.kroput new ransomware attack

Files encrypted with the .kroput extension belong to the newest variant of STOP (DJVU) ransomware.

You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files.

Please read here for a summary of this infection, its variants and possible decryption solutions with instructions (including what to do if the decrypter does not work).


STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1", as explained here.

Please read the instructions here (including what to do if the decrypter does not work).

Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, and the creator of ID Ransomware (IDR).

  • 2 weeks later...

Please, I have also been affected by the .kroput ransomware, and all efforts to decrypt the files I have have been futile. I have downloaded Malwarebytes and used it to scan the system, but I don't think the system is clean yet. I will be glad if I can get any suggestions from you, and yes, please, I would love it if you could assist me with decrypting these files. Please find attached the corrupt file samples.

Attachments: hen 3d.rar.kroput, _readme.txt

6 hours ago, Israel said:

Please, I have also been affected by the .kroput ransomware, and all efforts to decrypt the files I have have been futile.

Did you run the STOPDecrypter as quietman7 recommended? If so, what did it tell you?


Hi GT500, thanks for the other time, but STOPDecrypter can't decrypt some files. It's giving me a message that it could not generate the key for its ID, which is (ID: upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1). Any suggestions? Can I brute force it or not?

5 hours ago, Israel said:


This is a new offline ID that is in the latest version of STOPDecrypter (published today). Redownload it, and any files that use that ID should be decryptable.


3 hours ago, Israel said:


This is almost certainly an online key, which means files that have this ID will more than likely not be decryptable.

Michael Gillespie (the guy who made STOPDecrypter) will need the MAC address of the affected computer in order to archive this, in case he can figure out the private key later. It should be in STOPDecrypter's logs when you run it on the computer to decrypt the files.


5 hours ago, Israel said:

Can I brute force it or not?

It's technically possible, if you don't mind waiting for a few thousand years for it to finish.

In general, if brute forcing a key for encrypted files is viable (as in it will finish in a reasonable amount of time), then we'll release a decryption tool that is capable of doing it.


If the identifier of the encrypted files is still changing, then perhaps the malicious file is still in the system. Moreover, it is necessary to check and reset the HOSTS file. All known STOP-Djvu variants of the Promo subgroup modify it.

Most of the known STOP ransomware attacks occurred due to the use of broken or repackaged installers of well-known programs, ranging from MS Office to large application programs.

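An added example (mine, not code from the thread, from Emsisoft or from STOPDecrypter) tying together two points above: GT500's distinction between a published offline ID and an online ID, and the later remark that an ID that keeps changing suggests the malware is still active. It reads the personal ID out of `_readme.txt` notes, matches it against a set of known offline IDs (only the one quoted in this thread; the rest would come from the decryptor's published list), and flags a machine whose notes carry more than one ID. The note text is constructed, and the "Your personal ID:" layout is an assumption about the note format.

```python
import re

# Known offline IDs: the one quoted in this thread. Add others from the
# decryptor's published list; any further entries here would be placeholders.
KNOWN_OFFLINE_IDS = {"upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1"}

# Constructed sample notes keyed by where they were found (not real captures).
SAMPLE_NOTES = {
    r"C:\Users\victim\Documents\_readme.txt": (
        "ATTENTION!\nDon't worry, you can return all your files!\n"
        "Your personal ID:\nupOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1\n"
    ),
    r"C:\Users\victim\Pictures\_readme.txt": (
        "ATTENTION!\nYour personal ID:\n"
        "0123456789abcdefghijklmnopqrstuvwxyzAB\n"  # constructed, unknown ID
    ),
}

# Assumed note layout: the ID follows a "Your personal ID:" label.
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]{30,50})", re.I)

def extract_id(note_text):
    """Return the personal ID from one note, or None if it is not present."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None

def classify(personal_id, offline_ids=KNOWN_OFFLINE_IDS):
    """'offline' when the ID is a published offline ID (the released tool can
    decrypt it); otherwise 'online/unknown', which per the thread usually means
    a victim-specific key that should be archived for later rather than brute
    forced."""
    return "offline" if personal_id in offline_ids else "online/unknown"

def triage(notes, offline_ids=KNOWN_OFFLINE_IDS):
    """Map each note path to (id, verdict) and report whether more than one
    distinct ID is present, a sign the malware may still be running or that
    several infections overlapped."""
    report = {}
    for path, text in notes.items():
        pid = extract_id(text)
        report[path] = (pid, classify(pid, offline_ids) if pid else "no id")
    ids = {pid for pid, _ in report.values() if pid}
    return report, len(ids) > 1
```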

It's simple, but I am not a support representative.
According to the rules of any forum, only support representatives should do this.

The forum's support service representatives will advise you on how to check the PC for the presence of an active infection.



The full list of addresses is in my article about STOP Ransomware under the spoiler "Update of March 1, 2019".
But the list may change.
You can check for a modified HOSTS file by trying to open these sites.
www.emsisoft.com - this one you have already opened, if you are still here.

If all these sites open in your browser, then the HOSTS file has not been modified.


This image is only part of an extensive list. At the beginning of March there were 502 addresses, counting repetitions with and without www. I checked the file from yesterday's variants with the extension .proden. This HOSTS file has not changed.
But there are already new variants. I have not received any samples yet. This infection is very active. The extortionists act brazenly and are not afraid of anything.

Perhaps now something else will be added.

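An added example (mine, not code from the thread or from Emsisoft) of the HOSTS check described above, done by reading the file instead of opening sites by hand: it lists entries that pin a security-vendor domain to any address, lists entries that send a name to a routable address, and produces a cleaned copy. The HOSTS content is constructed; the watch list is an assumption holding only the domain named in the post plus a placeholder, not the article's full list.

```python
import ipaddress
import re

# Assumed watch list: lookups for these must never be overridden in HOSTS.
# www.emsisoft.com is named in the post; av-vendor.example is a placeholder.
WATCH_DOMAINS = {"emsisoft.com", "www.emsisoft.com", "av-vendor.example"}

# Constructed sample of a tampered HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.emsisoft.com   # sinkholed: the site will not load
0.0.0.0 emsisoft.com
127.0.0.1 av-vendor.example
192.0.2.10 intranet.example  # remote redirect, not loopback
"""

def _names(raw):
    """Host names on one HOSTS line, comment stripped, lower-cased."""
    fields = re.split(r"\s+", raw.split("#", 1)[0].strip())
    return [n.lower() for n in fields[1:] if n]

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip = re.split(r"\s+", line)[0]
        for name in _names(raw):
            yield ip, name

def suspicious_entries(text, watch=WATCH_DOMAINS):
    """Watched domains pinned to any address (loopback, 0.0.0.0 or remote):
    either way the browser can no longer reach the real site."""
    return [(ip, n) for ip, n in parse_hosts(text)
            if n in watch or any(n.endswith("." + w) for w in watch)]

def remote_redirects(text):
    """Entries pointing a name at a routable address (not loopback/0.0.0.0)."""
    out = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, not an address
        if not (addr.is_loopback or addr.is_unspecified):
            out.append((ip, name))
    return out

def reset_hosts(text, watch=WATCH_DOMAINS):
    """Return HOSTS text with every line naming a watched domain removed."""
    flagged = {n for _, n in suspicious_entries(text, watch)}
    kept = [raw for raw in text.splitlines() if not set(_names(raw)) & flagged]
    return "\n".join(kept) + "\n"
```

On a real machine, read `%SystemRoot%\System32\drivers\etc\hosts` into `text`; writing the cleaned copy back needs an elevated prompt.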

This STOP Ransomware has a special file, delself.bat, for self-deletion after encryption, but there may be several active pieces of malware on the PC, including different versions and different types. We observed a case in which three different crypto-ransomware families worked simultaneously. The victim, without thinking about the situation, simply launched various cracked programs, and they encrypted the files in real time, each according to its own scheme.

As a result, all files were encrypted several times and had different extensions with repetitions.

Is it necessary to say that deciphering such a "crypto porridge" is unrealistic?


In regards to the possibility of the ransomware still being active on the system, please follow the instructions at this link for posting in our Help, my PC is infected! section, and one of our malware removal specialists will assist you with making sure that your computer is clean.

They will be able to help you with any bad HOSTS file entries as well.

  • 6 months later...

We have a new decryption service for STOP/Djvu available. There's more information and instructions on how to use it at the following links:
