KOOM ransomware virus locks victim’s personal files such as images, videos, documents, archives and other data formats with sole aim to restrict user’s access to them and force to pay a ransom for their decryption. The way this virus functions is that once on the victim’s computer, it checks for Internet connection and if it is available, it connects to its Command&Control server to get a unique generated encryption key for the host machine. If the connection fails, the virus uses a hardcoded offline encryption key instead. During data encryption, the malware only affects the first 150 KB of each file to finish the attack process sooner. This is enough to make data inaccessible, although it also allows the victim to repair certain file formats with some data loss as explained in this guide. For example, a repaired audio file might miss some seconds of the recording in the beginning of it. Cyber criminals behind KOOM virus know that the victim needs to recover files as soon as possible because these are important to one as personal memories or are work or study related. Therefore, they present a solution in the _readme.txt note. According to the message left in it, the attackers expect the victim to pay a ransom to them to get the decryption key and software. They also offer a 50% discount from the initial decryption price (which is $980) if the victim writes to the given email addresses and settles an agreement within 3 days. In this case, the attackers promise to provide required tools for $490. In addition, the note suggests that the computer user can send one encrypted file to them via email so that the attackers could demonstrate the effectiveness of the tools and provide a decrypted version of it. This way, they simply try to encourage the victim to “trust” them and pay as soon as possible. However, according to cybersecurity experts worldwide and Geek’s Advice team, paying a ransom is NOT a recommended option. Here are some reasons why you shouldn’t do as cybercriminals command you to do:

Cybercriminals can disappear the minute you make the transaction to them. In other words, paying doesn’t mean that you will recover your files successfully.After receiving the ransom, the criminals might start demanding for more money from you.Don’t sponsor malware: paying them means giving them income that allows funding further operations. Each year, ransomware operators collect millions of US Dollars. This also attracts other people to join them and as a result, expand the malware reach.Paying the ransom might be illegal in the country you live in.

In addition, viruses from STOP/DJVU ransomware family often drop AZORULT Trojan, an information-stealer on infected systems. This threat can collect information that can be used to blackmail you further , steal your personal accounts or even cause financial loss. REPAIR VIRUS DAMAGE

Ransomware modus operandi explained

Victim’s typically download KOOM ransomware virus via infected software cracks or other illegal torrent downloads. The ransomware first launches a fake executable file called winupdate.exe which displays a deceptive Windows update prompt on the screen. It has a process bar on it and pretends that some essential operating system updates are being installed. The purpose of it is to deceive the victim and make one ignore the unexpected system slowdown. However, at the same time, the ransomware executable named build.exe starts its operation. It identifies victim’s computer’s geolocation because such viruses are often programmed to cease the operation if the geolocation matches countries from the exception list. The process also captures various computer-related details, such as admin’s name, installed software list, browsing history and similar. As mentioned earlier, the virus first decides whether to use online or offline encryption key and victim’s ID (the latter usually ends in t1). The virus saves the encryption key used and victim’s personal ID to C:\Users\admin\AppData\Local\bowsakkdestx.txt and also saves the ID to C:\SystemID\PersonalID.txt. Then the malware begins scanning the system and encrypting files, plus dropping ransom notes in every directory. Once files are locked, the ransomware deletes Volume Shadow Copies from the computer by running a Command Line task: vssadmin.exe Delete Shadows /All /Quiet Deleting VSS prevents the victim from restoring files using System Restore points (if any were created prior to the attack). In some cases, the ransomware also modifies Windows HOSTS file by adding a list of various computer-related self-help websites, public forums and tech news sites and mapping them to localhost IP. This causes DNS_PROBE_FINISHED_NXDOMAIN error to appear for the user when trying to access them. In other words, the virus attempts to block websites that could provide valuable information for a victim of ransomware attack. Finally, some STOP/DJVU variants silently drops AZORULT Trojan on the system. This threat is capable of collecting sensitive data from the victim’s computer and transmitting it to the criminal. Besides, criminals can use it as a Remote Access Tool and perform the following tasks without physical access to the compromised computer:

Download various computer malware and running it;Take various login credentials, such as those of Telegram, Steam and other programs and send them to criminals;View or delete files on the victim’s computer;Steal cryptocurrency wallets and their contents;Steal browser-saved passwords, browser cookies, browsing history and more.

