All the files in HDD extensions changed to .kvag

[ctytom]

1 hour ago, Maurice Naggar said:

Thank you for relaying that.

Sorry, there is not a solution.

Can you at least attach the physical note file itself ?   I can then take that and upload myself to ID-Ransomware.

.

Ransomwares delete themselves after doing their deed.   Malwarebytes has no decrypter for any encrypted file.

Ransomwares also disable System Restore and delete all system restore points.

They also delete volume shadow copies typically.

 

You may try what follows on some of your files with the .kvag   extension  to see if Windows "may" have a old copy.

  Pick one file.  you can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up

see if yours shows a line entry with some old date prior to date of infection.

the files has no previous versions. Since this method not working for me >.<

[JulienJohnson]

I'm going to be honest with you about the .kvag file. I had to hurry to finish a work on a video game, I needed the winrar software very quickly, I went to the site www.piratbay3.org to download this software, I downloaded it about 15 hours ago I took the most recent upload that was not checked on this site, at this time and later deleted. . the nickname I remember it's sonicdude. I also saw that it has the address .ch comes from Swiss and other similarity (kvag) I found that .... (Law on the supervision of health insurance, KVAG)
The Federal Assembly of the Swiss Confederation ... https: //www.admin.ch/opc/de/classified-compilation/20110252/index.html .... in short I hope he will pay a day for this he has done because my company has lost a steam contract for hundreds of thousands of francs ... it will not stay there ....

_readme.txt

[exile360]

I'm sorry that you were impacted by this horrible ransomware threat.  That is most unfortunate.  In the future I would strongly advise going to the actual source/vendor for any software you download if possible; in this case the source being www.rarlab.com; they always have the latest build of WinRAR hosted directly on their site along with any available beta builds.

I hope that you all are somehow able to recover all of your lost/encrypted data.

[Maurice Naggar]

Good morning. 

@ctytom    I will post soon one or two other ways to try to recover your files.  There is no decrypter;  but you can try them.

I should have mentioned, recent backups of the system  ( if you had that ) would be the best way to recover files.

 

@JulienJohnson 

Thank you for the detail  and honesty.  I want to urge everyone to never go to www (dot) piratbay  or any similar site.

Just the name is a clue of a pirate site.  Pirated software is often bundled with some sort of malware.   Here apparently bundled with the worst - - - a ransomware.

A very new one for which there is no current decrypter.

 

@ Everyone  who has this situation   ( encrypted files with a .KVAG extension )

Look on the Desktop, Documents folder,  Downloads folder for files with extension .KVAG

What I would urge you to do is upload a copy of 1 or 2 of the  files named with .kvag  up tp ID-Ransomware site  for analysis, which can be most helpful to all of you.

You need to see what it reports  and also importantly if it can determine whether the ransomware used a OFFLINE key.

https://id-ransomware.malwarehunterteam.com/

 

[Maurice Naggar]

I am listing below 3 possible ways to try to see if your files can be recovered.  These are things you can try.  But first, I need to re-emphasize some things.

This is a very new ransomware variant.  There is no known current decrypter tool.

Ransomwares delete themselves after doing their deed.   Malwarebytes has no decrypter for any encrypted file.

Ransomwares also disable System Restore and delete all system restore points.

They also delete volume shadow copies typically.

 

Restoring from backups is the best way to recover files.  Backup is your best friend.

If you have made backups from before the infection, use backup to do restores.

If you have no prior backups, see one of the other ways below.

 

You may try what follows on some of your files with the .kvag   extension  to see if Windows "may" have a old copy.   Note none of these can “fix” the encrypted files.

 

Remember that each new file you create or save on your machine may well over-write the space used by a old deleted file.

[ 1 ]

Pick one file that has the .kvag.  You can right-click on the file, go into Properties, and select the Previous Versions tab. This tab will list all copies of the file that have been stored in a Shadow Volume Copy and the date they were backed up

see if yours shows a line entry with some old date prior to date of infection.

To restore a particular version of the file, simply click on the Copy button and then select the directory you wish to restore the file to.

See if that works for you.   If it works on one file, then try another.

If not, see # 2 & # 3 below;   as well as the summary notes at bottom.

 

[ 2 ]

Try using a program named Shadow Explorer.

Shadow Explorer allows you to browse the Shadow Copies created by the Windows Vista / 7 / 8 / 10 Volume Shadow Copy Service.

See the about page   https://www.shadowexplorer.com/

Download page   https://www.shadowexplorer.com/downloads.html

Here is one how – to  guide ( article ) on Shadow Explorer

https://www.linglom.com/it-support/recover-deleted-files-on-windows-with-shadow-explorer/

 

[ 3 ]

It may be possible to use a file recovery tool like Recuva to recover some files. There is no guarantee it will work.  But worth trying.

Recuva can help in finding older deleted copies of your files.  Note, it cannot “fix” encrypted files.

https://www.ccleaner.com/docs/recuva/using-recuva

 

This link is to a generic  video guide on Youtube   

https://youtu.be/V7SwEgIN1TM

 

This link is a generic written guide  

https://www.howtogeek.com/howto/2216/restore-accidentally-deleted-files-with-recuva/

 

 

Other general comments:

You will eventually want to re-enable the System Restore service on Windows.  As well as the

Volume Shadow Copy service.

