Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


All files encrypted to .kcnhkok extension by CTB Locker

  • This topic is locked This topic is locked
4 replies to this topic

#1 psudhakar999


  • Members
  • 3 posts
  • Local time:04:18 AM

Posted 19 January 2015 - 09:01 AM

Dear Team,


                        Recently We have received mail from below person. After opening .scr file all my files are attacked with extension  .kcnhkok mainly txt, pdf, doc, xlsx, jpg, .pst , Asking to pay ransom. Kindly provide some solution as my important files nearly 30000 affected. 


           Kindly note upgrades.zip was virus file received in mail


Louvenia Burnie (marginality@eriepa.com)

 Message [utf-8] ASCII UTF-8 Traditional Chinese (Big-5) Chinese (Simplified GB) CNS 11643 plane 1 CNS 11643 plane 2 CP 1250 (Windows Latin-2) CP 1251 (Windows Cyrillic) CP 1252 (Windows Latin-1) CP 1257 (Windows BalticRim) CP 1258 (Windows Vietnamese) CP 437 CP 850 (DOS Latin-1) CP 864 (DOS Arabic) CP 866 CP 874 EUC-JP EUC-KR EUC-TW Greek CCITT HZ ISO 2022-JP ("JIS") ISO 2022-KR ("KSC") ISO 5428 ISO 8859-1 (Latin-1) ISO 8859-2 (Latin-2) ISO 8859-3 (Latin-3) ISO 8859-4 (Latin-4) ISO 8859-5 (Cyrillic) ISO 8859-6 (arabic) ISO 8859-7 (Greek) ISO 8859-8 (Hebrew) ISO 8859-9 (Latin-5) ISO-8859-15 (Latin 9) KOI8-R Mac OS Arabic Mac OS Croatian Mac OS Cyrillic Mac OS Farsi Mac OS Greek Mac OS Hebrew Mac OS Icelandic Mac OS Latin-1 Mac OS Roman Mac OS Romanian Mac OS Thai Mac OS Turkish Mac OS Ukrainian Mac Romanian Shift-JIS Thai VISCII Windows Arabic Windows Greek Windows Hebrew Windows Thai Windows Turkish 




Mon, 19 Jan 2015 13:17:56 +0100


[Falcon Aviation] New fax message GD3S67D02A342

Fax: +07522-879-194
Date: 2015-01-18 12:17:44 CST
Pages: 3
ID: GD3S67D02A342
Filename: upgrades.zip

Falcon Aviation
Louvenia Burnie

Edited by quietman7, 19 January 2015 - 04:00 PM.
Moved from Win 7 to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 M. de Jager

M. de Jager

  • Banned
  • 434 posts
  • Gender:Male
  • Local time:11:48 PM

Posted 19 January 2015 - 09:31 AM

Take a look into this discussion, it is about the infection you have.

#3 psudhakar999

  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:18 AM

Posted 19 January 2015 - 09:39 AM

HI M De Jager,


                             I have visited & referred all those sites related to this but nothing fixed my problem all my files are still in encryption mode. Kindly help me to recover my files. To support you I have shared all files and sample virus to decode it.  

#4 M. de Jager

M. de Jager

  • Banned
  • 434 posts
  • Gender:Male
  • Local time:11:48 PM

Posted 19 January 2015 - 09:48 AM


I don't need that stuff and I can't help you with it, sorry.


The best thing you can is to open here a new thread, pleas read this thread first, starting by step 6. If you can't do a step skip it and move on.

If you've posted your thread there a moderator will close this thread to avoid confusion.


Do NOT change anything to your computer (install/uninstall) or run tools your own unless requested by a MRL member. If HelpBot replies follow PLEAS step 1 to report the topic to the MRL team.


Best of luck with everything.


Edit, it has been moved to AII. 

Edited by M. de Jager, 19 January 2015 - 10:13 AM.

#5 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,271 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:48 PM

Posted 19 January 2015 - 04:03 PM

A repository of all current knowledge regarding CTB Locker and Critroni Ransomware is provided by Grinler (aka Lawrence Abrams), in this tutorial: CTB Locker and Critroni Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CTB Locker (Critroni) does and provide information for how to deal with it. The newest variants of CTB Locker typically encrypt all data files and rename them as a file with a 6-7 length extension with random characters. The newer variants also do not always leave a ransom note if the malware fails to change the background, like it generally does. You can check your documents folder for an image the malware normally uses...it may be labeled "decryptallfiles" or something similar. At this time there is no fix tool and no way to retrieve the private key that can be used to decrypt your files without paying the ransom.

More information in this article: New Critroni variant offers free test decryption and now uses CTB2 extension. Unfortunately, there is still no known method of decrypting your files without paying the ransom.

There is also an ongoing discussion in this topic: CTB Locker or DecryptAllFiles.txt Encrypting Ransomware Support & Discussion. Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

The BC Staff

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users