Needless to say, keeping such dangerous threats on your computer can lead to disastrous consequences. For this reason, our team recommends to remove KOOM ransomware virus along other residing malware as soon as you can. Typically, we do not suggest trying to eliminate computer viruses manually – unless you are a cybersecurity professional. For this task, we recommend you to follow the guide given below the article and use a robust antivirus such as INTEGO Antivirus to clean the infection automatically. In addition, we suggest downloading RESTORO to repair virus damage caused for Windows OS files.

Ransomware Summary

REPAIR VIRUS DAMAGE

How ransomware-type threats are distributed

Ransomware type threats coming from STOP/DJVU family are usually distributed in a form of malicious downloads, mostly those that are distributed via peer-to-peer file sharing networks. Many victims who have reported getting infected with KOOM, WIOT or other versions said that the infection came from cracks used to activate the following software:

Adobe Photoshop;Tenorshare 4ukey;League of Legends;Corel Draw;Cubase;Adobe Illustrator;Windows activation tools such as KMSPico.

Cybercriminals prey on computer users and gamers who seek to get pirated software copies, movies and other content and bypass license or streaming fees. Sadly, non-genuine software often comes packed with additional apps, malicious scripts or malware such as ransomware. However, the worst part is that users try so hard to get paid content for free that they even willingly choose to ignore their security software alerts. Most of the time, they believe that antivirus programs flag any type of “crack” download as insecure, therefore they proceed to make an exception for it and open it anyway. This can result in an immediate computer infection, although you might not notice it instantly. In case of ransomware, your files can get encrypted (remember that the most noticeable location – desktop gets compromised last), although you can get infected with not-so-noticeable malware such as crypto-mining software or Trojans as well. Remember that if you want to obtain a genuine and secure software copy, you should always choose legitimate sources to download it. We also want to add our two cents and mention that software license prices hardly ever surpass hefty ransoms demanded by cybercriminals. Another very popular method to distribute ransomware is to inject its download and execution script into a document (DOCX, XLS, PDF or another format), attach it to a phishing email and send it to thousands of recipients. For example, the attachment might be called an “Invoice”, “Order details” or “Tracking information” and come in a .ZIP or .RAR format. This archive might contain a PDF or Word document that prompts the computer user to enable Macros (this feature is disabled by default). Once enabled, Macros can download the ransomware executable and run it. For this reason, we strongly recommend you to avoid interacting with email attachments if the email message or the sender seems at least a bit suspicious. For example, scammers tend to send messages with grammar errors and insert well-known company logos that are poorly edited. However, experienced attackers are harder to spot as they try to make no mistakes and even use email spoofing techniques (which help to display a different sender’s email address than the original one that was used to send the email). We recommend avoiding interaction with email attachments or links included if:

You sense that the sender urges you to open the attachments or links immediately;The email contains spelling and grammar mistakes;Your email server marks it as spam or blocks images included;The email message comes from a sender that you did not expect to contact you;The message starts with an unfamiliar or weird greeting;The email message seems to be too good to be true.

Finally, STOP/DJVU ransomware victims should beware that scammers are trying to lure already-infected computer users with fake decryption tools. For example, ZORAB ransomware operators used such fake decryption tools as a bait to infect victims with a second payload. As a result, victim’s files would get double-encrypted.

