Cyber security professionals discovered a new ransomware virus. It is called ‘Kuub ransomware‘ and used malware to infect Windows PCs. It encrypts files, adding the kuub file extension to the names of all encrypted files, on all attached data storage a short time after the PC has been infected.
The Kuub file virus is developed to lock files on the computer. It belongs to the list of ransomware. Such as other ransomware, it is able to encrypt files like drawings, photos, web application-related files, movies, documents, databases and archives, and other files that are important to the victim and stop the operation of which is unacceptable to him. The user will not be able to use them even if he tries to do it through various applications. Kuub ransomware virus locks up almost of files, including common as:
.bkp, .wbd, .rar, .wpb, .xyw, .wma, .wbc, .wpw, .p12, .txt, .gho, .bc6, .pak, .erf, .3ds, .syncdb, .bik, .0, .mddata, .3dm, .sb, .xlsx, .wsh, .css, .wpt, .cr2, .psk, .xf, .xld, .indd, .big, .vfs0, .t13, .epk, .cdr, .mdbackup, .odm, .sid, .lbf, .xlsx, .wsc, .orf, .eps, .wmo, .xar, .wp6, .crt, .xml, .cas, .pptm, .sidd, .dazip, .jpeg, .png, .sis, .zabw, .sav, .avi, .icxs, .py, .layout, .3fr, .xxx, .z3d, .dng, .wpg, .wcf, .qdf, .pkpass, .mef, .sr2, .lvl, .nrw, .wdb, .yml, .vpp_pc, .dwg, .docm, .ibank, .ncf, .upk, .yal, .xlk, .forge, .bc7, .wb2, .xmind, .m2, .rgss3a, .mlx, .mrwref, .ltx, .pst, .psd, .wma, .itl, .w3x, .wp, .ztmp, .hkdb, .desc, .wpd, .wps, .lrf, .fsh, .fpk, .m3u, .iwi, .das, .sie, .pptx, .asset, .srw, .svg, .hplg, .wbm, .xls, .bsa, .slm, .bay, .mp4, .wm, .webdoc, .cer, .ysp, .odb, .mcmeta, .pdf, .xwp, .xmmap, .xx, .wbk, .rw2, wallet, .xbdoc, .xls, .z, .ptx, .pef, .ybk, .dmp, .csv, .rwl, .ai, .mdb, .tor, .menu, .pfx, .sum, .blob, .pdd, .ws, .jpe, .js, .wmd, .vtf, .x3f, .zw, .kdc, .bkf, .m4a, .wire, .ntl, .xy3, .wri, .ff, .rtf, .wbmp, .1, .webp, .ppt, .xdl, .wot, .raf, .hvpl, .zdc, .wav, .y, .arw, .wmv, .pem, .wsd, .vdf, .snx, .crw, .zip, .xlsm, .xlgc, .re4, .zdb, .accdb, .wpl, .zip, .x3d, .vpk, .sql, .sidn, .mpqge, .rim, .doc, .2bp, .litemod, .map, .odc, .odp, .wpe, .xpm, .wps, .gdb, .rofl, .bar, .tax, .qic, .wpd, .esm
Kuub virus, getting into the user’s PC system, blocks various files such as video materials, tables, archives, documents and photos and other important data. All these files after the attack by this ransomware become encrypted and the user can not open them, as a result of infection, they get the Kuub extension (e.g., ‘document.doc is renamed to ‘document.doc.kuub’), and the victim understands that the only way to decrypt them and make them work again is to pay cyber frauds a ransom. Sometimes fraudsters reduce the size of the requested amount, but in this case, the user must transfer the money to the fraudsters within 48 or 72 hours to obtain a code which will allow decrypt files affected by the Kuub virus using strong encryption.
ATTENTION! Don't worry, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-JeLOm18e5g Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.
Threat Summary
| Name | Kuub |
| Type | Crypto virus, Crypto malware, Ransomware, File locker, Filecoder |
| Encrypted files extension | kuub |
| Ransom note | _readme.txt |
| Contact | gorentos@bitmessage.ch |
| Ransom amount | $980 in Bitcoins |
| Symptoms | Unable to open photos, documents and music. Your photos, documents and music have a wrong name, suffix or extension, or don’t look right when you open them. Files called such as ‘_readme.txt’, ‘READ-ME’, ‘_open me’, _DECRYPT YOUR FILES’ or ‘_Your files have been encrypted” in every folder with an encrypted file. |
| Distribution ways | Spam mails that contain malicious links. Exploit kits (cybercriminals use crypto virus packaged in an ‘exploit kit’ that can find a vulnerability in MS Windows operating system, Adobe Flash Player, Internet browser, PDF reader). Social media, such as web-based instant messaging applications. Cybercriminals use misleading ads to distribute malicious software with no user interaction required. |
| Removal | To remove Kuub ransomware use the removal guide |
| Decryption | To decrypt Kuub ransomware use the steps |
This article is designed for those who are looking for a way to completely uninstall Kuub virus from the computer, and for those who want to learn as much as possible about how decrypt encrypted files. We hope you will find answers to all your questions in this article.
