Security researchers uncovered the Killswitch virus, a dangerous malware that encrypts system and user data using a strong cipher. The affected files are renamed using the .switch extension. The victims can restore their computers and files by following our in-depth removal guide.
Skip all steps and download anti-malware tool that will safely scan and clean your PC.
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
How Does KillSwitch File Virus Infiltrate the System?
The Killswitch virus is currently being distributed using different infection strategies.
One of the primary ones is the coordination of email spam messages. The hackers use social engineering tricks by creating emails that pose as being sent by legitimate companies or institutions. There are several different payload delivery strategies: the KillSwitch virus may be delivered as a file attachment, linked in the body contents or bundled in files.
Direct hacker intrusion attempts are another possible source of infection. The criminals use special software that searches for outdated applications on the victim computers. This is why we recommend that everyone applies the latest updates to all installed programs.
Dangerous web browser add-ons, also known as hijackers, are another source of infections. They are made by hackers for the most popular browsers: Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge and Safari. In the majority of cases they are described as having useful functions that may be missing from the core functionality of the browsers themselves. Upon installation they change the default home page, new tabs page and search engine to point to a hacker-controlled site. The privacy of the victims is also endangered as the hijackers harvest all found cookies, sessions, history, bookmarks, passwords, stored account credentials and form data. Most hijackers are also able to download various malware directly to the infected systems, including the KillSwitch virus.
Infection Flow of KillSwitch File Virus
The Killswitch virus is a dangerous ransomware that has recently been discovered in an ongoing attack campaign. During the analysis we were not able to identify a link between it and the main ransomware virus families. This means that it has been developed by an unknown hacker or a hacker collective. The threat is also known under the alias of CryptoKill, but it is not connected to the ransomware bearing the same name.
The captured KillSwitch virus samples were found to be versions still in development. Although the KillSwitch virus is not yet complete, the computer hackers behind it have started to distribute it globally.
At its current stage of development it includes only a built-in encryption engine, which encrypts only the files located in the following folder: %USERPROFILE%\Documents\test\. The cipher used is AES-256, which is very strong and cannot be decrypted by the victims. Depending on the configuration done by the criminals, the malware may process different file types: videos, music, photos, documents, archives, backups, etc.
Some of the captured samples have been found to encrypt the following file type extensions:
.crt, .csr, .CSV, .DOC, .key, .odt, .ott, .pdf, .pern, .PPT, .RTF, .stw, .sxw, .txt, .uot, .XLS, .xml
Once this process is completed the Killswitch virus creates a lockscreen that prohibits ordinary computer interaction. It displays the ransomware note and can only be removed by restoring the computer using a quality anti-malware solution. The following message is displayed to the victims:
ATTENTION!
Your files has been encrypted by KillSwitch
KillSwitch is a new kind of cryptography malware, unlike the most of other ones utilizing encryption like ransomware…
All of your files are encrypted with AES-256 ciphers. Unlocking of your files is not possible because KillSwitch generates unique one-way encryption keys without keys used to decrypt.
Your only option would be to attempt to break the encryption, but this is very hard since AES256 is a strong cipher algorithm.
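To see what was actually affected before removal or recovery, the read-only script below (an added example, not part of the original guide or of any vendor tool) lists files carrying the .switch extension and uses byte entropy to separate ciphertext from files that were merely renamed. The sample size and thresholds are assumptions chosen for illustration.

```python
import math
import os
from collections import Counter
from pathlib import Path

MARKER = ".switch"         # extension this article says encrypted files carry
SAMPLE_BYTES = 64 * 1024   # assumption: sample at most 64 KiB per file
MIN_SAMPLE = 1024          # assumption: below this, entropy is not meaningful
THRESHOLD = 7.5            # assumption: bits/byte at or above this is ciphertext-like

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for plain documents."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def find_switch_files(root):
    """Return one record per file under root whose name ends in .switch."""
    records = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(MARKER):
                continue
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
                with open(path, "rb") as fh:
                    sample = fh.read(SAMPLE_BYTES)
            except OSError as exc:
                # Locked or unreadable files are reported, not silently dropped
                records.append({"path": str(path), "error": str(exc)})
                continue
            entropy = shannon_entropy(sample)
            # None = sample too small to judge; review those files by hand
            verdict = None if len(sample) < MIN_SAMPLE else entropy >= THRESHOLD
            records.append({"path": str(path), "size": size,
                            "entropy": round(entropy, 2), "looks_encrypted": verdict})
    return records

if __name__ == "__main__":
    # Folder the analysed samples encrypt, as named in the article
    target = os.path.expandvars(r"%USERPROFILE%\Documents\test")
    for rec in find_switch_files(target):
        print(rec)
```

The resulting list doubles as the inventory of encrypted files to copy to external media before any recovery attempt.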
Remove KillSwitch File Virus and Restore Data
WARNING! Manual removal of KillSwitch file virus requires being familiar with system files and registries. Removing important data accidentally can lead to permanent system damage. If you don’t feel comfortable with manual instructions, download a powerful anti-malware tool that will scan your system for malware and clean it safely for you.
KillSwitch File Virus – Manual Removal Steps
Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they can be removed efficiently. The steps below are applicable to all Windows versions.
1. Hit the WIN Key + R
2. A Run window will appear. In it, write msconfig and then press Enter
3. A Configuration box will appear. In it, choose the tab named Boot
4. Mark the Safe Boot option and then tick the Network option under it
5. Apply -> OK
Show Hidden Files
Some ransomware threats are designed to hide their malicious files in Windows, so all files stored on the system should be made visible.
1. Open My Computer/This PC
2. Windows 7
– Click on Organize button
– Select Folder and search options
– Select the View tab
– Go under Hidden files and folders and mark Show hidden files and folders option
3. Windows 8/10
– Open View tab
– Mark Hidden items option
4. Click Apply and then OK button
Enter Windows Task Manager and Stop Malicious Processes
1. Hit the following key combination: CTRL+SHIFT+ESC
2. Go to Processes
3. When you find a suspicious process, right click on it and select Open File Location
4. Go back to Task Manager and end the malicious process. Right click on it again and choose End Process
5. Next, go to the folder where the malicious file is located and delete it
Repair Windows Registry
1. Press the WIN Key + R key combination again
2. In the box, write regedit and hit Enter
3. Press CTRL+F and then write the malicious name in the search field to locate the malicious executable
4. If you discover registry keys and values related to the name, delete them, but be careful not to delete legitimate keys
Recover .switch Files
WARNING! All files and objects associated with the KillSwitch file virus should be removed from the infected PC before any data recovery attempts. Otherwise the virus may encrypt restored files. Furthermore, keeping a backup of all encrypted files on external media is highly recommended.
1. Use present backups
2. Use professional data recovery software
Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
3. Using System Restore Point
– Hit WIN Key
– Select “Open System Restore” and follow the steps
4. Restore your personal files using File History
– Hit WIN Key
– Type restore your files in the search box
– Select Restore your files with File History
– Choose a folder or type the name of the file in the search bar
– Hit the “Restore” button