 

This is a brand new variant of ransomware.  It appears to be a new one of the STOP ransomware.

Keep the .KVAG files as they are.  It is possible that in the future a decrypter may be made available.

 

If you are not currently a member of BleepingComputer forum, Join it so you can then  be updated of news about this ransomware.

To join  ( it’s free)  see   https://www.bleepingcomputer.com/forums/

 

Go to this Thread  and Follow it   ( that way you get notices)

https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-stop-puma-djvu-promo-drume-help-support-topic/

 

Lastly:

Please never go to dodgy sites to get apps, games, tools, or other downloads.

Pirate sites often have malware.   Free or nearly free or very low price copies of “stuff” can be bundled with malware.  Check the reputation of the site before downloading.

 

Backup is your best friend always.  Make regular offline backups of your system to offline media.

 

Malwarebytes for Windows Premium has multiple protections.  That includes ransomware protection.

If your pc had had it installed before   ( prior to this incident) ,  it would have stopped this ransomware.

 

As noted previously, Ransomwares delete themselves after doing their deed.

You may run a scan with Malwarebytes for Windows to check your machine.

You should also scan your machine with a antivirus, like Windows Defender on Windows 10 or 8.1

Edited September 15, 2019 by Maurice Naggar

[ctytom]

thx Maurice and bros,

it seems to be waiting for the offline key.

i ve tried the above method and still cannot recover the files。

[Maurice Naggar]

I regret that you have not had luck with ( apparently ) Shadow Explorer , or Recuva.

It may be the case that this ransomware does not delete files as part of the process used to encrypt user files.  Those 2 apps look for files on disk that were deleted.

Alas, as noted before, there is no known current decrypter for this new-variant ( kvag ) ransomware.   There may be one in the future.  So you want to keep and hold on to the .kvag files.

Stopdecrypter cannot decrypt these files.  Further, development of Stopdecrypter has been halted by the author.

 

For future security, Making regular backups of your system to offline media is a must have.  Backup is your best friend.

You should, as much as possible, have 2 or 3 backups of your system.  

First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".  It is especially critical to never get apps or games or any thing from 'dodgy' sites.  Or those whose reputation you have not checked out.

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

 

[JulienJohnson]

I finally found the file that infect the file in kvag .... warning by opening it. malewarebytes !!!!!!!!

tell me when you have the file after I delete the upload thank you ...

 

 

Edited September 19, 2019 by AdvancedSetup
Remvoed link and corrected font issues

[Maurice Naggar]

Tell me,  What is the name of that file ?   How did it get there ?

[Maurice Naggar]

I got a zip file named setup.zip

 

[JulienJohnson]

the file I just downloaded it on piratbay, it is the same that infected me, it is basically under the name of final winrar x86 x64, it is me who uploaded it on google!

 

Edited September 19, 2019 by AdvancedSetup
Remvoed link and corrected font issues

[JulienJohnson]

just tell me when you have the zip file because I do not want to have any problem, I would like to delete the link, I hope that it will help you for your research on .kvag files

[Maurice Naggar]

ok.  Thanks.  Please everyone,  do yourself a big favor.  Never go to piratbay  or any other pirate website or any that are suspected to have software that claim to be from other parties.

I do believe one of my colleagues had already advised you where to get the legitimate ( official) winrar

 

The setup zip has been submitted up to Virustoal for analysis

https://www.virustotal.com/gui/file/2af0a8befa92057b9d0499a88fe1ba377c016806cd9da5a346150985f62b1183/detection

 

There, the Malwarebytes scanner has identified it as a trojan.    Trojan.IStartSurf

Thanks for the file.   Please go ahead and delete it off your Google drive.

 

Is there something you need at this point ?

 

[JulienJohnson]

 

not just two years destroyed to make a video game, if it can help other people to recover their files it's essential ... good luck for your research 😉 ... it's the good file I'm sure who transform everything into a kvag file. I delete the link. 

[Maurice Naggar]

Thanks for the file.   Setup.exe also submitted up to Visrutotal

https://www.virustotal.com/gui/file/5b87619aa8ce795b0c9eb86b321239028ae3adabcf78959bd008fbdf79f1d644/detection

 

Also, the Malwarebytes for Windows program detects this file, when you run a context menu scan with Malwarebytes.

identified it as a trojan.    Trojan.IStartSurf

 

This reminds me to mention this other advice.

Whatever you download, do not run the setup directly from the web browser.  Just save the file first to disc.

Only then, go to where you saved it, right-click the file & choose "Scan with Malwarebytes"

and

do the same type action to scan it with the resident antivirus app.

All that before doing any "setup".

[AdvancedSetup]

Even Google Drive warns you it is a deceptive file and not to download it. How many applications need to warn a user before they stop and delete it.

 

[Maurice Naggar]

p.s.   see the IstartSurf trojan information on the Malwarebytes blog

https://blog.malwarebytes.com/detections/trojan-istartsurf/

[AdvancedSetup]

Okay, this topic is going way off topic. This is not a General PC support issue.

I'm going to close this topic. If you have this infection please open a NEW topic in the Malware Removal forum and someone will assist you with one-on-one support.

https://forums.malwarebytes.com/forum/7-windows-malware-removal-help-support/

Thank you