Yet another Djvu/STOP ransomware version has been released; this one is called Kasp ransomware. It adds the .kasp file extension to encrypted files, drops a _readme.txt ransom note, and demands that users pay $980 for file decryption.
Kasp ransomware is one of hundreds of ransomware variants from the Djvu/STOP malware family. All of the ransomware from this family is more or less the same. This ransomware is called Kasp because it adds the .kasp file extension to encrypted files. A file named image.jpg would become image.jpg.kasp. Once the ransomware is done encrypting files, it will drop the _readme.txt ransom note, which asks that victims pay $980 for a decryption tool. A 50% discount would supposedly be given to victims who contact the cyber crooks behind this ransomware within 72 hours.
However, paying the ransom or even contacting these cyber crooks is not a good idea. While paying the ransom may seem like the best option for users who have no backup, it should be mentioned that paying will not necessarily get the desired outcome. Cyber criminals have nothing to lose by not sending the decryption tool once the ransom has been paid, and they have done so numerous times in the past. It’s also possible victims would be sent faulty decryptors, though malware researchers can sometimes help make them work. Nonetheless, paying the ransom is risky. It also supports the future criminal activity of these cyber criminals, encouraging them to continue.
Unfortunately, a backup is currently the only free way to recover files. Users who backed up files prior to their computers getting infected can start file recovery as soon as they remove Kasp ransomware. If the malware is still present when the backup is accessed, files in it may become encrypted as well.
We should also mention that decryptors are released for free by malware researchers who want to help victims. Some versions of Djvu/STOP ransomware are decryptable with Emsisoft’s decryptor, but it does not work for newer versions. Currently, there is no free decryptor for Kasp ransomware available. If one were to be released, Emsisoft and NoMoreRansom are the safest sources to get it.
Ransomware distribution methods
Ransomware mostly spreads on torrent sites and forums, via email attachments and malicious ads. Generally, users who have good browsing habits can avoid the majority of malware infections.
It’s no secret that torrent sites are very much full of malware. Pirating popular content is quite dangerous because loads of malware is disguised as movies, episodes of TV series, games, etc. The same goes for forums and sites promoting software cracks. Users who download pirated content are not only essentially stealing but also putting their computers in danger.
Engaging with malicious ads could also lead to a serious infection. High-risk websites often have many questionable ads, which, if clicked, could take users to dangerous sites promoting malware. When visiting adult sites, streaming pages, etc., it’s highly recommended to have an adblocker installed, as it would block pop-ups and redirects.
But the most common way users pick up ransomware is via email attachments. If a user’s email address has been leaked by some service, there is a high chance that it would be used in a spam email campaign at some point. Cyber criminals purchase thousands of email addresses from hacker forums and then proceed to send malicious or scam emails to them. Fortunately, as long as users are attentive, they should be able to recognize dangerous emails. They’re usually sent from silly or nonsense email addresses despite senders claiming to be from legitimate companies or organizations. Furthermore, those emails are usually full of grammar and spelling mistakes. It’s recommended that users always scan unsolicited email attachments with anti-malware software or VirusTotal.
Is it possible to decrypt Kasp ransomware files?
The ransomware will immediately start encrypting files. It primarily targets documents, videos, photos, etc., and once the files are encrypted, the file extension .kasp is added to them. Files with that extension will not be openable, unless users decrypt them with a special decryptor. Once files are encrypted, the ransomware will drop a ransom note _readme.txt. The note is identical to the ones dropped by other Djvu ransomware versions.
Here’s the full Kasp ransomware note:
Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
Victims are offered the decryption tool for $980, or $490 if they make contact within 72 hours. As we said above, paying the ransom is quite risky because there are no guarantees that victims will be sent a decryptor. Victims should keep in mind that they are dealing with cyber criminals who are not likely to feel any kind of obligation to help victims. But unfortunately, there currently is no free way to recover files. There may be scammers claiming to be able to decrypt files for a smaller price, but users should be skeptical. Users should also be very careful about where they download decryptors from, as there currently is a trend of disguising malware as ransomware decryptors.
Kasp ransomware removal
It’s best to use anti-malware software to delete Kasp ransomware, as that is the safest way. Users should not attempt to manually remove Kasp ransomware, as that could cause even more damage. Once users remove Kasp ransomware, they can access their backup.
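An added example, not part of the original article or any vendor tool: a read-only Python check for the two on-disk markers this page describes (the .kasp suffix and the _readme.txt note), meant to be run over a backup or a cleaned system before restoring. The function names, the marker phrases picked from the quoted note, and the sample tree are assumptions of this example.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".kasp"   # extension this page says is appended
NOTE_NAME = "_readme.txt"    # ransom note name given on this page
NOTE_MARKERS = ("decrypt tool", "personal id")  # phrases from the quoted note

def looks_like_note(path):
    """True only if the file contains phrases from the quoted ransom note."""
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return all(marker in text for marker in NOTE_MARKERS)

def survey(root):
    """Read-only walk of root: list encrypted files and ransom notes."""
    report = {"encrypted": [], "notes": [], "original_types": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower().endswith(ENCRYPTED_SUFFIX):
                report["encrypted"].append(path)
                # image.jpg.kasp -> ".jpg": shows which file types were hit
                original = Path(name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower()
                report["original_types"][original or "(none)"] += 1
            elif name.lower() == NOTE_NAME and looks_like_note(path):
                report["notes"].append(path)
    return report

def backup_is_clean(root):
    """A backup is safe to restore from only if it has no encrypted files or notes."""
    found = survey(root)
    return not found["encrypted"] and not found["notes"]

def make_sample_tree(base):
    """Constructed sample data: one clean folder, one affected folder."""
    clean, hit = Path(base) / "clean", Path(base) / "hit"
    clean.mkdir()
    hit.mkdir()
    (clean / "_readme.txt").write_text("Install notes for a normal program.")
    (hit / "image.jpg.kasp").write_bytes(b"\x00")
    (hit / "_readme.txt").write_text("purchase decrypt tool\nYour personal ID:\n")
    return clean, hit

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print([backup_is_clean(d) for d in make_sample_tree(tmp)])  # [True, False]
```

An ordinary _readme.txt shipped with legitimate software is not flagged, because the note check requires phrases from the ransom note itself.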
Kasp ransomware is detected as:
- TR/AD.InstaBot.rfupu by Avira
- A Variant Of Win32/Kryptik.HFYV by ESET
- Trojan.MalPack.GS by Malwarebytes
- Exploit.Win32.Shellcode.toq by Kaspersky
- Ursnif-FSNX!9315770175BE by McAfee
- Trojan:Win32/Ymacco.AA7D by Microsoft
- Packed.Generic.525 by Symantec