How to remove KOOK ransomware and recover files

Kook ransomware is one of the many versions of the Djvu/STOP ransomware family. It encrypts files and demands money for their recovery.


Kook ransomware is one of the hundreds of versions that have come out of the Djvu ransomware family. Versions with very few changes are being released left and right, and Djvu has become one of the most notorious ransomware families today. The majority of its versions are almost identical, with different file extensions added to encrypted files. We’ve already reported on Kuus ransomware, another almost identical version. This version adds the .kook file extension to encrypted files, which is why it’s known as Kook ransomware. As is usual for ransomware, it targets photos, videos, documents, etc., essentially the files that users would be most likely to pay for.

A ransom note will be dropped once the encryption process is complete, and it will demand that users pay $980 to get the decryptor. The thing about paying the ransom is that it does not guarantee file decryption. It’s not uncommon for ransomware operators to just take off without sending a decryptor once they get the money. Thus, users are usually discouraged from paying the ransom.

Whether it’s possible to decrypt Kook ransomware encrypted files is probably the most important question on victims’ minds. Unfortunately, the only sure way to recover files is via backup. If users have backed up files prior to getting infected, they can safely start file recovery once they remove Kook ransomware from the computer. For users who have no backup, waiting for malware researchers to release a free decryptor may be the only option.

Ransomware distribution methods

There is nothing unusual about how Kook ransomware is distributed. It’s commonly spread via malicious emails or torrents, as well as pirated content download websites.

Spam email campaigns are one of the most common ways cyber criminals spread malware. They buy email addresses in bulk from data breaches, and send emails with malicious files attached to them. The emails are rarely sophisticated and are mostly quite obvious. They often claim to be some kind of official correspondence from known companies, government organizations or institutions such as banks. The attached file is supposedly some kind of important document that needs to be reviewed immediately, and when users open it they are asked to enable macros. If they do, the malware will be able to launch and start encrypting files. Because emails carrying malicious files are quite common and are sometimes able to bypass the security measures email providers have, it’s important to know at least the most obvious signs that an email may be malicious. The signs usually include a lot of grammar and spelling mistakes in what’s supposed to be official correspondence, and a random-looking sender’s email address. And as a precaution, it’s a good idea to scan all unsolicited email attachments with anti-malware software or VirusTotal.

It’s also not uncommon to pick up various malware infections from torrents and other sites hosting pirated content. Those sites are largely unregulated and just about anyone could upload anything. It’s pretty common for malware to be disguised as a popular movie, TV series, game, software, etc. Pirating is highly discouraged because it is not only essentially stealing content, it’s also dangerous for the computer.

Can Kook ransomware files be decrypted

When users open the malicious file and enable the macros, the malware will then start the encryption process. Like we mentioned above, it targets the files users would find most important. All encrypted files will have the .kook file extension, and users will not be able to open them. A ransom note _readme.txt will also be dropped. The note is completely identical to the one dropped by all other Djvu versions.

It goes as follows:


Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Victims are offered the decryption tool for $490 if they send an email to the provided email address within 72 hours. Otherwise, the sum is $980. Victims can also have one file decrypted for free, provided it does not contain any important information. Presumably this is done to prove to the victims that the operators can indeed decrypt files.

Users are always discouraged from paying the ransom, no matter how small the sum is, as it does not guarantee file decryption. There’s nothing stopping cyber criminals from simply taking the money. Furthermore, paying also acts as an encouragement for cyber criminals to continue their malicious activity. As long as victims pay, ransomware will be a prominent threat.

If users are out of options, they can only wait for malware researchers to develop and release a free decryption tool. Many Djvu ransomware versions are already decryptable with Emsisoft’s decryptor for STOP Djvu. Users should back up encrypted files and wait for a free tool to be released. It’s not guaranteed but it may happen in the future.
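One way to carry out the "back up encrypted files" step, as an added example that is not part of the original article: the script copies every .kook file to a separate location with its folder structure intact, records a SHA-256 for each copy, and lists the folders where a _readme.txt note was dropped. The function names and the "evidence" folder are assumptions made for this example, and the sample tree is constructed.

```python
import hashlib
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".kook"    # extension named in the article
NOTE_NAME = "_readme.txt"  # ransom note name given in the article


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):  # 1 MiB chunks
            digest.update(block)
    return digest.hexdigest()


def preserve_encrypted(root, dest):
    """Copy *.kook files to dest; return (manifest, note_dirs, types)."""
    root, dest = Path(root).resolve(), Path(dest).resolve()
    if dest == root or root in dest.parents:
        raise ValueError("dest must be outside the scanned tree")
    manifest, note_dirs, types = {}, [], Counter()
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root)
        if path.name.lower() == NOTE_NAME:
            note_dirs.append(rel.parent.as_posix())
        elif path.suffix.lower() == ENCRYPTED_EXT:
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, target)  # copy only; originals untouched
            manifest[rel.as_posix()] = sha256_of(target)
            if manifest[rel.as_posix()] != sha256_of(path):
                raise OSError(f"copy of {rel} differs from the source")
            types[Path(path.stem).suffix.lower() or "(none)"] += 1  # a.jpg.kook -> .jpg
    return manifest, note_dirs, types


def demo():
    """Run against a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "docs")
        src.mkdir()
        for name in ("a.jpg.kook", "b.docx.kook", NOTE_NAME, "ok.txt"):
            (src / name).write_bytes(name.encode())
        return preserve_encrypted(src, Path(tmp, "evidence"))
```

Point dest at external or offline storage, and keep the manifest with the copies so they can be checked for integrity before a decryptor is tried on them.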

Kook ransomware removal

Ransomware is a complicated infection, and users should only delete Kook ransomware with anti-malware software. If users attempt manual Kook ransomware removal, they may end up doing even more damage. And once the ransomware is no longer present, users can access their backup to start recovering files that have been encrypted.