Remove .NumberDot (“System May Have Found”) Ransomware Virus

This ransomware has several names. It may be called AngryKite due to the file it uses to begin the attack (angryKite_v3.exe.bin). It can also be called .NumberDot since it appends such extension to all encrypted files. Finally, you can refer to it as “SYSTEM MAY HAVE FOUND anonymous encryption on your computer” as this is the fake warning that the virus displays once it activates.

Just like other ransomware types, AngryKite encrypts your files and makes them unopenable. It then asks for a payment in order to decrypt your data. However, instead of directly asking for a BitCoin payment it provides a phone number (1-855-545-6800) and instructs you to call a fake support line.

We strongly discourage you from contacting the criminals or paying the ransom. You will be asked to pay a ransom but there is no guarantee that you will receive decryption key afterwards. Also, the virus creators might still have control of your computer even if you recover the files. You should remove the threat yourself to make sure that no vulnerabilities are left on the system.

We recommend using the automatic removal tool provided below. It will scan and detect this and other viruses and remove eliminate them from the system. It will also protect you from threats in the future by acting as an antivirus.

We have also included a file recovery guide. However, you should follow it only after you have successfully removed the virus.


Recommended Method: Download Ransomware Removal Tool

No widget block selected.

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is AngryKite (.NumberDot) ransomware virus?

This virus is based on another ransomware called KRider. Just like the original, it infiltrates your system, encrypts personal files and makes them unopenable. It then asks for a payment if you want to restore the access. However, the main difference is that it instructs you to call a “toll free” number instead of immediately demanding for a BitCoin payment.

Once the files are encrypted their names are changed to random character strings and their extensions are changed to .NumberDot (e.g. sample.docx becomes F1w5%v5B-$.NumberDot). Once all files are encrypted a warning window appears stating that “SYSTEM MAY HAVE FOUND anonymous encryption on your computer” and showing a “support” phone number. The virus pretends to have detected a threat while in reality it encrypts your files itself.

Full warning text:

WARNING: SYSTEM MAY HAVE FOUND anonymous encryption on your computer. 
You would not be able to access the files on your computer. 
Your System May have Found (2) Malicious Viruses Rootkit.Encrypt & Trojan.Spyware 
Your Personal & Financial information MAY NOT BE SAFE 
Your system has encryption ransomware which may permanently encrypt your data 
Please call immediately to avoid further damage Toll free 
1-855-545-6800

This warning is fake and is created by the ransomware developers. You should never call the provided number as the scammers will try to extort money and might cause even more damage. The provided numbers might also have increased calling rates and cost you even more.

Currently there is not much information on how this particular virus spreads and infects computers. It is known to use angryKite_v3.exe.bin file and most likely reaches unsuspecting users through spam emails. The ransomware might come disguised as an important attachment and launch the infection as soon as you try to open it. Other possible distribution methods are exploit kits and bundling with software and downloads from P2P networks.

At the moment we are unable to provide you with a free decryption tool but the virus seems to be simpler than most other ransomware and there are high chances of such tool appearing soon. While virus researchers are trying to find a solution you can try alternative file recovery methods listed at the bottom of this page. However, make sure you proceed to file recovery only after you have successfully eliminated the virus.

Use our automatic tool provided above in order to completely remove the threat. It will also scan for any other malware and protect your computer in the future by acting as a complete antivirus solution. You can also follow our manual removal guide. However, choosing this option it requires Windows system knowledge and you will still need to secure your computer afterwards.

Screenshots of AngryKite (.NumberDot) ransomware virus:

  


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Editing important Windows files and settings can be risky. We recommend using the automatic removal tool for an easier removal process and in order to avoid any damage to your Windows operating system.

Do not skip any steps as otherwise the threat might come back again and cause more damage.

Step 1:

Find any processes that might be associated with the ransomware virus and terminate them.

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Start by looking for these processes:

angryKite_v3.exe
KRider.exe

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all suspicious processes.

Step 2:

Check your hosts file for any suspicious IPs.

Press and hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

notepad %windir%/system32/Drivers/etc/hosts

Click OK.

Your hosts.ini file will open in Notepad. Delete any IPs that are not marked with an “#” in front of them except the “127.0.0.1 localhost” entry. Here is an example:

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up Windows temporary files as there are usually several AngryKite ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important system files.

AngryKite usually makes changes to important system files in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

 

Navigate to the following directory:

Roaming

Then find the following directory and Delete it:

QKYS

Step 6:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Use the folder tree on the left to navigate to the following directory:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\adr

If you find any registry entries that could be associated with AngryKite, delete them by right-clicking on it and choosing Delete.

Then search for other ransomware entries by pressing CTRL + F and entering the following:

angrykite

Click Find Next.

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following queries:

numberdot
1-855-545-6800
krider
statlevel.exe

Step 7:

Use Windows File Search (you can access it from Windows Start Menu by simply pressing Windows () button) in order to find the following files and, if found, delete them (some of them might have been already deleted during the earlier steps):

angryKite_v3.exe
KRider.exe
StatLevel.exe

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for AngryKite (.NumberDot) ransomware file decrypter here: List of currently available decrypters. Currently it is not decryptable but such software might be added in the future so check the list before continuing.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The virus also tries to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all .NumberDot encrypted files, store it externally and wait for a AngryKite decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the AngryKite / NumberDot ransomware you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *