What is Proton Ransomware
Proton is a ransomware infection. The purpose of this virus is to run encryption of potentially critical pieces of data and then demand money for its complete decryption. While doing so, Proton also changes the files visually – an affected file with acquire firstname.lastname@example.org email address, victim’s ID, and .kigatsu extension to encrypted files. For instance, a file like
1.pdf will turn to look something like
1.jpg.[email@example.com][719149DF].kigatsu. Following this change, victims will no longer be able to access their files, no matter what modifications are made. After this, the virus drops the README.txt text note, which contains decryption instructions.
~~~ Proton ~~~
>>> What happened?
We encrypted and stolen all of your files.
We use AES and ECC algorithms.
Nobody can recover your files without our decryption service.
>>> How to recover?
We are not a politically motivated group and we want nothing more than money.
If you pay, we will provide you with decryption software and destroy the stolen data.
>>> What guarantees?
You can send us an unimportant file less than 1 MG, We decrypt it as guarantee.
If we do not send you the decryption software or delete stolen data, no one will pay us in future so we will keep our promise.
>>> How to contact us?
Our Telegram ID: @ransom70
Our email address: Kigatsu@tutanota.com
In case of no answer within 24 hours, contact to this email: Kigatsu@mailo.com
Write your personal ID in the subject of the email.
>>>>> Your personal ID: - <<<<>> Warnings!
- Do not go to recovery companies, they are just middlemen who will make money off you and cheat you.
They secretly negotiate with us, buy decryption software and will sell it to you many times more expensive or they will simply scam you.
- Do not hesitate for a long time. The faster you pay, the lower the price.
- Do not delete or modify encrypted files, it will lead to problems with decryption of files.
It is said victim’s data has been encrypted (using AES and ECC algorithms) and stolen by cybercriminals. The word “stolen” likely suggests that the encrypted data has been copied to cybercriminals’ servers and can be abused anytime unless the ransom is paid. Threat actors encourage their victims to reach out to them via Telegram or e-mail and purchase the decryption service. In addition, victims are also allowed to send one file (less than 1MB) and get it decrypted for free. This way, cybercriminals demonstrate their trustworthiness as well as their capability of returning access to the blocked data. At the end of the ransom message, extortionists state a couple of warnings regarding risks of attempting to decrypt files without the help of ransomware developers.
Sadly, it is necessary to admit that cybercriminals are usually the only source of getting full and flawless decryption. In rare cases, it is sometimes possible to run independent decryption using third-party tools or Windows shadow copies, however, this happens only in seldom instances when ransomware is underdeveloped or for whatever reason failed to actually encrypt the data during its operation. At the time of writing this article, none of these third-party means have been reported to work for the victims of Proton Ransomware. Thus, the only ways to recover your data are either by collaborating with ransomware developers or retrieving data from existing backup copies. Backups are copies of data stored on external devices such as USB drives, external hard drives, or SSDs.
It is always safer to use backups copies instead of paying the attackers. Paying cybercriminals always involves a certain risk and does not always guarantee that promised keys/tools will be obtained. Therefore, make sure to create regular backups so that your data can be recovered in case of unexpected loss or ransomware infection. If you are going to recover your data without the involvement of cyber intruders, it is important to first delete the ransomware virus from your system so that it does not touch other pieces of data. Even if you choose to collaborate with them to decrypt your files, deletion is also necessary afterwards. Use our guide to remove Proton Ransomware and safeguard your system against such threats in the future.
How Proton Ransomware infected your computer
Phishing e-mail letters, unprotected RDP configuration, infected software installers (pirated or cracked), exploit kits, trojans, fake updates/license cracking tools, unreliable ads, backdoors, and keyloggers are the usually the most common gateways for ransomware and other malware infections. As a rule, the way such channels succeed is by tricking inexperienced/naive users into downloading and opening some malicious file or link. For example, fraudulent e-mails can disguise harmful attachments as legitimate and genuine files, such as .DOCX, .XLSX, .PDF, .EXE, .ZIP, .RAR, or .JS. Thanks to being masked under trustworthy organizations (e.g., delivery companies, tax authorities, banks, and so forth), they manage to win users’ trust and trick them into doing what they are meant for.
Be attentive and careful whenever it comes to your online activity. Avoid using shady download resources, torrent-sharing websites, dubious ads, potentially malicious attachments/links, and other types of content that may seem suspicious or compromised. Download software only from official and trusted resources. Also, feel free to check out our guide below for more practical ways and advice on how to protect your system from ransomware and other types of malware in the future.
- Download Proton Ransomware Removal Tool
- Get decryption tool for .kigatsu files
- Recover encrypted files with Stellar Data Recovery Professional
- Restore encrypted files with Windows Previous Versions
- Restore files with Shadow Explorer
- How to protect from threats like Proton Ransomware
Download Removal Tool
To remove Proton Ransomware completely, we recommend you to use SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders, and registry keys of Proton Ransomware. The trial version of SpyHunter 5 offers virus scan and 1-time removal for FREE.
Alternative Removal Tool
To remove Proton Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders, and registry keys of Proton Ransomware and prevents future infections by similar viruses.
Proton Ransomware files:
Proton Ransomware registry keys:
How to decrypt and restore .kigatsu files
Use automated decryptors
Download Kaspersky RakhniDecryptor
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .kigatsu files. Download it here:
There is no purpose to pay the ransom because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
Dr.Web Rescue Pack
Famous antivirus vendor Dr. Web provides free decryption service for the owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help in the decryption of .kigatsu files by uploading samples to Dr. Web Ransomware Decryption Service. Analyzing files will be performed free of charge and if files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.
If you are infected with Proton Ransomware and removed from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Data Recovery Professional to restore .kigatsu files
- Download Stellar Data Recovery Professional.
- Click Recover Data button.
- Select type of files you want to restore and click Next button.
- Choose location where you would like to restore files from and click Scan button.
- Preview found files, choose ones you will restore and click Recover.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses, like Proton Ransomware , in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives, or remote network storage can be instantly infected by the virus once plugged in or connected to. Proton Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.