Quick links
How to remove Kuub crypto virus
Manual removal does not always help to completely uninstall the Kuub ransomware, as it is not easy to identify and delete components of crypto malware and all malicious files from hard disk. Therefore, it is recommended that you run malware removal utility to completely delete Kuub ransomware virus off your system. Several free malware removal utilities are currently available that may be used against the crypto virus. The optimum way would be to use Zemana Anti-malware, Malwarebytes Free and Kaspersky Virus Removal Tool.
Use Zemana Anti Malware to delete Kuub virus
Zemana is a complete package of anti-malware utilities that can help you delete Kuub ransomware virus. Despite so many features, it does not reduce the performance of your PC system. Zemana can be used to remove almost all the types of ransomware including ransomware virus, trojans, worms, adware software, hijacker infections, potentially unwanted apps and other malware. Zemana Free has real-time protection that can defeat most malicious software and crypto virus. You can run Zemana Anti-Malware (ZAM) with any other antivirus software without any conflicts.
- Download Zemana Anti-Malware by clicking on the link below. Save it on your Microsoft Windows desktop or in any other place.
Zemana Anti Malware download - When downloading is complete, close all windows on your PC system. Further, launch the install file named Zemana.AntiMalware.Setup.
- It will display the “Setup wizard” which will help you install Zemana Free on the PC system. Follow the prompts and do not make any changes to default settings.
- Once installation is done successfully, Zemana Anti Malware (ZAM) will automatically start and you can see its main window.
- Next, click the “Scan” button to start scanning your personal computer for the Kuub crypto malware, other kinds of potential threats like malicious software and trojans. A system scan can take anywhere from 5 to 30 minutes, depending on your personal computer. During the scan Zemana Anti Malware (ZAM) will scan for threats present on your personal computer.
- Once Zemana Free has completed scanning your personal computer, you’ll be displayed the list of all detected threats on your PC. Review the report and then press “Next” button.
Run MalwareBytes Anti-Malware to remove Kuub ransomware virus
We suggest using the MalwareBytes. You can download and install MalwareBytes AntiMalware (MBAM) to look for and delete Kuub ransomware virus from your PC system. When installed and updated, this free malicious software remover automatically searches for and deletes all threats present on the PC.
- Click the following link to download the latest version of MalwareBytes for Microsoft Windows. Save it on your Desktop.
Malwarebytes Anti-Malware - When downloading is done, close all windows on your system. Further, start the file named mb3-setup. If the “User Account Control” dialog box pops up like below, click the “Yes” button.
- It will show the “Setup wizard” that will help you install MalwareBytes on the computer. Follow the prompts and do not make any changes to default settings.
- Once install is done successfully, click Finish button. Then MalwareBytes will automatically start and you can see its main screen.
- Next, click the “Scan Now” button . MalwareBytes utility will begin scanning the whole machine to find out Kuub crypto virus and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your personal computer and the speed of your computer. When a malware, adware software or potentially unwanted software are detected, the number of the security threats will change accordingly. Wait until the the scanning is complete.
- Once MalwareBytes has finished scanning, the results are displayed in the scan report. Review the results and click “Quarantine Selected” button.
Scan your system and remove Kuub with KVRT
KVRT is a free portable program that scans your computer for adware software, PUPs and ransomware viruss such as Kuub and allows delete them easily. Moreover, it will also help you uninstall any malicious browser extensions and add-ons.
- Download Kaspersky virus removal tool (KVRT) by clicking on the following link. Save it on your Desktop.
Kaspersky virus removal tool - After the download is finished, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is complete, you’ll see the KVRT screen.
- Next press Start scan button . Kaspersky virus removal tool utility will begin scanning the whole personal computer to find out Kuub crypto virus and other known infections. A system scan may take anywhere from 5 to 30 minutes, depending on your machine. While the KVRT program is scanning, you can see how many objects it has identified as threat.
- Once KVRT completes the scan, Kaspersky virus removal tool will display a list of detected items.
- When you’re ready, press on Continue to start a cleaning process.
How to decrypt kuub files
To decrypt kuub files, we recommend that you use the free decryptor created by Emsisoft. This decryptor will allow decrypting files that were encrypted with different versions of Stop (djvu) ransomware, including ‘Kuub’ variant.
