Korean Ransomware Removal Guide

These days, you do not have to be a talented programmer to become a cyber criminal. All you need is money, and it is possible to purchase the likes of Korean Ransomware, to infect unsuspecting users worldwide. This malicious infection is intended for the Korean users, but we have seen reports that it spreads just as well in other parts of the world, too. Luckily, the removal process of Korean Ransomware is not that complicated, although that does not mean you should take this infection lightly. It always for the best to leave this to professionals, so acquiring a reliable antispyware tool would be your best choice in this situation.

This program is based on the open source project Hidden Tears. The website for the infection can be accessed via t352fwt225ao5mom.onion, but of course, you cannot download the infection unless you have the purchase code, acquired from the original creators of this application. Actually, there are quite a few ransomware programs based on the same open-source code. For example, PokemonGo Ransomware, Uyari Ransomware, EduCrypt Ransomware, and several other applications are known to be based on it, too. Also, Korean Ransomware uses the same server as Microsoft Decryptor Ransomware and CrypMIC Ransomware. This evidence just proves how wide-reaching the ransomware plague is.

Once this particular program gets installed on your computer, it drops a ReadMe.txt file on your desktop. The content of the file is really laconic: 당신의 파일이 암호화 되었습니다.G2BGZjucG=SCUfL. The Korean part of the message means “Your files have been encrypted,” while the random sequence should be your unique ID. This ID should help the criminals to identify your computer, thus issuing you the decryption key (in the case you were to contact these people about the ransom fee). Needless to say, paying the fee is not an option because there is no guarantee this program would give you the decryption key in the first place.

Another unique thing about this infection is that the ransom note is really short, compared to most of the other ransomware infections we have encountered. Normally, the programs are very thorough in telling users what they should and should not do, but Korean Ransomware spews just three sentences, and the rhetoric style used has major inconsistencies:

당신의 파일이 암호화 되었습니다.
아래 주소로 가서
암호화를 풀기위한 정보 확인할실 수 있습니다.
http://2dasasfwt225dfs5mom.onion.city
위 사이트를 가기위해서는 Tor브라우져가 필요함

The message says that your files have been encrypted, and you must visit the given address to find out more about decryption. Also, it says that you will need the Tor browser to access the site. It also gives you an extremely long identification code you have to enter when you access the website.

Now, this sounds very daunting, but this program is still far from your worst nightmare. Based on the samples we have analyzed, not all versions of this program manage to encrypt files in the first place (ours did not). Thus, if your files are not affected by this infection, you can easily delete the installation file for this program and be done with it.

The installation file usually has the Kakao Talk icon (a Korean instant messing application), and it is the file you had opened right before the infection took over your computer. If you are not sure which files have to be removed, scan your PC with the SpyHunter free scanner and leave this job to computer security specialists.

How to Delete Korean Ransomware

1. Locate the file you have launched right before the infection.
2. Delete the file.
3. Scan your computer with an automated security tool.