KCBU Ransomware. How to decrypt .kcbu files?

Written by William Reddy

If you cannot open your images, documents, or other files and see the .kcbu extension on them, your system is definitely infected with Kcbu ransomware. It pertains to STOP/Djvu ransomware group

Kcbu ransomware encrypts personal files found on the victim’s computer with the extension “.kcbu” and then generates the ransom note in each folder which contains encrypted files. The instructions are put on the victim’s desktop in the “readme.txt” file. Its task is pretty much similar to other samples of the same ransomware family: Kcvp, Tcbu, Tcvp.

What is Kcbu Ransomware?

NameKcbu Virus
Ransomware family1DJVU/STOP2 ransomware
Ransomware note_readme.txt
RansomFrom $490 to $980
Contactsupport@fishmail.top, datarestorehelp@airmail.cc
SymptomsThe images, videos, and other documents have the “.kcbu” extension and cannot be opened by any programs
Fix Tool Trojan Killer – ransomware infections tool. 14-day free trial.

Kcbu is file-encrypting ransomware that prevents regular access to your text files, Excel tables, videos and photos by encrypting them. It marks the ciphered files with the “.kcbu” extension. Then Kcbu ransomware adds a ransom note (readme.txt) to each folder. In this note, you can see the instructions to pay the ransom ($490-$980 in Bitcoin) to a specified Bitcoin wallet. The AES-256 or RSA-1028 cipher it uses to cipher the documents is not decryptable with contemporary computers. Even quantum PCs that currently exist will spend hundreds of years to find the decryption key.

How dangerous is the Kcbu ransomware?

When Kcbu ransomware gets in your system, it will examine your disks for photos, videos, and also important documents. It encrypt] all widespread file formats- .psd, .doc, .docx, .xls, .xlsx, .pdf, .jpeg, .png, et cetera. When these files are located, the ransomware will encrypt them and change their extension to “.kcbu” to make sure that you understand what happened.

After the Kcbu ransomware ciphered the files on your PC, it will drop the last “readme.txt” file on the main screen. In addition to the ransom transactioning instructions, the victims also see the emails to contact the fraudsters – datarestorehelp@airmail.cc and support@fishmail.top.

Here is the money ransom note that the Kcbu ransomware shows to its victims:


Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
Please note that you'll never restore your data without payment.
Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

How did the Kcbu ransomware get on my computer?

The Kcbu ransomware spreads by placing websites to get hacked programs or games. Cybercriminals who distribute this ransomware are pretty foxy, and aim to correspond with contemporary trends. New games releases, new popular films – Kcbu creators make whatever to get their money on that. One of the most favored strategies these burglars apply is one-day websites with torrent downloading links. However, pursuing the modern-day things is not the only way these crooks utilize. Ways that have already turned into classic, such as e-mail spamming, are likewise normal for STOP/Djvu ransomware distribution.

Malicious email spam

The example of email spamming that may lead to Kcbu ransomware injection

Avoiding this ransomware does not require a lot of effort. Following the standard rules of PC hygiene will significantly decrease all risks. Remember that opening all files you get on email is not a good habit. Even worse situation is to enable macros in Microsoft Office documents. However, it is far better to prevent the malware attack at the moment when you have only opened the e-mail message. Examining the sender’s address can point out a lot about what you can anticipate, as well as when you see things like “support@amazon.com”– it is likely a legit e-mail. On the other hand, stuff that tries to resemble Amazon or FedEx shipping alert, but uses the e-mail address of “amazonspurrot1363@gmail.com”– must make you get on the alarm. Above, you can see the example of such a message.

Illegal sources of various digital things need some additional explanation. Violating copyright regulation surely throws you to the danger of being fined. Nevertheless, using torrent trackers or third-party sites to download “free” programs likewise exposes you to various malware. Nobody can oversee unnamed people that start the torrent seeding or release the hacked program version on the site with pirated software.

Kcbu virus removal instructions.

Download Trojan Killer Portable

Trojan Killer Portable Download

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use.

This guide below shows how to use Trojan Killer Portable3 for Kcbu virus detection and removal:

  • STEP 1. Download and install Trojan Killer.

  • STEP 2. Click on "Finish".

  • STEP 3. Wait until necessary updates are downloaded and installed.

  • STEP 4. Select computer scan type.

  • STEP 5. The software will begin scanning your computer.

  • STEP 6. Click on "Cure PC".

Restore the files encrypted by the Kcbu ransomware

In most cases, it’s impossible to recover the files encrypted by the Kcbu ransomware because the private key needed to unlock the encrypted files is only available through cybercriminals. However, we’ve listed one option you can use to recover your files below.

Warning! Make sure you remove the ransomware from your system first, otherwise, it will repeatedly encrypt your files.

If your files were encrypted with an offline key, there is a chance you can recover them by using Emsisoft Decryptor for the STOP/Djvu decryption tool. Follow the below guide to recover your files using the Emsisoft Decryptor for STOP/Djvu.

  1. You can download Emsisoft Decryptor for STOP Djvu by clicking this link.
  2. When the decryptor has finished downloading, double-click on “decrypt_STOPDjvu.exe” to run this program on your computer.
  3. Click the “Decrypt” button to start the decryption process for Kcbu files. The screen will switch to a status view, informing you about your files’ current process and decryption status.
  4. The decryptor will inform you once the decryption process will be finished. If you require the report for your records, you can save it by clicking the “Save log” button.

If the Emsisoft Decryptor can’t decrypt your .kcbu files and you do not plan on paying the ransom, it is advised that you make an image of the encrypted drives so that you can decrypt them in the future.

Your computer should now be free of the Kcbu ransomware infection. However, suppose your current antivirus allowed this malicious program on your computer. In that case, you might want to consider purchasing the full-featured version of Trojan Killer to protect against these types of threats in the future.

Remove KCBU Ransomware Virus (DECRYPT .kcbu FILES)

Name: KCBU Virus

Description: KCBU Virus is a STOP/DJVU family of ransomware-type virus. It encrypts files, video, photos, documents. Encrypted files can be tracked by a specific kcbu extension. KCBU ransomware asks victims for a ransom fee about $490 - $980 in Bitcoin.

Offer price: 480

Currency: $

Operating System: Windows

Application Category: Virus

User Review
3.91 (11 votes)
  1. My files are encrypted by ransomware, what should I do now?
  2. About DJVU (STOP) Ransomware: https://gridinsoft.com/ransomware/djvu
  3. More about Trojan Killer: https://gridinsoft.com/trojankiller

About the author

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several months after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master's degree in cybersecurity, I've started working as a virus analyst in a little anti-malware vendor.

Leave a Comment