Kut ransomware is file-encrypting malware that belongs to the Dharma ransomware family. Adds the [firstname.lastname@example.org].kut extension to encrypted files, shows a pop-up ransom note, as well as drops a FILES ENCRYPTED.txt text one.
Kut ransomware is the newest member of the notorious Dharma ransomware family. It’s a dangerous piece of malicious software that encrypts files and demands that users pay for their decryption. The Dharma cyber gang has been releasing new versions on a regular basis, and we have reported on quite a few of them, including bH4T, LCK, Dme, and Cve.
Once the ransomware is initiated, it will encrypt photos, videos, documents, etc., in order to force the user into paying a ransom. However, the thing about ransomware is that even when users pay, there are no guarantees that files would be decrypted. Unfortunately, it’s not uncommon for cyber criminals to take the money but not send the decryptor. This has happened many times in the past with different ransomware, so paying the ransom is always a risk. The exact sum requested by Kut ransomware is not known, as it’s not mentioned in the pop-up or the text ransom notes. But it will likely be somewhere between $100 and $1000, as that is usually how much ransomware requests. Paying is not only not recommended because it’s risky, but also because it supports future criminal activity of these cyber crooks. Essentially, the more users pay the ransom, the more encouraged to continue cyber criminals will be.
If users have backup, they can access it as soon as they remove Kut ransomware from their computers. Users should make sure the ransomware is completely gone before accessing the backup, as otherwise, those files may become encrypted as well.
Users should be aware that while a decryptor for Dharma ransomware is available on NoMoreRansom, it will not work on its new versions. It should also be mentioned that there are many fake decryptors advertised on the Internet, and while some of them may be harmless, others could be malicious. Users should never download decryptors form unknown sources, as it’s likely that the supposed decryptor will turn out to be malware. A couple of trustworthy sources to download decryptors from are NoMoreRansom, Emsisoft, other anti-virus vendors, as well as malware researchers.
Ransomware spread methods
It’s very common for ransomware to be spread using spam email campaigns. Malicious files come attached to free software as extra offers, and when users open those files, they end up accidentally initiating the ransomware. Such emails are often quite recognizable because they are sent from questionable email addresses, contain an abundance of grammar and spelling mistakes, as well as just seem off somehow. In general, users should not be opening unsolicited emails with attachments, no matter who they’re from, without first making sure that everything checks out. And all unsolicited attachments should be scanned with anti-virus software or VirusTotal before they’re opened.
Ransomware, as well as other malware, can often be found in torrents, particularly in torrents for entertainment content, such as movies, games, TV shows, etc. This is especially the case with torrents for content that’s particularity popular at the time. For example, malware was often found in torrents for episodes of the popular fantasy TV series Game of Thrones back when the show was airing. This mainly happens because many torrent sites are not regulated properly, which cyber crooks take full advantage of. Users who pirate are at an increased risk of picking up some kind of malware accidentally, which is one of the reasons why pirating is discouraged.
Overall, users with bad browsing habits usually end up infecting their computers with something.
Is it possible to decrypt Kut ransomware encrypted files?
Kut ransomware is a fairy typical ransomware. It starts encrypting files as soon as it enters a computer and then demands that users pay for their decryption. This Dharma version can be differentiated from the other ones by the [email@example.com].kut extension added to encrypted files. Victim’s unique ID will also be part of the extension. For example, image.jpg would become image.jpg.unique ID.[firstname.lastname@example.org].kut. Users will not be able to open any of the files with that extension.
Once file encryption is complete, the ransomware will show a pop-up ransom note, as well as drop a FILES ENCRYPTED.txt text one. The pop-up one contains more information, though does not mention the price for the decryptor. Users who want to get the decryptor are asked to send an email to email@example.com or firstname.lastname@example.org with their unique ID, which is also included in the pop-up ransom note. However, we do not recommend contacting these cyber criminals. Whatever the decryptor price will be, paying will be risky. There really are no guarantees that the decryptor will actually be sent, or that it will work. Currently, backup is the only sure way recovering files.
Here is the text from the pop-up ransom note:
YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
Kut ransomware removal
When it comes to ransomware, using anti-malware software is a must. There are plenty of anti-virus programs that detect and delete Kut ransomware, so there should be no issues with that. Unfortunately, removing the ransomware does nothing to decrypt files, as the decryptor is necessary for that.
Kut ransomware is detected as:
- Trojan.Ransom.Crysis.E (B) by Emsisoft
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom.Crysis by Malwarebytes/Symantec
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom-Dharma!CD4CAAF3C2CE by McAfee