How to remove K2 ransomware

K2 ransomware is file-encrypting malware from the VoidCrypt ransomware family. If files on a computer have .[][unique ID].k2 appended to their names, the computer is infected with K2 ransomware.



K2 ransomware is malware that encrypts files and comes from the VoidCrypt ransomware family. It can be identified by the .k2 file extension added to encrypted files. Users will not be able to open any encrypted files until they are decrypted with a special decryptor, which the cyber crooks behind this ransomware will try to sell to victims. However, buying the decryptor is not a good idea because not only does it not guarantee file decryption, it also encourages the cyber crooks behind this ransomware to continue their malicious activities.

At this moment, only users who have a backup can recover files for free. However, users who do have a backup first need to remove K2 ransomware from their computers. Otherwise, the ransomware will encrypt the files in the backup as well. For users who don’t have a backup, backing up the encrypted files and waiting for a free decryptor to become available is perhaps the only option left. Malware researchers do release free decryptors when it’s possible, so one for K2 ransomware may be released in the future as well. One is not currently available, so users should be careful with questionable sites promising it. There may be fake decryptors promoted on questionable sites, which could result in additional malware being installed on the computer. Legitimate sources like NoMoreRansom host actual decryptors, so if one for K2 ransomware is released, it would be posted on NoMoreRansom.

How does ransomware spread?

Ransomware usually spreads via email attachments, torrents, malicious sites, etc. Essentially, users end up infecting their computers because they have bad browsing habits. Developing better habits can help avoid a lot of malware infections.

Malspam is one of the most common ways users pick up ransomware infections. Cyber crooks buy email addresses from hacker forums to launch malspam campaigns which distribute malware. Fortunately for users, the emails containing malware are usually quite obvious. They are sent from random email addresses, contain loads of grammar and spelling mistakes, and pressure users into opening the attachments by claiming they’re important files. The emails are usually made to look like they’re from legitimate companies or government organizations, as that lowers users’ guard. While most malspam will be quite obvious, there may be more sophisticated attempts. Thus, it’s strongly recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal before opening them.

Users who use torrents to pirate copyrighted content are also at increased risk of picking up some kind of infection. Torrent sites are not regulated properly and are full of malware. Torrents for popular movies, TV shows, games, software, etc., often have malware. The more popular some entertainment content is, the more likely a torrent for it will contain malware.

It’s also highly recommended to install security updates as they come out. Updates patch known vulnerabilities in the system that malware can use to get in, which is why they are so important.

What does the ransomware do?

When ransomware infects a computer, it immediately starts encrypting files. Users will know when encryption is done because files will have .[][unique ID].k2 added to them. Users will not be able to open files with that extension until they are decrypted. The ransomware will also drop a !INFO.HTA ransom note. The note will explain that files have been encrypted and that the only way to recover them is to buy the decryptor. Users are also informed that they can decrypt a couple of files for free, provided they don’t contain any sensitive information. The price is not mentioned, but the note claims that if the money is not paid within 48 hours, the price will double.
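The two indicators described above (the .k2 extension and the !INFO.HTA note) are enough to inventory what was hit before restoring from backup. The following read-only scanner is an added example, not part of the original article; the sample file names, including the `[placeholder][ID-0000]` parts, are constructed, and matching only on the trailing `.k2` is an assumption made because the article does not give the full bracket layout.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".k2"   # extension named in the article
RANSOM_NOTE = "!info.hta"  # note name from the article, compared case-insensitively


def scan(root):
    """Walk root (read-only) and classify files as encrypted, ransom note, or intact."""
    report = {"encrypted": [], "notes": [], "intact": [], "per_dir": Counter()}
    # followlinks=False avoids wandering into linked network or backup locations
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            if lower == RANSOM_NOTE:
                report["notes"].append(path)
            elif lower.endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
                report["per_dir"][dirpath] += 1
            else:
                report["intact"].append(path)
    return report


def build_sample_tree(root):
    """Constructed sample data: harmless empty files that mimic the naming."""
    names = [
        "docs/report.docx.[placeholder][ID-0000].k2",
        "docs/!INFO.HTA",
        "docs/notes.txt",
        "pics/photo.jpg.[placeholder][ID-0000].K2",
    ]
    for rel in names:
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.touch()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        r = scan(tmp)
        print(f"encrypted: {len(r['encrypted'])}, notes: {len(r['notes'])}, "
              f"intact: {len(r['intact'])}")
        # Directories with the most encrypted files first, to plan the restore
        for d, n in r["per_dir"].most_common():
            print(f"{n:5d}  {d}")
```

Pointing `scan()` at a user profile or data drive gives a per-directory count of encrypted files that can be compared against what the backup contains.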

Whatever the price may be, we don’t recommend paying, mainly because it doesn’t guarantee that files will be decrypted. There are no guarantees that the cyber crooks behind this ransomware will send the decryptor once the payment is made since they can just take the money. Furthermore, as long as users continue paying the ransom, ransomware will be an issue.

Below is the text from the ransom note dropped by the K2 ransomware:

!!! Your Files Has Been Encrypted !!! your files has been locked with highest secure cryptography algorithm
there is no way to decrypt your files without paying and buying Decryption tool
but after 48 hour decryption price will be double
you can send some little files for decryption test
test file should not contain valuable data
after payment you will get decryption tool ( payment Should be with Bitcoin)
so if you want your files dont be shy feel free to contact us and do an agreement on price
!!! or Delete you files if you dont need them !!!
Your ID :-
our Email
In Case Of No Answer

Unfortunately, only users who have a backup can recover files for free. But users should first take care to fully delete K2 ransomware from the computer before accessing the backup.

K2 ransomware removal

The recommended way to delete K2 ransomware is to use anti-virus software because that is easiest and safest. If users try to remove K2 ransomware manually, they could end up causing even more damage. Once the ransomware is no longer present, users can access their backup to start file recovery. However, removing the ransomware does not decrypt files.

K2 ransomware is detected as:

  • Win32:RansomX-gen [Ransom] by Avast/AVG
  • DeepScan:Generic.Ransom.AmnesiaE.A68B8C6 by Emsisoft
  • HEUR:Trojan-Ransom.Win32.Generic by Kaspersky
  • Ransom:Win32/Spade.DB!MTB by Microsoft
  • ML.Attribute.HighConfidence by Symantec
  • Ransom.VoidCrypt by Malwarebytes
  • GenericRXMJ-AK!7287C273733C by McAfee
  • DeepScan:Generic.Ransom.AmnesiaE.A68B8C69 by BitDefender