.Kkll file extension ransomware (Kkll File Recovery Guide)

Kkll file extension

.Kkll file extension is a filename extension that is used by a malware belonging to the family STOP (Djvu) ransomware to mark files that have been encrypted. The Kkll ransomware is a malware that encrypts victims’ files and thus locks up the information contained in them. The ransomware developers demand a ransom in exchange for a decryptor and a key, which are necessary for decrypting the files. Fortunately, since Kkll is one of the variants of STOP (djvu) ransomware, in some cases you can use the free STOP (Djvu) decryptor as a Kkll File Decrypt Tool. More details about the Kkll File Decrypt Tool, as well as other ways of recovering encrypted files, will be discussed in this article below.

Kkll ransomware

Kkll ransomware is malware that is the 230th variant of STOP (DJVU) ransomware. Like other variants of this ransomware, it is distributed through key generators, cracked software, adware and torrents web-sites. Upon execution, Kkll creates a folder in the Windows system directory and copies itself there. Then the virus collects information about the victim’s computer and changes some Windows OS settings so that it starts automatically every time the PC is turned on or restarted.

Having collected information about the victim’s computer, the Kkll ransomware tries to establish a connection with its command-and-control server (C&C). If the connection has been established, the virus receives a key (so called ‘online key’) from the command server that will be used to encrypt files. In addition, Kkll virus may receive additional commands and files that will be executed on the victim’s computer. If the ransomware could not connect to the command server, then it uses a fixed key, which the security researchers called ‘offline key’.

There is a significant difference between ‘online key’ and ‘offline key’. The online key is unique for each victim, that is, the key from one victim will not help decrypt the files of the other victim. The offline key is the same for all victims. Thus, it can be used to decrypt files regardless of where they were encrypted.

Having a key to encrypt files, the Kkll ransomware proceeds directly to the process of encrypting files. It encrypts file-by-file, so that all files of the victim will be encrypted. It doesn’t matter where the files are located, on the internal drive, flash drive, external media, cloud storage, all of them can be encrypted. There is a small exception, the virus does not encrypt files located in the Windows system directories, files with the extension from the list ‘.lnk, .bat, ini, .sys, .dll’ and files with the name ‘_readme.txt’. Thus, almost all of the victim’s data will be encrypted, including documents, pictures, databases, archives and other types of files, such as:

.xpm, .zif, .ods, .wbc, .cr2, .lvl, .sav, .sid, .pdd, .pkpass, .das, .ptx, .yml, .mpqge, .esm, .webdoc, .rb, .pptx, .p12, .fpk, .snx, .txt, .odm, .arw, .blob, .sis, .eps, .syncdb, .docm, .sidd, .t12, .wpd, .srf, .ai, .rim, .bkf, .wbmp, .wmv, .x3d, .wsd, .itdb, .wp4, .dxg, .jpg, .xls, .yal, .wmd, .hkx, .odt, .xdb, .wpg, .wp, .wdb, .mov, .3dm, .lrf, .doc, .wps, .sidn, .csv, .litemod, .psk, .z3d, .cer, .ztmp, .wpe, .2bp, .accdb, .wsh, .gdb, .xml, .rtf, .sr2, .pak, .x3f, .xxx, .gho, .wpa, .dbf, .zabw, .ncf, .xy3, .hplg, .slm, .wsc, .map, .re4, .xx, .cas, .tor, .bc6, .mdf, .jpeg, .r3d, .ppt, .xbplate, .png, .desc, .mdb, .apk, .itl, .p7c, .x, .mef, .jpe, .erf, .ysp, .srw, .vtf, .odp, .1, .flv, .m2, .cfr, .js, .asset, .rofl, .m3u, .pst, .wdp, .vfs0, .upk, .xbdoc, .ybk, .dwg, .iwi, .rar, .xar, .ibank, .wp5, .hvpl, .pem, .ntl, .mddata, .mcmeta, .zip, .xlsx, .qdf, .arch00, .vdf, .hkdb, .qic, .orf, .rwl, .zip, .wp7, .icxs, .webp, .odc, .xlgc, .ltx, .bkp, .raf, .xlk, .wpd, .wps, .wbd, .wot, .crw, .wotreplay, .wm, .wbm, .bay, .wmf, .sb, .wav, .m4a, .d3dbsp, .vpp_pc, .rgss3a, wallet, .lbf, .wcf, .xll, .zdb, .xlsx, .der, .dng, .big, .bsa, .fos, .vcf, .y, .pef, .db0, .xdl, .indd, .layout, .xf, .xld, .bc7, .1st, .wpw, .mrwref, .xyw, .rw2, .z, .x3f, .3fr, .fsh, .sql, .wmo, .wn, .ff, .wri, .wp6, .vpk, .ws, .dazip, .mdbackup, .odb, .3ds, .pptm, .py, .sie, .wire, .css, .pfx, .wpb, .kf, .docx, .xwp, .p7b, .xyp, .dcr, .0, .sum, .dmp, .xls, .bar, .7z, .itm, .mlx, .cdr, .xlsb, .wpl, .wbz, .zdc, .wpt, .t13, .zi, .avi, .pdf, .kdc, .wma, .crt, .zw, .w3x, .xmind, .mp4, .wgz, .raw, .psd, .wma, .nrw, .wmv, .xlsm, .wb2, .wbk, .xlsm, .forge, .menu, .svg, .xmmap, .kdb, .epk, .dba, .bik, .tax

