Kruu is a file-encrypting Trojan from the STOP/Djvu ransomware family. It
encrypts documents, images and videos, appends the “.kruu” extension to the
name of every encrypted file, and drops a ransom note named “_readme.txt”
containing the payment demand. For instance, “document.docx” becomes
“document.docx.kruu”, “image.jpg” becomes “image.jpg.kruu” and
“acknowledge.pdf” becomes “acknowledge.pdf.kruu”. An infection can therefore be
recognised by the “.kruu” extension on files that no longer open.
Short description of the ransomware
Name – Kruu virus
File extension – .kruu
Type – Ransomware, cryptovirus (STOP/Djvu family)
Symptoms – Files are encrypted and renamed with the .kruu extension and no longer open
Ransom note – _readme.txt
Distribution methods – Spam emails and email attachments, freeware downloads,
software cracks and pirated software, torrent downloads, malicious URLs,
malvertising, USB drives, and abused MSP and RMM (remote management) tools
Encryption – Salsa20 for file contents, with the key protected by RSA-2048
The “_readme.txt” note lists two contact email addresses and the decryption
price. Victims are told to email manager@time2mail.ch or supportsys@airmail.cc
within 72 hours to buy the decryption software and key for $490 instead of the
full price of $980. Paying funds the operators and does not guarantee a working
decryptor, so treat the note as an indicator, not an instruction.
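Before removing anything, scope the infection from the two indicators described above (the “.kruu” extension and the “_readme.txt” note). The PowerShell function below is an added example, not code from the original page; it assumes an elevated prompt on the affected host, a writable C:\IR folder for output, and that $Root points at the user data to inventory (it can equally be a mounted forensic image such as E:\Users).

```powershell
# Added example, not from the original page: inventory a Kruu infection from the
# .kruu extension and the _readme.txt note. Assumes an elevated prompt; $Root may
# be a live profile root or a mounted image.
function Get-KruuTriage {
    param([Parameter(Mandatory)][string]$Root)

    $gci = @{ Path = $Root; Recurse = $true; File = $true; Force = $true; ErrorAction = 'SilentlyContinue' }
    # -Filter uses Windows wildcard semantics, so re-check the extension exactly
    $encrypted = @(Get-ChildItem @gci -Filter '*.kruu' | Where-Object Extension -eq '.kruu')
    $notes     = @(Get-ChildItem @gci -Filter '_readme.txt' | Where-Object Name -eq '_readme.txt')

    # The original type is whatever precedes ".kruu": document.docx.kruu -> .docx
    $byType = $encrypted |
        Group-Object { [IO.Path]::GetExtension($_.Name.Substring(0, $_.Name.Length - 5)) } |
        Sort-Object Count -Descending

    # Write times on the encrypted files bound the encryption window
    # (unless the malware reset timestamps, which this does not detect)
    $ordered = @($encrypted | Sort-Object LastWriteTime)
    $first = $null; $last = $null
    if ($ordered.Count -gt 0) { $first = $ordered[0].LastWriteTime; $last = $ordered[-1].LastWriteTime }

    [PSCustomObject]@{
        Root             = $Root
        EncryptedFiles   = $encrypted.Count
        RansomNotes      = $notes.Count
        FirstEncrypted   = $first
        LastEncrypted    = $last
        TopOriginalTypes = $byType | Select-Object -First 10 Name, Count
        NoteFolders      = @($notes.DirectoryName | Sort-Object -Unique)
        Files            = $encrypted.FullName
    }
}

New-Item -ItemType Directory -Path 'C:\IR' -Force | Out-Null
$report = Get-KruuTriage -Root 'C:\Users'
$report | Select-Object Root, EncryptedFiles, RansomNotes, FirstEncrypted, LastEncrypted | Format-List
$report.TopOriginalTypes | Format-Table -AutoSize
# Keep the full list: it is the recovery scope once a backup or decryptor is available
$report.Files | Set-Content 'C:\IR\kruu-files.txt'
```

The FirstEncrypted and LastEncrypted values are what you compare against restore-point dates and backup timestamps later in the procedure; the file list is what you will need to verify recovery against.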
The ransomware may persist across reboots by registering itself under one or
more of the following autostart registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Isolating the infected device
Some ransomware spreads across wired and wireless networks to reach other
computers and network shares, so isolate the infected device as soon as
possible.
Disconnect from the internet (unplug the Ethernet cable and turn off Wi-Fi)
Unplug all external storage devices and disconnect mapped network drives
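Cutting the network also destroys evidence of where the machine was talking, so record that first and then take every adapter down. The script below is an added example, not from the original page; it assumes an elevated prompt at the console (if you are connected over RDP it will disconnect you), Windows 8 / Server 2012 or later for the NetAdapter, NetTCPIP and SMB cmdlets, and a writable C:\IR folder.

```powershell
# Added example, not from the original page: capture network state, then isolate.
# Run elevated, at the console (disabling adapters ends any remote session).
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = "C:\IR\isolation-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# What this host reaches: mapped drives and SMB shares it is connected to
Get-SmbMapping    -ErrorAction SilentlyContinue | Export-Csv "$out\smb-mappings.csv"    -NoTypeInformation
Get-SmbConnection -ErrorAction SilentlyContinue | Export-Csv "$out\smb-connections.csv" -NoTypeInformation
# Who reaches this host: inbound SMB sessions (non-empty if it shares folders)
Get-SmbSession    -ErrorAction SilentlyContinue | Export-Csv "$out\smb-sessions.csv"    -NoTypeInformation

# Live TCP connections with the owning process, for the process-hunting step later
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Export-Csv "$out\tcp-established.csv" -NoTypeInformation

# Now isolate: every adapter that is up, wired or wireless
Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
# Re-enable after cleanup with: Get-NetAdapter | Enable-NetAdapter
```

External USB drives still have to be unplugged physically; disabling adapters does nothing for them. The smb-mappings and smb-connections files tell you which shares and servers to check for .kruu files next.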
Removal guidelines
Start your computer in Safe Mode with Networking. Either of the two routes
below works.
Via msconfig: press the Windows key and R, type msconfig and press Enter.
On the Boot tab, tick Safe boot and select Network, then click Apply and OK and
restart. The system boots straight into Safe Mode with Networking. Untick Safe
boot once the cleanup is done, or every reboot will land in Safe Mode.
Via Startup Settings: hold Shift while clicking Restart on the Start menu or
sign-in screen. This takes you to the Windows Troubleshoot screen; choose
Troubleshoot > Advanced Options > Startup Settings > Restart.
In Startup Settings, press F5 for Safe Mode with Networking or F6 for Safe Mode
with Command Prompt.
Finally, start the restore process.
In the Command Prompt, type rstrui.exe and press Enter. On Windows Vista and
later the program is %systemroot%\system32\rstrui.exe, which is on the path;
the older sequence of typing cd restore and then rstrui.exe (that is,
%systemroot%\system32\restore\rstrui.exe) applies only to Windows XP.
The command opens the System Restore window. Click Next and choose a restore
point created before the infection; compare its date with the timestamps on
the .kruu files.
Click Yes to begin the system restoration process. System Restore rolls back
system files, the registry and installed programs, which removes the
ransomware's autostart entries, but it does not restore your documents, so
encrypted files stay encrypted. Ransomware also commonly deletes Volume Shadow
Copies, in which case no usable restore point will be listed and you will need
a backup instead.
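The same two steps can be done from a console, which is handier when a machine has no usable desktop. The commands below are an added example, not from the original page; they assume an elevated Windows PowerShell 5.1 session (the System Restore cmdlets are not part of PowerShell 7) and that System Restore is enabled on the system drive.

```powershell
# Added example, not from the original page: command-line equivalent of the
# msconfig "Safe boot / Network" checkbox and of picking a restore point in rstrui.
# Windows PowerShell 5.1, elevated.

# Boot into Safe Mode with Networking on the next restart ("minimal" = plain Safe Mode).
bcdedit /set '{current}' safeboot network
# Clear it when the cleanup is finished, or every reboot lands in Safe Mode:
#   bcdedit /deletevalue '{current}' safeboot

# Restore points newest first; pick one dated before the first .kruu file appeared
function Get-RestorePointList {
    Get-ComputerRestorePoint |
        Select-Object SequenceNumber, Description, RestorePointType,
            @{ n = 'Created'; e = { [Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } } |
        Sort-Object Created -Descending
}
Get-RestorePointList | Format-Table -AutoSize

# Roll back to the chosen point (replace 42 with its SequenceNumber); the machine reboots.
# Restore-Computer -RestorePoint 42 -Confirm

# If you only need the safe-boot setting to take effect:
# Restart-Computer
```

An empty list from Get-RestorePointList is the case described above where the shadow copies are gone; there is then nothing for rstrui.exe to offer either, and the removal has to be done by hand (autostart keys and the process list) with files recovered from backup.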
Other things you can do –
Press CTRL + SHIFT + ESC to open Task Manager and go to the Processes tab. Try
to identify which processes are malicious: unfamiliar names, or executables
running from user-writable folders such as AppData or Temp.
Right-click each suspect and choose Open File Location, then check the file
with an online scanner such as VirusTotal. Searching by the file's SHA-256 hash
avoids uploading it.
Also review the four autostart registry keys listed above for entries that
point at the same file, and remove them once the file is confirmed malicious.
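The Task Manager check and the registry check above are the same question asked twice: which executables start or run from somewhere legitimate software rarely lives, and what are their hashes? The script below is an added example, not from the original page, covering both the four autostart keys and the running process list. It assumes an elevated prompt, a writable C:\IR folder, and a heuristic of my own (flag anything under AppData, LocalAppData, Temp, the user profile or ProgramData, or any running binary without a valid Authenticode signature); a flag means "look at this", not "this is malware".

```powershell
# Added example, not from the original page: audit the four autostart keys listed
# earlier plus running processes, hashing each binary for a VirusTotal hash search.
# Run elevated. The "user-writable" roots are an assumed heuristic; tune per site.
$autostartKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE, $env:ProgramData) |
    Where-Object { $_ }

function Test-UserWritablePath([string]$Path) {
    foreach ($root in $userWritable) {
        if ($Path -and $Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-FileSha256([string]$Path) {
    if ($Path -and (Test-Path -LiteralPath $Path -PathType Leaf)) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-AutostartAudit {
    foreach ($key in $autostartKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            # The executable is the quoted first token, else the first whitespace-delimited token
            $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            [PSCustomObject]@{
                Source = $key
                Name   = $name
                Path   = $exe
                Sha256 = Get-FileSha256 $exe
                Flag   = Test-UserWritablePath $exe
            }
        }
    }
}

function Get-ProcessAudit {
    # Processes without a readable Path (system, protected) are skipped
    Get-Process | Where-Object Path | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.Path
        [PSCustomObject]@{
            Source = "PID $($_.Id)"
            Name   = $_.ProcessName
            Path   = $_.Path
            Sha256 = Get-FileSha256 $_.Path
            Flag   = (Test-UserWritablePath $_.Path) -or ($sig.Status -ne 'Valid')
        }
    }
}

New-Item -ItemType Directory -Path 'C:\IR' -Force | Out-Null
$findings = @(Get-AutostartAudit) + @(Get-ProcessAudit)
$findings | Sort-Object Flag -Descending | Format-Table Flag, Source, Name, Path, Sha256 -AutoSize
$findings | Export-Csv 'C:\IR\autostart-process-audit.csv' -NoTypeInformation
```

Two caveats. On 64-bit Windows, 32-bit autostarts also live under HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run, which the page's list does not include; add it to $autostartKeys if the host is 64-bit. And the encrypting process may already have exited by the time you look, so an empty process audit does not clear the machine; the autostart entries and the file hashes are the more durable evidence.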