Jump to content
ctytom

All the files in HDD extensions changed to .kvag

Recommended Posts

Hi everyone,

I found that the hdd have been infected by virus or spyware something like that. All the files in storage data disk have been changed by adding the extension to ".kvag". e.g. the original file is "testing.xls", now changed to "testing.xls.kvag". However, the files still cannot be opened by deleting the .kvag extension. The files are important! How can I recover the files?

Thanks brothers !

Share this post


Link to post
Share on other sites

I have the same ransomware, my files are all .kvag.
Does anyone have any solutions?

Share this post


Link to post
Share on other sites
1 hour ago, ctytom said:

Hi everyone,

I found that the hdd have been infected by virus or spyware something like that. All the files in storage data disk have been changed by adding the extension to ".kvag". e.g. the original file is "testing.xls", now changed to "testing.xls.kvag". However, the files still cannot be opened by deleting the .kvag extension. The files are important! How can I recover the files?

Thanks brothers !

I tried to convert some files earlier from .kvag to it's original file extension and it works. Unfortunately, it's not a permanent solution since there are tons of files to be fix.

Share this post


Link to post
Share on other sites
7 minutes ago, Tech2019 said:

Eu tentei converter alguns arquivos anteriormente de .kvag para sua extensão de arquivo original e funciona. Infelizmente, não é uma solução permanente, pois há muitos arquivos a serem corrigidos.

I tried too... but it did not work.

Share this post


Link to post
Share on other sites

Greetings,

For anyone having this or any other malware related issue, please read and follow the instructions in this topic and then create a new topic in our malware removal area by clicking here and one of our malware removal specialists will assist you as soon as one becomes available.  I do not know if there will be any way to retrieve your files, however they should at least be able to eliminate the ransomware that encrypted them along with any other malware that may be part of the infection.

Good luck, and I hope that you are all able to somehow get your files back, however either way please consider keeping regular backups of your data in the future on a separate/external drive that you do not leave connected to your system (otherwise it does you no good as it would then be compromised/infected just as easily as the files on the drive in your system) if you are not doing so already.

Edited by exile360

Share this post


Link to post
Share on other sites

To all posters here whose machines have files with extension .KVAG

Malwarebytes has no decrypter for any files that are encrypted.

I cannot find external references about the ".KVAG"

 

However, if your system has files with .kvag extension, you can upload one or two of your files for analysis only, so that you can perhaps get some information.

There is a community site you can use for that purpose.  At least see what the site reports ( after the upload).

https://id-ransomware.malwarehunterteam.com/

Share this post


Link to post
Share on other sites

Thank you for posting that.  I can understand that that would work for Onedrive & where Onedrive has older saved copies of the files.

Do you have encrypted files on your C drive ?

Can you locate one of the "ransom" note files on the Desktop, or Documents folder   and then do a upload one to ID-Ransomware ?

https://id-ransomware.malwarehunterteam.com/

That would be a help to the community.

Then post back a copy of the result back here.  That would be much appreciated.

 

Notes:  Ransomwares delete themselves after doing their deed.  They usually also disable the Windows System Restore and typically also delete all volume shadow copies.

You will want to turn System Restore back ON.

 

 

Edited by Maurice Naggar

Share this post


Link to post
Share on other sites

Hello my friend, I currently don’t have the encrypted files anymore, but before I was able to restore my files I tried that website, uploaded one of the files but it just returned an error.. there’s nothing about .kvag on the internet except a couple forum threads .. I think that soon a solution will roll out!  I’m so relieved now, I hope you guys will soon be relieved too..

Share this post


Link to post
Share on other sites

This .kvag issue seems to be a new ransomware variant that only just first appeared today.

I am hoping to get from one or more posters here to this thread ...a copy of a ransom note from their system.

Have you looked closely on your C drive for some TXT  file notes created September 14 ?

Can you look on your Desktop,  Documents, Downloads folders please?

Share this post


Link to post
Share on other sites
4 minutes ago, Maurice Naggar said:

This .kvag issue seems to be a new ransomware variant that only just first appeared today.

I am hoping to get from one or more posters here to this thread ...a copy of a ransom note from their system.

Have you looked closely on your C drive for some TXT  file notes created September 14 ?

Can you look on your Desktop,  Documents, Downloads folders please?

I’ll look , and post if I found something ! Good luck in the meantime 👍

Share this post


Link to post
Share on other sites

Here's the ransom note.

ATTENTION!

Don't worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
https://we.tl/t-JbqssVgS78
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.


To get this software you need write on our e-mail:
gorentos@bitmessage.ch

Reserve e-mail address to contact us:
gerentoshelp@firemail.cc

Anyone got a solution?

Share this post


Link to post
Share on other sites

Thank you for relaying that.

Sorry, there is not a solution.

Can you at least attach the physical note file itself ?   I can then take that and upload myself to ID-Ransomware.

.

Ransomwares delete themselves after doing their deed.   Malwarebytes has no decrypter for any encrypted file.

Ransomwares also disable System Restore and delete all system restore points.

They also delete volume shadow copies typically.

 

You may try what follows on some of your files with the .kvag   extension  to see if Windows "may" have a old copy.

  Pick one file.  you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up

see if yours shows a line entry with some old date prior to date of infection.

Share this post


Link to post
Share on other sites

Thank you for that file.  From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of STOP family  ransomware.

Hopefully you can see  the ID ransomware direct feedback here  https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c

 

image.png.c67dc2da34940f0183cbad52cf5f0557.png

 

Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter   (more information at Bleepingcomputer )

The criminals have made changes to the malware in newer versions that makes decryption near impossible at this time.

My suggestion is to make a post at Bleepingcomputer forum where they have special experts.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

 

Share this post


Link to post
Share on other sites

Yo tengo el mismo ransomware, he estado investigando por la web, y aparentemente este ransomware es de las versiones, el cual es imposible por el momento para descifrar los archivos cifrados, una lástima que está vez ganen los hackers ... si no tenías una copia de seguridad de los archivos, sólo queda guardar los archivos cifrados y rogar que en el algún futuro puedan encontrar una solución

Share this post


Link to post
Share on other sites
40 minutes ago, Maurice Naggar said:

Thank you for that file.  From doing prior searches, it did seem that the bandits are using ransom notes previously seen on other variants of STOP family  ransomware.

Hopefully you can see  the ID ransomware direct feedback here  https://id-ransomware.malwarehunterteam.com/identify.php?case=4c582e187a64bec46c3a80df47455de476060f8c

 

image.png.c67dc2da34940f0183cbad52cf5f0557.png

 

Do keep in mind that this new variant of STOP ransomware may not be able to be decrypted by the current STOPdecrypter   (more information at Bleepingcomputer )

The criminals have made changes to the malware in newer versions that makes decryption near impossible at this time.

My suggestion is to make a post at Bleepingcomputer forum where they have special experts.

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

 

It is the same case when i upload one file for checking.

Share this post


Link to post
Share on other sites

Hello.   I regret to read that you too have this new ransomware infection.  No, there is not a fix for this.

Please read all of my notes up higher on this thread.

What I would urge you to do is upload a copy of 1 or 2 of your files named with .kvag  up tp ID-Ransomware site.

You need to see what it reports  and also importantly if it can determine whether the ransomware used a OFFLINE key.

https://id-ransomware.malwarehunterteam.com/

 

This is a very new variant of ransomware.  There is no current known decrypter for this variant.

The criminals have made changes to the malware in newer versions that makes decryption near impossible at this time.

Share this post


Link to post
Share on other sites
Guest
This topic is now closed to further replies.

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.