kes$ Ransomware

By GoldSparrow in Ransomware

At the beginning of May 2019, cybersecurity researchers uncovered yet another file-locking Trojan lurking in the shadows of the Internet. It was discovered that this seemingly new threat is a variant of the infamous Scarab Ransomware and it was given the name kes$ Ransomware.

The most likely propagation methods employed by the kes$ Ransomware appear to be spam email campaigns, pirated software and faux update notifications. Once it has infiltrated a user's computer, the kes$ Ransomware starts a quick scan of the system to identify the files it will encrypt. To ensure maximum damage, ransomware threats like the kes$ Ransomware are usually programmed to go after the most common file types that normal users would have on their PCs, for example .ppt, .mov, .mp3, .png, .jpeg, .doc, etc.

Next, the kes$ Ransomware begins encrypting the files it targeted. When encrypting your files, the kes$ Ransomware appends a '.kes$' extension to the file name. This means that a photo that was originally called 'cuckoo-clock.jpg' would be renamed to 'cuckoo-clock.jpg.kes$'.

After completing this step, the kes$ Ransomware drops a ransom note for the victim. The ransom note is named 'Инструкция по расшифровке.TXT' ('Instructions for decryption.TXT' from Russian), which could mean that this data-encrypting Trojan may be aiming mainly for users in Russia. In the note, the attackers promise that they are capable of unlocking your data and offer to prove it by having you send them two of your encrypted files, up to 1MB in size, which they would decrypt for free. They provide an email address where you can contact them: kesoma32@horsefucker.org. Furthermore, they threaten to delete 24 files every 24 hours unless you get in touch with them and send them your personal ID, which is provided in the ransom note. The authors of the kes$ Ransomware go on to 'guarantee 100%' that they will recover all of your files successfully and that their service is '100% reliable.'

We would strongly advise you against contacting the creators of the kes$ Ransomware. Authors of ransomware are known to trick their victims, and even if you pay up the ransom fee, there is no '100% guarantee' that they will provide you with a decryptor as they claim. The best response would be to install a legitimate anti-malware solution and clean your computer of the kes$ Ransomware.
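The renamed-file pattern and the ransom note name described above are enough to scope how much of a disk or share was affected before restoring from backup. The following triage script is an added example, not part of the original article; the function names and report layout are assumptions, and only the '.kes$' suffix and the note file name come from the text.

```python
import os
import sys
import unicodedata
from collections import Counter
from pathlib import Path

# Indicators taken from the article text.
ENCRYPTED_SUFFIX = ".kes$"
NOTE_NAME = "Инструкция по расшифровке.TXT"


def _norm(name):
    # Compare case-insensitively and independent of Unicode composition,
    # since file systems differ in how they store Cyrillic names.
    return unicodedata.normalize("NFC", name).casefold()


def triage(root):
    """Walk `root` read-only and report files matching the indicators."""
    suffix, note = _norm(ENCRYPTED_SUFFIX), _norm(NOTE_NAME)
    encrypted, notes, per_dir = [], [], Counter()
    # Unreadable directories are skipped instead of aborting the walk.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            n = _norm(name)
            full = Path(dirpath) / name
            if n == note:
                notes.append(full)
            elif n.endswith(suffix) and len(n) > len(suffix):
                # The original name is what precedes the appended suffix;
                # it tells you which backup entry to restore.
                encrypted.append((full, name[: -len(ENCRYPTED_SUFFIX)]))
                per_dir[dirpath] += 1
    return {"encrypted": encrypted, "notes": notes, "per_dir": per_dir}


if __name__ == "__main__":
    report = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"ransom notes found: {len(report['notes'])}")
    print(f"files with {ENCRYPTED_SUFFIX} suffix: {len(report['encrypted'])}")
    # Directories with the most renamed files first.
    for directory, count in report["per_dir"].most_common(10):
        print(f"{count:6d}  {directory}")
```

The script only reads directory listings and never opens or modifies the files, so it can be run against a mounted forensic image or a quarantined share.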