Each file that has been encrypted by the Kkll ransomware will be renamed. It will append the extension ‘.kkll’ at the end of the name of the affected file. Thus, a file named ‘image.jpg’, after it is encrypted, will receive the name ‘image.jpg.kkll’. To encrypt as many files as possible in the minimum time, the virus does not encrypt the entire file, but only its initial part in the amount of 154 kb. The Kkll ransomware encrypts files sequentially, when all files in the directory are encrypted, it places a new file in it. This file is called ‘_readme.txt’ and its contents are shown below.

The ‘_readme.txt’ file is a ransom note that is a message from Kkll creators. In this message, the criminals report that the victim’s files are encrypted and there is only one way to decrypt them – purchase the key and the decryptor from them. Attackers set the price for the key and decryptor at $980. If the victim pays the ransom within 72 hours, then Kkll authors agree to make a discount of half the ransom, that is, reduce the size of the ransom to $490. Criminals offer to decrypt one file for free. To do this, the victim needs to send this file to one of the email addresses listed in the ransom demand message. But successful decryption of one file does not guarantee the possibility of decryption of files even after payment of the ransom.

Threat Summary

Name	Kkll Ransomware, Kkll File Virus
Type	Crypto virus, Ransomware, File locker, Filecoder, Crypto malware
Encrypted files extension	.kkll
Ransom note	_readme.txt
Contact	helpmanager@mail.ch, restoreadmin@firemail.cc
Ransom amount	$490,$980 in Bitcoins
Detection Names	Riskware.Win32.Malicious.1!c, Trojan.TR/AD.InstaBot.jhp, W32/Kryptik.HDVD!tr, Trojan:Win32/DanaBot.GB!MTB, Generic/Trojan.BO.942, Malware.Obscure!1.A3BB (CLOUD), UDS:DangerousObject.Multi.Generic, Win32/GenKryptik.ELVU
Symptoms	When you try to open your file, Windows notifies that you do not have permission to open this file. Your files have new extension appended at the end of the file name. Files called like ‘_readme.txt’, ‘#_README_#’, ‘_DECRYPT_’ or ‘recover’ in each folder with at least one encrypted file. Desktop is locked with a message about How to pay to unlock your system.
Distribution methods	Phishing email scam that attempts to scare users into acting impulsively. Drive-by downloads from a compromised web page. Social media, like web-based instant messaging applications. Remote desktop protocol (RDP) hacking.
Removal	Kkll ransomware removal guide
Decryption	Kkll File Decrypt Tool

 

In the ransom note, the Kkll authors report that it is impossible to decrypt files without a key and a decryptor. In general, this is true; to decrypt .kkll files, you must use the key and the decryptor. This is confirmed by the security researchers.

