Kampret Ransomware

The Kampret Ransomware is one of the many ransomware Trojans active today that are derived from HiddenTear, an open source ransomware Trojan that was open to the public since 2015. The Kampret Ransomware was first observed on April 7, 2017, and it receives its name from the Indonesian word for 'bat,' which it contained in its logo, as an image of a bat. Malware analysts have observed that the Kampret Ransomware uses the AES 256 encryption to make the victim's files inaccessible completely. The Kampret Ransomware displays a ransom note demanding that the victim pays a large ransom to decrypt the affected files. The Kampret Ransomware's ransom note is written in very poor English, making it clear that its creators are not English speakers. Although the Kampret Ransomware seems to be the work of Indonesian hackers, it is apparent that their intended victims are computer users located in English-speaking regions.

Measuring the Threat Posed by the Kampret Ransomware

The Kampret Ransomware is designed to encrypt the victims' data, affecting various storage devices. The Kampret Ransomware is nearly identical to most variants of HiddenTear, which have become quite prevalent since this threat's initial release. It seems that the most common way of distributing the Kampret Ransomware is through corrupted text documents that use scripts to download and install the Kampret Ransomware on the victim's computer. The Kampret Ransomware will target all files on the affected computer's hard drives, including removable memory devices such as media players, and network storage. The Kampret Ransomware connects to its Command and Control server to relay information about the infected computer and receive configuration data. The Kampret Ransomware will target a wide variety of file types, using the AES 256 encryption to make the files inaccessible completely. The Kampret Ransomware will target the following file types:

.3GP, .7Z, .APK, .AVI, .BMP, .CDR, .CER, .CHM, .CONF, .CSS, .CSV, .DAT, .DB, .DBF, .DJVU, .DBX, .DOCM, ,DOC, .EPUB, .DOCX .FB2, .FLV, .GIF, .GZ, .ISO .IBOOKS,.JPEG, .JPG, .KEY, .MDB .MD2, .MDF, .MHT, .MOBI .MHTM, .MKV, .MOV, .MP3, .MP4, .MPG .MPEG, .PICT, .PDF, .PPS, .PKG, .PNG, .PPT .PPTX, .PPSX, .PSD, .RAR, .RTF, .SCR, .SWF, .SAV, .TIFF, .TIF, .TBL, .TORRENT, .TXT, .VSD, .WMV, .XLS, .XLSX, .XPS, .XML, .CKP, .ZIP, .JAVA, .PY, .ASM, .C, .CPP, .CS, .JS, .PHP, .DACPAC, .RBW, .RB, .MRG, .DCX, .DB3, .SQL, .SQLITE3, .SQLITE, .SQLITEDB, .PSD, .PSP, .PDB, .DXF, .DWG, .DRW, .CASB, .CCP, .CAL, .CMX, .CR2.

After encrypting the victim's files, the Kampret Ransomware will drop a file named 'READ_ME.txt' on the affected computer's Desktop. This file contains the Kampret Ransomware's ransom note. As part of the attack, the Kampret Ransomware also will delete the Shadow Volume Copies and other components that could help computer users recover from a the Kampret Ransomware attack. The following is the text contained in the Kampret Ransomware's ransom note:

'Files has been encrypted with kampret.
Send Me 0.5 BTC for buy a coffe and bakpao :), then Email Me 🙂
Emy email kampretos@protonmail.com'

The Kampret Ransomware encrypts your files and marks them with the extension '.lockednikampret.' Once the Kampret Ransomware Trojan has finished its encryption, the affected files will become inaccessible completely. The decryptor costs approximately $600 USD. However, computer users that pay the Kampret Ransomware ransom or contact these people may end up losing their files and money. No one can guarantee that the perpetrator of the Kampret Ransomware will deliver on their promise, and the payment of the ransom allows the Kampret Ransomware's creators to develop more threats and infect more computer users.

Dealing with a Kampret Ransomware Infection

It may not be possible to decrypt files that have become inaccessible by the Kampret Ransomware attack. Because of this, by having a backup of all files, computer users can get back their files without spending any money. A security program that is fully up to date can be used to remove the Kampret Ransomware infection itself.