Kupidon ransomware


Kupidon ransomware is the cryptovirus that targets companies and mainly spreads in Romania

Kupidon ransomware is malware that encrypts data and demands payment from the victim, claiming to hold the decryption tool needed to restore the files properly. The initial report[1] about this new threat states that it is possibly a copy of an older ransomware strain, because the ransom note text delivered in the !KUPIDON_DECRYPT.TXT file resembles that of an earlier threat. That is nothing new, since many actors reuse information or code from other threats to build their own malware. The researchers' post also reveals that the targets of this cryptovirus are mainly companies, most of them related to Romania. There are not many samples at the time, but further details show that the threat is dangerous and can evolve pretty quickly.

Kupidon ransomware virus is not reported to come from another family or malware developers. Once the machine is infected, it encrypts common files using the AES and RSA algorithms.[2] Locking the files gives the creators leverage for the money demands and scary messages that come right after the encryption. When images, documents, archives, or other types of files get encoded, they become useless and receive the .kupidon marker at the end, so the victim can tell which files got encrypted. Even though the ransomware directly corrupts common files on the machine, system data can also be affected when malicious processes run in the background or when parts of the system, like registry entries and security tools, get altered.

Name: Kupidon ransomware
File marker: .kupidon, placed at the end of the file name, after the original name and file-type extension, once the encryption process is completed
Danger: Cryptocurrency-extortion based threats are dangerous because the attacks involve money demands and blackmailing messages. People can pay for nothing and end up losing both money and data
Ransom amount: Attackers ask for $300 from victims whose samples got analyzed. The attackers prefer to receive the amount in Bitcoin, and it can be determined for each victim separately, judging by the value and amount of data encoded during the attack
Ransom note: !KUPIDON_DECRYPT.TXT is the file that contains the message from the virus creators and includes contact information, details on the ransom amount and the victim's unique ID
Elimination: Kupidon ransomware removal should be performed using anti-malware tools, so any associated programs can get deleted
Distribution: The threat is delivered with the help of malicious files that can be attached to emails or downloaded from malware-laced pages and torrent services. The infiltration happens quickly, and users cannot notice the payload drop
Recovery: As for the virus damage that the ransomware possibly triggers in the background to affect the persistence of the virus, you should rely on Reimage Intego or similar tools that can check for affected data or settings

Kupidon ransomware starts with the encryption process, during which files get the .kupidon extension appended and a ransom note bearing the ransomware's name gets placed in various folders. This !KUPIDON_DECRYPT.TXT file is created to inform people about further actions and encourage them to pay the demanded amount to the criminals.
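The two artifacts described above (the .kupidon marker and the !KUPIDON_DECRYPT.TXT note) are enough to scope which folders were hit, for instance when checking a backup drive from a clean machine. The following triage script is an added example, not part of the original article; the function names are hypothetical, the sample tree is constructed, and case-insensitive matching of the names is an assumption.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

MARKER = ".kupidon"                 # extension appended after the original name (from the article)
NOTE_NAME = "!KUPIDON_DECRYPT.TXT"  # ransom note file name (from the article)


def scan_tree(root):
    """Walk root and return {folder: {"encrypted": [(name, original)], "note": bool}}."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.upper() == NOTE_NAME:
                report[folder]["note"] = True
            elif name.lower().endswith(MARKER) and len(name) > len(MARKER):
                # Strip only the trailing marker to recover the original file name.
                report[folder]["encrypted"].append((name, name[: -len(MARKER)]))
    return dict(report)


def summarize(report):
    """Return (encrypted_count, folders_with_note, folders_with_files_but_no_note)."""
    total = sum(len(v["encrypted"]) for v in report.values())
    noted = sorted(f for f, v in report.items() if v["note"])
    silent = sorted(f for f, v in report.items() if v["encrypted"] and not v["note"])
    return total, noted, silent


def build_sample_tree(base):
    """Constructed sample data: a small tree imitating an affected user profile."""
    docs, pics, clean = Path(base, "Documents"), Path(base, "Pictures"), Path(base, "Clean")
    for d in (docs, pics, clean):
        d.mkdir(parents=True)
    for p in (docs / "report.docx.kupidon", docs / "budget.xlsx.kupidon", docs / NOTE_NAME,
              pics / "photo.jpg.kupidon", clean / "notes.txt"):
        p.write_bytes(b"constructed sample")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        total, noted, silent = summarize(scan_tree(build_sample_tree(tmp)))
        print(f"{total} encrypted file(s); notes in {len(noted)} folder(s); "
              f"{len(silent)} folder(s) with encrypted files but no note")
```

Folders that hold encrypted files but no note are worth a second look, since they may indicate an interrupted run or a location the note was removed from.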

Unfortunately, the Kupidon ransomware virus is focused on getting money and making a profit. Your files, devices, and other belongings are not important to the cybercriminals, so trusting them is not a good option. Malicious actors may even offer you a test decryption to pretend that this is a legitimate service and that the decryption tool works.

The test decryption prior to the payment can be performed on files no larger than 10 MB. This may be the case because criminals store some of these files for the purpose of tricking you into believing that the data got recovered. Do not fall for any of these tricks that attackers use.

The text displayed in Kupidon ransomware ransom note:

 All your files have been encrypted with Kupidon Virus.
Your unique id: 
As a private person you can buy decryption for 300 $ in Bitcoins.
But before you pay, you can make sure that we can really decrypt any of your files.
The encryption key and ID are unique to your computer, so you are guaranteed to be able to return your files.
To do this:
1) Download and install Tor Browser (https://www.torproject.org/download/)
2) Open the http://oc3g3q5tznpubyasjgliqyykhxdfaqge4vciegjaapjchwtgz4apt6qd.onion/ web page in the Tor Browser and follow the instructions. 

Kupidon ransomware mainly targets companies and businesses, so the ransom amount can go up a notch and be specific to the particular target. However, even large businesses shouldn't pay this demand and should remove the malware instead. The ransom payment page shows the following:

1) Send a few encrypted files (no more 3 files, no more 10 MB per letter) to [email protected] . Dont forget to include you ID from ! KUPIDON_DECRYPT.TXT .
2) We will decipher them and send you back with bitcoin address for payment.
3) After payment ransom for Bitcoin, we will send you a decryption program and aes-key with instructions. If we can decrypt any of your files, we have no reason to deceive you after payment. 

Kupidon ransomware virus
Kupidon ransomware – cryptocurrency extortion based malware that shows you a demanding message as the text file.

You need to remove Kupidon ransomware instead of paying the ransom because the promised options for getting your files back may be false and not possible at all. A decryption tool has not been officially released yet, so there is only one option for file recovery: data backups. Of course, you can rely on some third-party programs and our suggestions below, but the best thing you can do when you encounter such an intruder is run the cleaning process.

Kupidon ransomware removal results are best when you rely on professional anti-malware tools that can clean the threat completely, alongside other possible infections, malicious files, or applications. Security tools cannot recover those encrypted documents or images, but you shouldn't even consider file recovery until the system is virus-free.

Kupidon ransomware can easily run the encryption algorithms again and affect files you newly added on the machine. This way you lose all of your data. This can happen to your external data backup when you plug in the USB device to the still infected computer. We strongly advise staying away from criminals and terminating the threat ASAP. 

The process of cleaning the machine can get difficult when Kupidon ransomware damages shadow volume copies, alters Windows registry entries, changes settings, or disables programs that can be helpful for either malware termination or file recovery. We have listed a few tips to bypass these changes below.

As for the virus damage that Kupidon ransomware causes, rely on optimization software or tools designed to repair computers, like Reimage Intego, and run a full check for affected files. Later on, you can repair any corrupted parts of the system. Experts[3] always note how important it is to get rid of the damage and restore functions to their normal state.

Kupidon cryptovirus
Kupidon ransomware – a threat that delivers ransom note on the desktop as soon as the encryption is done.

Malware targets users' data by dropping the payload via a malicious file

Payload droppers for ransomware-type malware can be anything from trojans and other cyber threats to files attached to email notifications that contain malicious macros. The malware script initiates the installation of the main launcher of the threat, so the infection happens and the system gets affected significantly.

The files that spread malware can be disguised as PDFs or Microsoft Word or Excel documents and claim to contain important information, so people fall for the trick and download the attachment from a questionable email. At this point, the user's interaction is needed because the malicious macros need to be enabled. The file that you open shows a form to agree to, so the content can be displayed.

One click, and the malware script gets dropped directly on the system. If you want to avoid such infiltration, you need to delete any suspicious emails after receiving them and rely on proper security tools before downloading anything from the internet. Most such tools can check the attachment and show whether it is safe to download.

Kupidon ransomware termination includes cleaning infectious files from the system

When you encounter the Kupidon ransomware virus, you should take into consideration the additional infections and programs that can be loaded behind your back. Anything related to the malware that is left on the machine can affect the persistence of the ransomware and interfere with security tools, other methods of data recovery, and malware elimination.

Kupidon ransomware removal can be achieved with anti-malware tools that check the system for malware and intruders and delete the payload files and other threats. Security programs like SpyHunter 5, Combo Cleaner or Malwarebytes can serve this purpose, but you may want to reboot the machine in Safe Mode with Networking first to get better results.

When you remove Kupidon ransomware using the anti-malware program, you can be sure that no additional threats can run in the background. However, some of the alterations that malware makes to system files and functions can trigger unwanted symptoms or even further damage, so running Reimage Intego or a different PC repair tool can help to fix the damage completely.

Reimage Intego has a free limited scanner. Reimage Intego offers a more thorough scan when you purchase its full version. When the free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

Remove Kupidon using Safe Mode with Networking

Rebooting the machine in Safe Mode with Networking can significantly lessen the frustration when terminating Kupidon ransomware with AV tools

  • Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

  • Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Log in to your infected account and start the browser. Download Reimage Intego or another legitimate anti-spyware program. Update it before a full system scan, then remove the malicious files that belong to the ransomware and complete the Kupidon removal.

If the ransomware is blocking Safe Mode with Networking, try another method.

Remove Kupidon using System Restore

System Restore is the feature that can help with malware elimination since it returns the computer to a previous state

Bonus: Recover your data

The guide presented above is supposed to help you remove Kupidon from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Kupidon, you can use several methods to restore them:

Data Recovery Pro – the program that restores files after encryption or accidental deletion

Your device may get affected by Kupidon ransomware, or you may delete files by accident. In both cases your data gets damaged, and Data Recovery Pro is a solution for both

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kupidon ransomware;
  • Restore them.

Windows Previous Versions relies on recovering affected data

When System Restore is enabled, Windows Previous Versions can also be used for restoring files

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer is the method that allows recovering the encrypted files

If Shadow Volume Copies are not affected, you can rely on ShadowExplorer

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Kupidon ransomware decryption tool is not available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Kupidon and other ransomware, use a reputable anti-spyware program, such as Reimage Intego, SpyHunter 5, Combo Cleaner or Malwarebytes

This entry was posted on 2020-05-14 at 07:21 and is filed under Ransomware, Viruses.