As we reported at the very beginning of this article, there is a free Kkll File Decrypt Tool, which in some cases can decrypt .kkll files. In the case when it could not decrypt the files, there are several more methods, each of which can help the victim restore the files encrypted by Kkll ransomware. These methods do not require the use of a key and decryptor, and therefore are suitable for all victims.

How to remove Kkll ransomware, Recover, Decrypt .kkll files for free

If you are a victim of ransomware, your files have been encrypted, then we recommend that you follow the simple steps described above. These steps will help you remove Kkll ransomware, and decrypt .kkll files. Moreover, we will also show you how to recover encrypted files if the decryption of the files was unsuccessful. Read the entire manual carefully. To make it easier for you to follow the instructions, we recommend that you print it or open it on your smartphone.

1. How to remove Kkll ransomware
2. How to decrypt .kkll files
3. How to restore .kkll files
4. How to protect your system from Kkll ransomware

How to remove Kkll ransomware

The first thing you need to do before decrypting .kkll files is to make sure that Kkll ransomware is no longer active, as well as find all its components and remove them. An active ransomware is very dangerous because it can encrypt all files that were recovered during decryption. Therefore, you need to scan your computer for ransomware and other malware. To do this, we recommend using free malware removal tools that will find Kkll virus and remove it for free.

It is very important to scan your computer for malware, as security researchers report that along with ransomware, another malware (spyware) is often installed on the computer that steals the user’s personal information, such as passwords, logins, contact details, etc. If you have any difficulty removing the Kkll ransomware, then let us know in the comments, we will try to help you.

To remove Kkll ransomware, use the steps below:

1. Kill the Kkll ransomware process
2. Disable the Kkll ransomware Start-Up
3. Delete the Kkll ransomware Task
4. Scan computer for malware

Kill the Kkll ransomware process

Press CTRL, ALT, DEL keys together.

Click Task Manager. Select the “Processes” tab, look for something suspicious that is the Kkll ransomware then right-click it and select “End Task” or “End Process” option.

A process is particularly suspicious: it is taking up a lot of memory (despite the fact that you closed all of your programs, its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing).

Disable the Kkll ransomware Start-Up

Select the “Start-Up” tab, look for something similar to the one shown in the example below, right click to it and select Disable.

Close Task Manager.

Delete the Kkll ransomware Task

Type “Task Scheduler” in the search bar. Click Task Scheduler app in the search results. Click “Task Scheduler Library” in the left panel. On the right panel, right-click to “Time Trigger Task” and select Delete.

Close Task Scheduler.

Scan computer for malware

Zemana Free is a free malware removal utility. Currently, there are two versions of the utility, one of them is free and second is paid (premium). The principle difference between the free and paid version of the utility is real-time protection module. If you just need to scan your PC for malicious software and remove Kkll ransomware virus, other kinds of potential threats like malicious software and trojans, then the free version will be enough for you.

Visit the page linked below to download Zemana Free. Save it on your MS Windows desktop.

Once downloading is done, launch it and follow the prompts. Once installed, the Zemana Free will try to update itself and when this task is finished, click the “Scan” button for checking your machine for the Kkll ransomware virus and other security threats.

This task can take some time, so please be patient. While the Zemana Free program is checking, you can see number of objects it has identified as threat. When you’re ready, press “Next” button.

The Zemana Free will start to remove Kkll ransomware virus related folders,files and registry keys.

If you have already used some malware removal tools, they found and removed malicious software, then in order to be 100% sure that the computer no longer has the Kkll ransomware virus, we recommend using the Kaspersky virus removal tool (KVRT). It is a free portable program that scans your PC system for spyware, ransomware, adware, potentially unwanted software, trojans, worms, malicious software and allows delete them easily. Moreover, it’ll also help you delete any other security threats for free.

