KillSwitch Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 34
First Seen: June 2, 2017
Last Seen: April 25, 2021
OS(es) Affected: Windows

The KillSwitch Ransomware is an encryption ransomware Trojan that uses AES encryption to make the victims' files inaccessible. However, it is clear to malware researchers that the KillSwitch Ransomware is still under development. The KillSwitch Ransomware was first observed on an online anti-virus scanner. Con artists frequently submit threats that are under development to such scanners as a convenient way of testing whether they can bypass anti-malware measures. Monitoring these sources allows PC security researchers to catch threats like the KillSwitch Ransomware before they can become widespread.

This Kill Switch is not Activated Yet

The main reason to believe that the KillSwitch Ransomware is still under development is that it includes neither the capability to decrypt the affected data nor instructions on how to carry out a payment. Rather than carrying out a full ransomware attack (where the victim's files are encrypted, and then a ransom payment is asked for), the KillSwitch Ransomware limits its encryption attack to a single test folder, found at the path C:\Users\%USERPROFILE%\Documents\test\. This means that a KillSwitch Ransomware infection in its current state will not encrypt any of the victim's data. For the people responsible for this attack, changing the path so that it targets the entirety of the victim's drives is a trivial change, meaning that the KillSwitch Ransomware could easily be updated to encrypt the entirety of the victim's files.

After encrypting the victim's files, the KillSwitch Ransomware is designed to add the file extension '.switch' to the end of each file's name. In its current state, the KillSwitch Ransomware will only encrypt a small number of file types, which include the following:

.crt, .csr, .csv, .doc, .key, .odt, .ott, .pdf, .pern, .ppt, .rtf, .stw, .sxw, .txt, .uot, .xls, .xml.

As with the path to the encrypted files, expanding the file types targeted in the KillSwitch Ransomware attack is also a trivial change that would only require a slight alteration to the KillSwitch Ransomware's code.
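The two file-level indicators described above (the appended '.switch' extension and the list of targeted file types) are enough for a quick triage sweep of a host or a file share. The following is an added example, not code from the original article or from the malware: a Python scanner that flags files named <name>.<targeted type>.switch and samples their content for ciphertext-like entropy. The entropy threshold, the sample size and the function names are assumptions; the extension list is copied as printed above.

```python
import math
import os
from collections import Counter

# Indicators from the write-up above (extension list copied as printed there).
MARKER = ".switch"
TARGETED = {".crt", ".csr", ".csv", ".doc", ".key", ".odt", ".ott", ".pdf", ".pern",
            ".ppt", ".rtf", ".stw", ".sxw", ".txt", ".uot", ".xls", ".xml"}
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above this looks like ciphertext
SAMPLE_BYTES = 65536     # assumption: only the head of each file is sampled

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def find_switch_artifacts(root: str) -> list[dict]:
    """Walk root and report files named <name>.<targeted ext>.switch."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, last_ext = os.path.splitext(name)
            if last_ext.lower() != MARKER:
                continue
            inner_ext = os.path.splitext(stem)[1].lower()
            if inner_ext not in TARGETED:
                continue  # e.g. "light.switch": marker without a targeted type
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
            except OSError:
                entropy = None  # unreadable file: still report the name match
            findings.append({
                "path": path,
                "original_name": stem,  # file name before '.switch' was appended
                "entropy": entropy,
                "likely_encrypted": entropy is not None and entropy >= ENTROPY_THRESHOLD,
            })
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    import sys
    for hit in find_switch_artifacts(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Very small files cannot reach the entropy threshold even when encrypted, so treat the name match as the primary signal and the entropy flag as supporting evidence. Because the path and the type list are trivial for the authors to change, a production rule should key on the appended extension rather than on the test folder.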

How the KillSwitch Ransomware Demands a Ransom Payment from Its Victims

The KillSwitch Ransomware ransom notification takes the form of a program window with the name '{} KillSwitch.' This program window delivers a ransom message, informing the victim of the infection (but failing to ask for a ransom payment). The following is the full text of the message contained in the KillSwitch Ransomware ransom note:

'ATTENTION!
Your files has been encrypted by KillSwitch
KillSwitch is a new kind of cryptography malware, unlike the most of other ones utilizing encryption like ransomware...
All of your files are encrypted with AES-256 ciphers. Unlocking of your files is not possible because KillSwitch generates unique one-way encryption keys without keys used to decrypt.
Your only option would be to attempt to break the encryption, but this is very hard since AES256 is a strong cipher algorithm.'

Protecting Your Data from Threats Like the KillSwitch Ransomware

Although the KillSwitch Ransomware is in an unfinished state, it could easily be updated to carry out more effective attacks against various victims. The real danger of threats like the KillSwitch Ransomware is that even after the threat infection has been removed, the victim's files will remain encrypted and inaccessible. Because of this, the best protection against the KillSwitch Ransomware and similar encryption Trojans is the use of a reliable backup method. Backup copies of all files stored in a safe place are the best way to prevent these infections, allowing computer users to recover their files after an attack without having to pay any ransom. Having file backups is such an effective protection against the KillSwitch Ransomware and similar threats that if enough computer users do it, these infections will quickly become obsolete.