Recently, one of the very famous Indian Hacking group named "Kerala Cyber Warriors" has compromised the Pakistan based the Welfare organization site. According to the latest report, this group of cyber hackers attacking over 1000 of the Bangladesh and Pakistan based sites including the airport sites, government sites and much more. This variant of ransomware is mainly locked users files using .kcwenc and after that demand huge amount of ransom fee. If your Windows System is also attacked by this variant of ransomware and you want to get rid of it then go through with this expert's guidelines completely.
Threat's Profile of KCW Ransomware
Threat's Name | KCW Ransomware |
Threat's Type | Ransomware |
Alias | Kerala Cyber Warriors |
Affected Systems | Windows OS |
Risk Level | High |
Based on | PHP |
File Extension | .kcwenc file extension |
Compromised Sites | planavent.com and arainwelfare.org |
Description | KCW Ransomware is another worst ransomware infection that locks users stored files and after that asks victims to pay ransom demanded fee. |
Occurrences | Bundling method, junk mail attachments, spam campaigns, torrent downloads, contaminated devices, P2P file sharing sources and much more. |
Symptoms |
|
To delete KCW Ransomware and decrypt locked files, you must download Windows Scanner Tool – download it. |
KCW Ransomware – Labeled As Crypto Ransomware
KCW Ransomware is another crypto malware which is mainly used to lock the web files. It is a PHP based ransomware that aim to encrypt users files and websites. The locked or affected data can be easily notified by System users because it uses .kcwenc file extension to lock file. The locked site can not be easily noticed because it get encrypted by the Team Kerala Cyber Warriors. Currently, this malware has attacked planavent.com and arainwelfare.org site. As soon as the payload of this ransomware is being executed, it enables the hard code file encryption algorithm and creates an index file which launches the site displaying ransom note.
First of all the sign of KCW Ransomware has been discovered at back of 2016 when Kerala Cyber Warriors managed to hack People For Animals (PFA) site. PFA site is dedicated to protection of the animal rights and support for ban on extermination of stray dogs. After that it has been discovered at end of April 2018 when the malware researchers revealed the planavent.com and arainwelfare.org sites locked by this ransomware. Likewise other ransomware, KCW Ransomware has also sole intention to extort money from novice users. Therefore, you must take an immediate KCW Ransomware removal action after getting any harmful symptom.
Free Scan your Windows PC to detect KCW Ransomware
Remove KCW Ransomware From Your PC
Step 1: Remove KCW Ransomware in Safe Mode with Command Prompt
- First of all disconnect your PC with network connection.
- Click restart button and keep pressing F8 key regularly while system restart.
- You will see “Windows Advanced Options Menu” on your computer screen.
- Select “Safe Mode with Command Prompt” and press Enter key.
- You must login your computer with Administrator account for full privilege.
- Once the Command Prompt appears then type rstrui.exe and press Enter
- Now follow the prompts on your screen to complete system restore.
Step 2: Remove KCW Ransomware using MSConfig in Safe Mode:
- Power off your computer and restart again.
- While booting press the “F8 key” continuously to open “Windows Advanced Options Menu”.
- Use the arrow keys to select “Safe Mode” option and press Enter key.
- Once system get started go to Start menu. Type “msconfig” in the search box and launch the application.
- Go to the Startup tab and look for files from %AppData% or %Temp% folders using rundll32.exe. See an example below:
C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1
- Disable all the malicious entries and save the changes.
- Now restart your computer normally.
Step 3 : Kill Malicious Process Related To KCW Ransomware
- Press Alt+Ctrl+Del buttons together.
- It will open the Task manager on your screen.
- Go to Process Tab and find KCW Ransomware related process.
- Click the End Process Now button to stop the running process.
Step 4 : Remove KCW Ransomware Virus From Registry Entry
- Press “Windows + R” key together to open Run Box.
- Type “regedit” and click OK button.
- Find and remove KCW Ransomware related entries.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Runonce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Now hopefully you have completely removed the KCW Ransomware virus from your computer. If you are still get ransom message from the threat or unable to access your files, then it means that virus still remain into your computer. In such situation you don’t have any other option except removing this virus using any powerful malware removal tool.
Whereas if you have any backup of your infected or encrypted files, then you can also reinstall your Windows OS. This will erase all your files and data as along with the KCW Ransomware infection. You will get a completely empty computer system with no files. Now you can use your backup to get your files. If you don’t have any backup then using malware removal tool is a better option for you.
If you have any query or question regarding your computer, then you can easily ask your problem to our experts. Go to the Ask Any Question page and get the answer for your query directly from out experts.