Remove KOOM Ransomware Virus and Decrypt .koom Files

If your files were encrypted by the described ransomware, we recommend you to take action and free the computer system from threats as soon as possible. Keeping viruses on the system leaves it vulnerable to further attacks. Therefore, we strongly advise to read the guidelines given below on how to remove KOOM ransomware virus and other threats from your Windows PC safely. Once you boot your computer in Safe Mode with Networking, use recommended security software – INTEGO Antivirus to scan the system and eliminate malware automatically. Additionally, you might want to download RESTORO to repair virus damage on Windows OS files. After a successful KOOM virus removal, take the following actions:

Register cybercrime incident to your local authority responsible for handling such cases. You can find some links to official cybersecurity authorities for different countries below the article.Use a data backup (if you had it), but only after you remove all malware from the system.See these instructions to decrypt or repair files affected by STOP/DJVU versions.We also recommend changing your passwords, especially for websites that you save login credentials for in your browser.

OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.

Method 1. Enter Safe Mode with Networking

Before you try to remove KOOM Ransomware Virus virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, if you prefer a video version of the tutorial, check our guide How to Start Windows in Safe Mode on Youtube. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users Now, you can search for and remove KOOM Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable security program such as INTEGO Antivirus. For virus damage repair, consider using RESTORO.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10/11 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.

System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.

Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.

Decrypt KOOM files

Fix and open large KOOM files easily:

It is reported that STOP/DJVU ransomware versions encrypt only the beginning 150 KB of each file to ensure that the virus manages to affect all files on the system. In some cases, the malicious program might skip some files at all. That said, we recommend testing this method on several big (>1GB) files first.

STOP/DJVU decryption tool usage guide

STOP/DJVU ransomware versions are grouped into old and new variants. KOOM Ransomware Virus is considered the new STOP/DJVU variant, just like BPTO, ISWR, ISZA, BPSM, ZOUU, MBTF, ZNSM (find full list here). This means full data decryption is now possible only if you have been affected by offline encryption key. To decrypt your files, you will have to download Emsisoft Decryptor for STOP DJVU, a tool created and maintained by a genius security researcher Michael Gillespie. Note! Please do not spam the security researcher with questions whether he can recover your files encrypted with online key - it is not possible. In order to test the tool and see if it can decrypt KOOM files, follow the given tutorial.

Meanings of decryptor’s messages

The KOOM decryption tool might display several different messages after failed attempt to restore your files. You might receive one of the following messages: Error: Unable to decrypt file with ID: [example ID] This message typically means that there is no corresponding decryption key in the decryptor’s database. No key for New Variant online ID: [example ID]Notice: this ID appears to be an online ID, decryption is impossible This message informs that your files were encrypted with online key, meaning no one else has the same encryption/decryption key pair, therefore data recovery without paying the criminals is impossible. Result: No key for new variant offline ID: [example ID]This ID appears to be an offline ID. Decryption may be possible in the future. If you were informed that an offline key was used, but files could not be restored, it means that the offline decryption key isn’t available yet. However, receiving this message is extremely good news, meaning that it might be possible to restore your KOOM extension files in the future. It can take a few months until the decryption key gets found and uploaded to the decryptor. We recommend you to follow updates regarding the decryptable DJVU versions here. We strongly recommend backing up your encrypted data and waiting.

Victims of KOOM Ransomware Virus should report the Internet crime incident to the official government fraud and scam website according to their country:

In the United States, go to the On Guard Online website.In Australia, go to the SCAMwatch website.In Germany, go to the Bundesamt für Sicherheit in der Informationstechnik website.In Ireland, go to the An Garda Síochána website.In New Zealand, go to the Consumer Affairs Scams website.In the United Kingdom, go to the Action Fraud website.In Canada, go to the Canadian Anti-Fraud Centre.In India, go to Indian National Cybercrime Reporting Portal.In France, go to the Agence nationale de la sécurité des systèmes d’information.

If you can’t find an authority corresponding to your location on this list, we recommend using any search engine to look up “[your country name] report cyber crime”. This should lead you to the right authority website. We also recommend staying away from third-party crime report services that are often paid. It costs nothing to report Internet crime to official authorities. Another recommendation is to contact your country’s or region’s federal police or communications authority.