Beware! Kitu Ransomware Will Encrypt Your Data

During our analysis of malware samples, we encountered a new strain of ransomware called Kitu. This malicious software encrypts the victim's files to lock them out of their own data and appends the ".kitu" extension to each original filename. The ransomware operators also leave a clear message for their victims in a ransom note named "_readme.txt".

Kitu ransomware belongs to the infamous Djvu ransomware family, whose campaigns have been linked to notorious information stealers such as RedLine and Vidar. To illustrate how Kitu renames files, it alters "1.jpg" into "1.jpg.kitu", "2.png" into "2.png.kitu", and so on.

Upon examining the contents of the ransom note, it becomes evident that its primary purpose is to tell victims how to contact the attackers and pay for the tools needed to regain access to the encrypted files. The "_readme.txt" file includes two email addresses, support@freshmail.top and datarestorehelp@airmail.cc, along with two ransom amounts: $980 and $490.

Furthermore, the ransom note emphasizes that victims have a limited window of 72 hours to contact the attackers if they wish to receive decryption tools (software and key) at a discounted rate. As an additional enticement, the note mentions that victims can choose one file to be decrypted free of charge before deciding whether to proceed with the ransom payment.
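The two indicators the article gives, the ".kitu" suffix on renamed files and the "_readme.txt" note with its contact addresses and prices, are what an incident responder uses first to confirm the strain and scope the damage. The following triage script is an added example written for this page, not code from the article or from any tool it mentions: it walks a directory tree read-only, lists every ".kitu" file together with the original name recovered by stripping the suffix, finds every "_readme.txt" note, and extracts the e-mail addresses and dollar amounts from each note. The function names, the sample directory layout and the shortened note text are constructed for the example; the addresses and amounts in the sample note are the ones the article quotes.

```python
"""Added triage example (not from the original article): inventory a directory
tree for files carrying the ".kitu" extension and for Djvu-style "_readme.txt"
ransom notes, and pull the contact addresses and prices out of each note.
Function and file names below are assumptions made for this example."""
import os
import re
import tempfile
from dataclasses import dataclass, field

KITU_SUFFIX = ".kitu"          # extension the article says Kitu appends
NOTE_NAME = "_readme.txt"      # ransom note file name from the article
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PRICE_RE = re.compile(r"\$(\d+)")

# Constructed, shortened ransom-note text for the example, using only the
# addresses and amounts quoted in the article.
SAMPLE_NOTE = """ATTENTION!
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
To get this software you need write on our e-mail:
support@freshmail.top
Reserve e-mail address to contact us:
datarestorehelp@airmail.cc
"""


@dataclass
class TriageReport:
    encrypted: list = field(default_factory=list)   # (encrypted path, original name)
    notes: list = field(default_factory=list)       # paths of _readme.txt files
    emails: set = field(default_factory=set)        # contact addresses seen in notes
    prices: set = field(default_factory=set)        # dollar amounts seen in notes


def parse_note(text):
    """Return (set of e-mail addresses, set of integer dollar amounts) in a note."""
    return set(EMAIL_RE.findall(text)), {int(p) for p in PRICE_RE.findall(text)}


def triage(root):
    """Read-only walk: nothing is moved, renamed or deleted."""
    report = TriageReport()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.endswith(KITU_SUFFIX):
                # Original name is the filename with the appended suffix removed.
                report.encrypted.append((path, name[:-len(KITU_SUFFIX)]))
            elif name == NOTE_NAME:
                report.notes.append(path)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    emails, prices = parse_note(fh.read())
                report.emails |= emails
                report.prices |= prices
    return report


def build_sample_tree():
    """Construct a throwaway directory that mimics an infected user profile."""
    root = tempfile.mkdtemp(prefix="kitu-triage-")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # Two "encrypted" files (placeholder bytes) and one untouched file.
    for name in ("1.jpg.kitu", "2.png.kitu", "notes.txt"):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    # Djvu-family notes are typically dropped in more than one folder.
    for folder in (root, docs):
        with open(os.path.join(folder, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_NOTE)
    return root


if __name__ == "__main__":
    r = triage(build_sample_tree())
    print(f"{len(r.encrypted)} encrypted files, {len(r.notes)} ransom notes")
    for enc_path, original in r.encrypted:
        print(f"  {enc_path}  (was {original})")
    print("contacts:", sorted(r.emails), "prices:", sorted(r.prices))
```

The walk deliberately only reads: the encrypted files and the notes are evidence, and the note's personal ID line (omitted from the constructed sample) is what a responder later uses with public decryption resources, so nothing should be altered before it is preserved. Matching on both the suffix and the note name, rather than either alone, avoids flagging an unrelated file that merely happens to end in ".kitu".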

Kitu’s Ransom Note Asks for $980 After Three Days

The full text of the Kitu ransom note reads as follows:

ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-lOjoPPuBzw
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:
support@freshmail.top

Reserve e-mail address to contact us:
datarestorehelp@airmail.cc

Your personal ID:

How Can Ransomware Like Kitu Get in Your System?

Ransomware like Kitu can infiltrate a system through various routes, exploiting software vulnerabilities and taking advantage of human error. Here are the most common ways ransomware gets in:

  • Phishing Emails: One of the most prevalent methods is through phishing emails. Attackers send emails that appear legitimate, often mimicking well-known companies or individuals, enticing recipients to click on malicious links or download infected attachments. Once clicked or downloaded, the ransomware gains access to the system.
  • Malicious Websites: Visiting compromised or malicious websites can lead to drive-by downloads, where ransomware is automatically downloaded and installed on your system without your knowledge or consent.
  • Software Vulnerabilities: Ransomware can exploit vulnerabilities in software or operating systems. If your software is not up-to-date with the latest security patches, it becomes easier for attackers to gain entry.
  • Infected Software Installers: Illegitimate or cracked software installers downloaded from unofficial sources can contain ransomware payloads, which get executed during the installation process.
  • Removable Media: Ransomware can spread through infected USB drives or external hard disks. When you connect such media to your system, the ransomware may transfer itself.
  • Malvertising: Online advertisements can be used to distribute ransomware. Clicking on malicious ads can trigger the download and execution of the ransomware.
  • Remote Desktop Services: If Remote Desktop Protocol (RDP) is left unprotected or poorly configured, attackers can use brute-force attacks or other methods to gain access and deploy ransomware on the system.
  • Exploit Kits: These are toolkits that cybercriminals use to take advantage of known vulnerabilities in software and browsers, delivering ransomware to systems that have not been patched.

What is & How To Remove KITU Ransomware and Restore Your Encrypted Files

July 24, 2023
