Kerkoporta Ransomware Removal Guide

Do you know what Kerkoporta Ransomware is?

Kerkoporta Ransomware is an infection that appears to be targeted at Windows users living in Greece. This is because the ransom note, which is shown in a screen-locking window, is written in Greek. That being said, an English version is offered as well, which indicates that the threat could be spread further. According to the latest information, this malware is not yet complete, and it is yet to be determined whether it is being spread at all. Nonetheless, the current version of this malware that our research team has analyzed suggests that someone is trying to build a file-encrypting and screen-locking threat, and that is a good enough reason to start a conversation about it. In case the threat has been released by the time you are reading this report, we have added instructions that would help you remove Kerkoporta Ransomware. In either case, you should read the report to learn more about this threat.

Are you aware of the distribution methods that the creators of ransomware usually use? These include concealing the launcher as an attachment to a spam email and spreading the threat by exploiting unsafe RDP configurations. In any case, the threat is concealed or is silent, so that users would not recognize danger right away. In fact, most victims realize that Kerkoporta Ransomware has invaded their operating systems only after this threat encrypts files and shows a scary ransom note. When the threat invades, it creates a folder in %APPDATA%\Microsoft\Windows\. This folder is called “Windows Update Protocol,” and this name is likely to fool users and stop them from deleting it right away. In this folder you should find two files, one of which is the copy of the .exe file launching the threat. The second file is called “UpData.bat”, which is a script file that creates a file called “WindowsUpdates.lnk”. This file is created in the Startup directory, and it is started every time the operating system is booted. Needless to say, all of these Kerkoporta Ransomware components must be removed.

When Kerkoporta Ransomware is done encrypting files (it attaches the “.encryptedsadly” extension to all files that are encrypted), it locks the screen to show a message where the ransom is presented. According to this message, Όλα σου τα αρχεία έχουν κρυπτογραφηθεί!, which translates to “All your personal files have been encrypted!” Cyber criminals demand that you buy an Amazon gift card worth 100 USD and then type the code of this gift card into the field shown in the message. It is stated that this is the only way for you to get a decryption key. Even if that is the only option, it does not mean that you will get a decryptor if you fulfill the demands! You should also pay no attention to the threat suggesting that bad things would happen if you tried removing Kerkoporta Ransomware. That being said, if your files were encrypted, it is unlikely that you will get them back. Of course, if backup copies can be found online or on external drives, you should be fine. In any case, you must delete the ransomware ASAP.

As you can see, you might be able to delete Kerkoporta Ransomware manually using instructions that our research team has created. Of course, it is imperative that you know where the original .exe file is. If you do not know, and you fail to remove it, it is unlikely that you will be able to successfully get rid of this devious ransomware yourself. Remember that a legitimate anti-malware program can erase all malicious infections automatically, and so if you fail at manual removal, consider using this program. We suggest installing it because besides cleaning the system it can also protect it against other ransomware threats.

Delete Kerkoporta Ransomware

  1. Delete recently downloaded suspicious files.
  2. Launch Windows Explorer by tapping Win+E keys.
  3. Enter %APPDATA%\Microsoft\Windows into the bar at the top.
  4. Right-click and Delete the folder named Windows Update Protocol.
  5. Check these directories for a file called WindowsUpdates.lnk (if found, Delete ASAP):
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
  6. Empty Recycle Bin.
  7. Install a malware scanner you trust to examine your operating system for leftovers.
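
The checks in steps 3 to 5 can also be run as a read-only PowerShell script. This is an added example, not part of the original guide or any vendor tool; it only reports what it finds at the paths named above and deletes nothing. The function name `Find-KerkoportaArtifacts` is made up for this example.

```powershell
# Added example: read-only check for the Kerkoporta artifacts named in this guide.
# Nothing is deleted; review the output, then follow the manual steps above.

# Folder the guide says the threat creates.
$dropDir = Join-Path $env:APPDATA 'Microsoft\Windows\Windows Update Protocol'

# Startup locations listed in step 5 (some exist only on older Windows versions).
$startupDirs = @(
    "$env:ALLUSERSPROFILE\Start Menu\Programs\Startup",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:USERPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ALLUSERSPROFILE\Application Data\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Find-KerkoportaArtifacts {
    $findings = @()

    if (Test-Path -LiteralPath $dropDir -PathType Container) {
        $findings += [pscustomobject]@{ Type = 'DropFolder'; Path = $dropDir; Detail = 'folder present' }
        # The guide expects a copy of the launcher .exe and UpData.bat here; hash each file for your records.
        foreach ($f in Get-ChildItem -LiteralPath $dropDir -File -Force) {
            $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{ Type = 'DropFolderFile'; Path = $f.FullName; Detail = $hash }
        }
    }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in $startupDirs) {
        $lnk = Join-Path $dir 'WindowsUpdates.lnk'
        if (Test-Path -LiteralPath $lnk -PathType Leaf) {
            # Resolve the shortcut to see which file it launches from the Startup directory.
            $target = $shell.CreateShortcut($lnk).TargetPath
            $findings += [pscustomobject]@{ Type = 'StartupShortcut'; Path = $lnk; Detail = $target }
        }
    }

    # Count files carrying the extension the guide says is appended after encryption.
    $enc = @(Get-ChildItem -LiteralPath $env:USERPROFILE -Recurse -File -Force `
             -Filter '*.encryptedsadly' -ErrorAction SilentlyContinue)
    if ($enc.Count -gt 0) {
        $findings += [pscustomobject]@{ Type = 'EncryptedFiles'; Path = $env:USERPROFILE; Detail = "$($enc.Count) file(s)" }
    }
    return $findings
}

$results = Find-KerkoportaArtifacts
if ($results) { $results | Format-List } else { 'No Kerkoporta artifacts found at the listed paths.' }
```

The resolved shortcut target and the file hashes are worth recording before anything is deleted, since the guide notes that manual removal depends on knowing where the original .exe file is.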

In non-techie terms:

Kerkoporta Ransomware is a serious threat that could start invading operating systems and encrypting personal files. At this moment, this malware is not yet spreading, but that might be only a matter of time. Decrypting files once they are affected by this ransomware can be impossible, which is why it is important that you protect your operating system as best as you can. We suggest using anti-malware software. If threats are already active on your system, they will be erased automatically, and if your system is currently clean, this software will ensure that it stays that way. If you wish to discuss anything else about this malware, start a discussion in the comments section.