase all traits of the malware that compromised your computer. That said, we encourage you to follow the steps given below to remove KXDE ransomware virus safely. If you’re unsure which antivirus solution you can rely on, our team strongly recommends INTEGO Antivirus. Additionally, we suggest downloading RESTORO to repair virus damage inflicted on Windows OS files. After KXDE ransomware removal, you may want to take these recommendations into consideration:
Report cybercrime incident to a local law enforcement agency.Use data backups to restore some of your files.Find out ways STOP/DJVU-encrypted files could be decrypted or repaired.Change all passwords used on the infected computer.
OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Method 1. Enter Safe Mode with Networking
Before you try to remove KXDE Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove KXDE Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.
Alternative software recommendations
Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.
Decrypt KXDE files
Fix and open large KXDE files easily:
It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.
STOP/DJVU decryption tool usage guide
STOP/DJVU ransomware versions are grouped into old and new variants. KXDE Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt KXDE files, follow the given tutorial.
Meanings of decryptor’s messages
The KXDE decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your KXDE extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.
Report Internet crime to legal departments
Victims of KXDE Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:
In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.
If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.