Download Kaspersky virus removal tool (KVRT) by clicking on the link below.

When the download is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you will see the KVRT screen as on the image below.

Click Change Parameters and set a check near all your drives. Click OK to close the Parameters window. Next click Start scan button for checking your system for the Kkll ransomware virus and other trojans and malicious apps. This procedure can take some time, so please be patient. While the utility is checking, you can see how many objects and files has already scanned.

When Kaspersky virus removal tool completes the scan, KVRT will create a list of unwanted applications and crypto virus as displayed on the image below.

When you’re ready, press on Continue to start a cleaning process.

How to decrypt .kkll files

To decrypt .kkll files, you need to use a unique key and decryptor. Security researchers confirm that it is impossible to access the contents of encrypted files without decryption. Renaming the affected files, changing their extension cannot help the victim, the files will still remain encrypted. Fortunately, Emsisoft created a free decryptor, which in some cases can decrypt .kkll files.

To decrypt .kkll files, use Kkll File Decrypt Tool

• Download Kkll File Decrypt Tool from the following link.
  STOP Djvu decryptor
• Scroll down to ‘New Djvu ransomware’ section.
• Click the download link and save the decrypt_STOPDjvu.exe file to your desktop.
• Run decrypt_STOPDjvu.exe, read the license terms and instructions.
• On the ‘Decryptor’ tab, using the ‘Add a folder’ button, add the directory or disk where the encrypted files are located.
• Click the ‘Decrypt’ button.

Kkll File Decrypt Tool is a free decryptor that can decrypt files only in some cases, when the files were encrypted with an ‘offline key’. If the files were encrypted with an ‘online key’, then they cannot be decrypted. The reason for this is that the ‘online key’ is in the hands of criminals and this key can not be determined. But even in this case, there is a chance to restore the contents of encrypted files, we will talk about this in section “How to restore .kkll files” of this article.

This video step-by-step guide will demonstrate How to remove KKLL ransomware and Decrypt .kkll files.

How to find out which key was used to encrypt files

Since Kkll File Decrypt Tool only decrypts files encrypted with the offline key, each Kkll’s victim needs to find out which key was used to encrypt the files. Determining the type of key used is not difficult. Below we give two ways. Use any of them.

Find out the type of key using ‘_readme.txt’ file

• Open the ransom demand message (‘_readme.txt’ file).
• Scroll down to the end of the file.
• There you will see a line with the text ‘Your personal ID’.
• Below is a line of characters that starts with ‘0230’ – this is your personal id.

Find out the type of key using ‘PersonalID.txt’ file

• Open disk C.
• Open directory ‘SystemID’.
• Open file named ‘PersonalID.txt’. This file lists ‘Personal ID’s that match the keys that the Kkll ransomware used to encrypt files.

The ‘Personal ID’ is not a key, it is an identifier related to a key that was used to encrypt files. If the ID ends with ‘t1’, then the files are encrypted with an offline key. If the ID does not end with ‘t1’, Kkll virus used an online key. If you could not figure out how to determine which key was used to encrypt files, then we can help. Just write a request here or in the comments below.

Kkll File Decrypt Tool : “No key for New Variant offline ID”

If during decryption of .kkll files the Kkll File Decrypt Tool reports No key for New Variant offline ID, then this means the following: your files are encrypted with an ‘offline key’, but the key itself has not yet been obtained by security researchers. In this case, you need to be patient and wait a while, in addition, you can also use alternative ways for recovering encrypted data. We recommend to follow the news on our Facebook or YouTube channels. So you ‘ll know right away that it ‘s possible to decrypt .kkll files.

Kkll File Decrypt Tool : “No key for New Variant online ID”

If, when you try to decrypt .kkll files, the Kkll File Decrypt Tool reports No key for New Variant online ID, then this means that your files are encrypted with an ‘online key’ and their decryption is impossible, since only the Kkll authors have the key necessary for decryption. In this case, you need to use alternative methods listed below to restore the contents of encrypted files.