Emsisoft decryptor for stop djvu
How to use Stop (djvu) decryptor to decrypt kuub files
- Visit the page linked below to download Mosk decryptor
STOP Djvu decryptor - Scroll down to ‘New Djvu ransomware’ section.
- Download the ‘decrypt_STOPDjvu.exe’ file to your desktop.
- Run decrypt_STOPDjvu.exe
- Select the directory or drive where the encrypted files are located.
- Click the Decrypt button.
Unfortunately, it does not always help to decrypt files. If Stop (djvu) decryptor skips files without decrypting them, then we advise you to use alternative methods, which are listed below.
How to restore kuub files
Fortunately, there is little opportunity to restore personal files which have been encrypted by the Kuub ransomware. Data recovery tools can help you! Many victims of various ransomware infections, using the steps described below, were able to recover their files. In our tutorial, we suggest using only free and tested software named PhotoRec and ShadowExplorer. The only thing we still want to tell you before you try to restore encrypted kuub files is to check your machine for active malicious software. In our post we gave examples of which malware removal applications can find and uninstall the Kuub ransomware.
Recover kuub files with ShadowExplorer
If automated backup (System Restore) is enabled, then you can use it to recover all encrypted files to previous versions.
Download the program using the link that you can find below. We recommend that you save the downloaded file to your desktop, so you can easily find it after the download is complete.
When the program download is complete, you will see a file called ShadowExplorer-0.9-portable.zip. The utility is in the archive, so you need to unzip the archive before starting the program. Right-click on this file and select the option called Extract All. Now open folder ShadowExplorerPortable.
In the list of files, find the ShadowExplorerPortable program and run it.
The main program window will open before you, as in the following example. The main window is divided into two parts – left and right. In the left part of the window, select the drive on which the encrypted files are located and select the date closest to the moment when the virus attacks your computer, encrypts the files and has changed the file extension to ‘kuub’. In the right part of the window, select the file you want to restore, then right-click on it.
A small pop-up menu will open before you, select Export in it. In the next window, select the directory where the recovered files will be saved.
What else do I want to say about the process of recovering encrypted files using the ShadowExplorer tool. Unfortunately, very often ransomware disable the Windows Previous Versions function and delete all saved copies of files. Therefore, after starting the ShadowExplorer, you may find that it is impossible to recover files. In this case, use another method of recovering encrypted kuub files, which is given below.
Recover kuub files with PhotoRec
Before a file is encrypted, the Kuub crypto virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore applications like PhotoRec.
Use the link below to download PhotoRec.
When the file is downloaded, in the folder where you saved it you will see a file with the name ‘testdisk-7.0.win_.zip’. This file is the archive that contains the PhotoRec. To use the PhotoRec, this archive must be unzipped. Right-click on the file and select the item called Extract All. Open the folder with the name testdisk-7.0, you will see a list of files similar to the one below.
In the contents of the directory that opens, find the file with the name QPhotoRec_Win and run it. You will be shown a window similar to the one in the following figure. This is the main PhotoRec window.
Here you need to select the physical disk and the disk partition (disk name) where the encrypted kuub files are located. Note that in section ‘File System Type’, option ‘FAT/NTFS’ must be selected. Now select the folder where the recovered files will be written. We recommend using a partition or drive that does not contain encrypted files. It is better to use external media. It is very important! Since the PhotoRec restores files that were deleted by the Windows OS, if you restore them to the same drive on which you are trying to find them, a situation may occur when the Windows simply physically overwrites them and you can no longer recover such files.
Next, at the bottom of the window, click File Formats. A small window opens that lists the types of files that the PhotoRec can find and restore.
Leave only those file types that you need to recover selected. For example, if you want to restore images of ‘jpg’ format, then select the file type ‘jpg’. Having decided which files to recover, click OK button.
Having completed the steps listed above, you have made all the settings necessary to search and restore encrypted kuub files. It remains only to click on the Search button. The process of searching and restoring files can take a very long time, be sure not to turn off the computer or restart it. During this process, the program will show the current search location (disk sector), how many and which files were found and restored.
When the file recovery process is complete, click the Quit button. Then open the directory that you previously selected as the place where the recovered files will be written.
Here you will see one or more directories with the name recup_dir (recup_dir.1, recup_dir.2, …). Check these folder to find the files you need. The file name may not be restored, so to find what you need, use file sorting, as well as the standard Windows OS search by file contents.
I hope this information helped you remove Kuub ransomware virus and restore the encrypted files. If you have any questions or you have information that will help readers of this article, then please add your comment below.
