
All the files in HDD extensions changed to .kvag


ctytom


Hi everyone,

I found that the HDD has been infected by a virus or spyware or something like that. All the files on the storage data disk have been changed by adding the extension ".kvag", e.g. the original file is "testing.xls", now changed to "testing.xls.kvag". However, the files still cannot be opened by deleting the .kvag extension. The files are important! How can I recover the files?

Thanks brothers!


1 hour ago, ctytom said:

Hi everyone,

I found that the HDD has been infected by a virus or spyware or something like that. All the files on the storage data disk have been changed by adding the extension ".kvag", e.g. the original file is "testing.xls", now changed to "testing.xls.kvag". However, the files still cannot be opened by deleting the .kvag extension. The files are important! How can I recover the files?

Thanks brothers!

I tried to convert some files earlier from .kvag to its original file extension and it works. Unfortunately, it's not a permanent solution since there are tons of files to be fixed.


Greetings,

For anyone having this or any other malware related issue, please read and follow the instructions in this topic and then create a new topic in our malware removal area by clicking here and one of our malware removal specialists will assist you as soon as one becomes available.  I do not know if there will be any way to retrieve your files, however they should at least be able to eliminate the ransomware that encrypted them along with any other malware that may be part of the infection.

Good luck, and I hope that you are all able to somehow get your files back, however either way please consider keeping regular backups of your data in the future on a separate/external drive that you do not leave connected to your system (otherwise it does you no good as it would then be compromised/infected just as easily as the files on the drive in your system) if you are not doing so already.

Edited by exile360

To all posters here whose machines have files with extension .KVAG

Malwarebytes has no decrypter for any files that are encrypted.

I cannot find external references about the ".KVAG".

However, if your system has files with .kvag extension, you can upload one or two of your files for analysis only, so that you can perhaps get some information.

There is a community site you can use for that purpose. At least see what the site reports (after the upload).

https://id-ransomware.malwarehunterteam.com/


Thank you for posting that. I can understand that that would work for OneDrive and where OneDrive has older saved copies of the files.

Do you have encrypted files on your C drive?

Can you locate one of the "ransom" note files on the Desktop or in the Documents folder, and then upload one to ID-Ransomware?

https://id-ransomware.malwarehunterteam.com/

That would be a help to the community.

Then post a copy of the result back here. That would be much appreciated.

Notes: Ransomwares delete themselves after doing their deed. They usually also disable the Windows System Restore and typically also delete all volume shadow copies.

You will want to turn System Restore back ON.


Edited by Maurice Naggar

Hello my friend, I currently don't have the encrypted files anymore, but before I was able to restore my files I tried that website, uploaded one of the files but it just returned an error. There's nothing about .kvag on the internet except a couple of forum threads. I think that soon a solution will roll out! I'm so relieved now, I hope you guys will soon be relieved too.


This .kvag issue seems to be a new ransomware variant that only just first appeared today.

I am hoping to get, from one or more posters on this thread, a copy of a ransom note from their system.

Have you looked closely on your C drive for some TXT file notes created September 14?

Can you look in your Desktop, Documents and Downloads folders please?


4 minutes ago, Maurice Naggar said:

This .kvag issue seems to be a new ransomware variant that only just first appeared today.

I am hoping to get, from one or more posters on this thread, a copy of a ransom note from their system.

Have you looked closely on your C drive for some TXT file notes created September 14?

Can you look in your Desktop, Documents and Downloads folders please?

I'll look, and post if I find something! Good luck in the meantime 👍


Here's the ransom note.

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-JbqssVgS78
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
gorentos@bitmessage.ch

Reserve e-mail address to contact us:
gerentoshelp@firemail.cc

Anyone got a solution?


Thank you for relaying that.

Sorry, there is not a solution.

Can you at least attach the physical note file itself? I can then take that and upload it myself to ID-Ransomware.

Ransomwares delete themselves after doing their deed. Malwarebytes has no decrypter for any encrypted file.

Ransomwares also disable System Restore and delete all system restore points.

They also delete volume shadow copies typically.

You may try what follows on some of your files with the .kvag extension to see if Windows "may" have an old copy.

Pick one file. You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up.

See if yours shows a line entry with some old date prior to the date of infection.
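
A way to gather what the posts above ask for (the files renamed to .kvag and any ransom note text files under Desktop, Documents and Downloads), as an added example that is not part of any poster's message. The marker phrases are taken from the ransom note quoted in this thread; the file name note.txt and the sample tree built in demo() are constructed.

```python
import os
import tempfile
from datetime import datetime
from pathlib import Path

ENCRYPTED_EXT = ".kvag"
# Phrases copied from the ransom note quoted in this thread.
NOTE_MARKERS = ("attention!", "decrypt tool", "unique key")


def triage(roots):
    """Return (encrypted_files, candidate_notes) found under the given folders."""
    encrypted, notes = [], []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if name.lower().endswith(ENCRYPTED_EXT):
                    encrypted.append(path)
                elif name.lower().endswith(".txt"):
                    try:
                        with open(path, "r", errors="ignore") as fh:
                            head = fh.read(4096).lower()  # notes are short
                        mtime = datetime.fromtimestamp(path.stat().st_mtime)
                    except OSError:
                        continue  # locked or unreadable file
                    # Require two markers so ordinary text files are not flagged.
                    if sum(m in head for m in NOTE_MARKERS) >= 2:
                        notes.append((path, mtime))
    return encrypted, notes


def demo():
    """Run triage over a constructed sample tree (not real victim data)."""
    with tempfile.TemporaryDirectory() as base:
        docs = Path(base) / "Documents"
        docs.mkdir()
        (docs / "testing.xls.kvag").write_bytes(b"\x00" * 64)
        (docs / "photo.jpg.KVAG").write_bytes(b"\x00" * 16)
        (docs / "note.txt").write_text(  # hypothetical note file name
            "ATTENTION!\nThe only method of recovering files is to purchase "
            "decrypt tool and unique key for you.\n")
        (docs / "todo.txt").write_text("ATTENTION! buy milk\n")
        enc, notes = triage([docs])
        return sorted(p.name for p in enc), [p.name for p, _ in notes]


if __name__ == "__main__":
    home = Path.home()
    enc, notes = triage([home / "Desktop", home / "Documents", home / "Downloads"])
    print(f"{len(enc)} files ending in {ENCRYPTED_EXT}")
    for path, mtime in notes:
        print(f"candidate note: {path} (modified {mtime:%Y-%m-%d %H:%M})")
```

The script only reads and lists files; it changes nothing on disk.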


Thank you for that file. From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of STOP family ransomware.

Hopefully you can see the ID ransomware direct feedback here https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c

Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter (more information at Bleepingcomputer).

The criminals have made changes to the malware in newer versions that make decryption near impossible at this time.

My suggestion is to make a post at Bleepingcomputer forum where they have special experts.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/


I have the same ransomware. I have been researching on the web, and apparently this ransomware is one of the versions for which it is currently impossible to decrypt the encrypted files. It's a shame that this time the hackers win... If you did not have a backup of the files, all that is left is to keep the encrypted files and pray that at some point in the future a solution can be found.


40 minutes ago, Maurice Naggar said:

Thank you for that file. From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of STOP family ransomware.

Hopefully you can see the ID ransomware direct feedback here https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c

Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter (more information at Bleepingcomputer).

The criminals have made changes to the malware in newer versions that make decryption near impossible at this time.

My suggestion is to make a post at Bleepingcomputer forum where they have special experts.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

It is the same case when I upload one file for checking.


Hello. I regret to read that you too have this new ransomware infection. No, there is not a fix for this.

Please read all of my notes up higher on this thread.

What I would urge you to do is upload a copy of 1 or 2 of your files named with .kvag up to the ID-Ransomware site.

You need to see what it reports and also, importantly, if it can determine whether the ransomware used an OFFLINE key.

https://id-ransomware.malwarehunterteam.com/

This is a very new variant of ransomware. There is no current known decrypter for this variant.

The criminals have made changes to the malware in newer versions that make decryption near impossible at this time.

This topic is now closed to further replies.