How to restore .kkll files

If the Kkll File Decrypt Tool did not help you, or your files are encrypted using an online key, then there is no need to panic! There are several other alternative methods that may help you to restore the contents of encrypted files. Once again, remember to be sure to check your computer for ransomware and malware using free malware removal tools. You must be sure that Kkll ransomware is completely removed.

Use ShadowExplorer to restore .kkll files

First of all, try to recover .kkll files from Shadow Volume Copies, which are automatically created by Windows OS. In order to recover photos, documents and music encrypted by Kkll virus from Shadow Volume Copies you can use a tool called ShadowExplorer. We recommend using this free utility because it is small in size, has a simple interface and does not require installation on a computer. Unfortunately, ransomware often removes all Shadow copies. Therefore, if Shadow Explorer cannot help you, then immediately proceed to the second method, which is given below.

Click the following link to download the latest version of ShadowExplorer for Microsoft Windows. Save it on your Desktop.

After downloading is done, open a directory in which you saved it. Right click to ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next please open the ShadowExplorerPortable folder like below.

Double click ShadowExplorerPortable to launch it. You will see the a window as shown in the following example.

In top left corner, choose a Drive where encrypted documents, photos and music are stored and a latest restore point as on the image below (1 – drive, 2 – restore point).

On right panel look for a file that you wish to recover, right click to it and select Export as shown below.

This video step-by-step guide will demonstrate How to recover .kkll files using Shadow Explorer.

Run PhotoRec to restore .kkll files

Another alternative way to recover .kkll files is to use data recovery software. This method requires a lot of time, but in most cases it allows you to recover part, and sometimes all, encrypted files. To restore .kkll files, use a free tool called Photo Rec. It has a simple interface and does not require installation.

Download PhotoRec on your computer from the following link.

After downloading is complete, open a directory in which you saved it. Right click to testdisk-7.0.win and select Extract all. Follow the prompts. Next please open the testdisk-7.0 folder as shown on the screen below.

Double click on qphotorec_win to run PhotoRec for Windows. It will open a screen as shown in the following example.

Choose a drive to recover as shown on the image below.

You will see a list of available partitions. Choose a partition that holds encrypted documents, photos and music as shown on the screen below.

Press File Formats button and specify file types to restore. You can to enable or disable the restore of certain file types. When this is finished, press OK button.

Next, click Browse button to select where recovered files should be written, then click Search.

Count of restored files is updated in real time. All recovered documents, photos and music are written in a folder that you have chosen on the previous step. You can to access the files even if the recovery process is not finished.

When the recovery is complete, click on Quit button. Next, open the directory where recovered documents, photos and music are stored. You will see a contents as on the image below.

All restored documents, photos and music are written in recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, then you can to sort your restored files by extension and/or date/time.

This video step-by-step guide will demonstrate How to recover .kkll files using PhotoRec.

How to protect your system from Kkll ransomware

Most antivirus apps already have built-in protection system against the crypto virus. Therefore, if your computer does not have an antivirus program, make sure you install it. As an extra protection, use the HitmanPro.Alert. All-in-all, HitmanPro.Alert is a fantastic utility to protect your PC system from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of MS Windows OS from MS Windows XP to Windows 10.

Download HitmanPro Alert by clicking on the link below.

After the downloading process is finished, open the folder in which you saved it. You will see an icon like below.

Double click the HitmanPro Alert desktop icon. After the utility is started, you’ll be displayed a window where you can choose a level of protection, as displayed in the figure below.

Now press the Install button to activate the protection.

Finish words

This guide was created to help all victims of Kkll ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to decrypt .kkll files; how to recover files, if Kkll File Decrypt Tool does not help; what is an online key and what is an offline key. We hope that the information presented in this manual has helped you.

If you have questions, then write to us, leaving a comment below. If you need more help with Kkll related issues, go to here.