Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


RansomeWare / CryptoLocker Virus / *.KYKFKHA

  • This topic is locked This topic is locked
3 replies to this topic

#1 dreamteam2k


  • Members
  • 3 posts
  • Local time:04:12 AM

Posted 30 June 2015 - 11:02 AM


I was brought in to help somebody who got a CryptoLocker Virus. I have no prior experience with this before and have only began reading up on it since yesterday. As far as I can tell the person I'm helping has been hit hard and cannot access any of their documents anymore. They have no backups.

I am attaching a screen shot of what I see on the infected computer.


All of the files are now appended with the following file extension *.KYKFKHA


We wish not to pay the ransom but not sure how else to avoid. It is asking for one Bitcoin for payment and am looking at about a week of time in order to process the payment. 

Like I said, I was brought in to help somebody so I'm just doing what I can. I hope someone else has seen this and is willing to share their experience and advice. 

Thank you,



Edited by hamluis, 30 June 2015 - 12:15 PM.
Moved from Am I Infected to Gen Security - Hamluis.

BC AdBot (Login to Remove)


#2 dreamteam2k

  • Topic Starter

  • Members
  • 3 posts
  • Local time:04:12 AM

Posted 30 June 2015 - 11:05 AM

I'm trying to figure out how to attach the screen shot and I feel stupid but I'm not able to find the correct way to upload it to this thread

#3 Aura


    Bleepin' Special Ops

  • Malware Response Team
  • 19,672 posts
  • Gender:Male
  • Local time:04:12 AM

Posted 30 June 2015 - 11:40 AM

Hi dreamteam2k :)

You've been infected with CTB-Locker or one of it's variants. CTB-Locker is known to change the extension of the file it encrypts to random characters, in your case, it's .KYKFKHA. There's no way to decrypt the files encrypted with new variants of CTB-Locker at this time. I'll ask you to go seek support in the CTB-Locker Support Thread, since it'll avoid the creation of hundreds of thread for the same issue.

CTB Locker or DecryptAllFiles.txt Encrypting Ransomware sets extension to .CTBL

If you want to learn more about CTB-Locker, you can consult the FAQ hosted on BleepingComputer.

CTB Locker and Critroni Ransomware Information Guide and FAQ

This being said, I contacted a Moderator to get this thread closed.

Good luck!

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.

#4 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,734 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:12 AM

Posted 30 June 2015 - 07:04 PM

To avoid confusion, this topic is closed.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users