Security researchers have identified another variant belonging to the Babyk Ransomware family. The threat is tracked as the Kings Ransomware and is used in double-extortion schemes. The attackers aim to lock their victims' data and make it inaccessible. Numerous file types can be affected, leaving users effectively locked out of all of their important files.
As part of its intrusive actions, the threat also appends '.kings' to the original names of all encrypted files. Afterward, a text file named 'RestoreFiles.txt' is created on the compromised system. The file contains a ransom note with instructions for the victims.
Ransom Note's Details
The ransom-demanding message states that, besides encrypting the user's data, the cybercriminals have also collected important documents and files that are now stored on remote servers. If the victim refuses to meet the attackers' demands and does not pay the ransom, the acquired data will supposedly be released to the public. Victims are given two days to establish contact with the hackers and discuss the terms of the payment. For this purpose, the note provides two email addresses - 'email@example.com' and 'firstname.lastname@example.org'.
The full text of the ransom note is:
'Your system has been compromised by our team.We have blocked your files and also uploaded useful data from your computers(doc, docx, pdf, xls and other office extensions) to our servers.
You have 2 days to contact us to discuss the terms of payment for our services to restore your files.If you do not contact us or refuse to pay, we will place your stolen files in the public domain.
Do not change the file namesand extensions.Do not try to decrypt the files yourself, they are encrypted using a good encryption algorithm.
Backup mail(if we don't reply 24 hours):
At the first contact, you can write to both emails for reliability.'
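
The two artifacts described above, the '.kings' extension and the 'RestoreFiles.txt' note, are enough for a quick triage sweep of a file share. The following is an added example, not code from the researchers or from this page; the function names and the sample tree are constructed, and it assumes the note is stored as plain UTF-8 text.

```python
import os
import tempfile

ENC_EXT = ".kings"              # appended extension reported on this page
NOTE_NAME = "restorefiles.txt"  # note file name from this page, lowercased
# Phrases from the quoted note, so a same-named benign file is not flagged.
NOTE_MARKERS = ("compromised by our team", "stolen files in the public domain")


def is_ransom_note(path, max_bytes=8192):
    """True if the file holds a phrase from the quoted note (assumes UTF-8)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read(max_bytes).lower()
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)


def triage(root):
    """Map each affected directory to its original file names and note flag."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        originals = sorted(f[:-len(ENC_EXT)] for f in files
                           if f.lower().endswith(ENC_EXT))
        note = any(f.lower() == NOTE_NAME and
                   is_ransom_note(os.path.join(dirpath, f)) for f in files)
        if originals or note:
            hits[os.path.relpath(dirpath, root)] = {"originals": originals, "note": note}
    return hits


def demo():
    """Run triage over a constructed sample tree (no real malware involved)."""
    with tempfile.TemporaryDirectory() as root:
        sample = {  # constructed sample files: relative path -> content
            "finance/q3.xlsx.kings": "\x00\x01",
            "finance/RestoreFiles.txt": "Your system has been compromised by our team.",
            "tools/RestoreFiles.txt": "How to restore files from the nightly backup.",
        }
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return triage(root)


if __name__ == "__main__":
    print(demo())
```

The per-directory list of original names gives a scope estimate for restoring from backup; the benign 'RestoreFiles.txt' in the sample is ignored because its content matches none of the note phrases.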