Remove Karmen Ransomware And Decrypt .grt Files

Karmen is a newly appeared ransomware which encrypts your files using strong algorithms and changes their extensions to .grt. This virus is a ransomware as a service (RaaS) and can be duplicated and distributed by anybody. The developers share profits with their affiliates with a hope to spread it faster and infect more computers.

While this virus is still quite new it seems that it is evolving fast and is aiming to become one of the top threats during this year. For example, it has a website where it provides information about regular updates and bug fixes to its distributors.

Currently the virus displays only a short ransom note named “Karmen Decrypter” demanding to send BitCoin payment to a dedicated address in order to recover files. However, it might receive a more user-friendly look soon as the design has already been updated several times.

The criminals promise to provide you with a decryption key as soon as you make the payment. However, they might not necessarily fulfill this. Since this ransomware is still under development there is a high risk of losing your files even if you pay the ransom and there are no contacts provided to reach the creators for support. Therefore, we strongly discourage you from paying and financing the Karmen ransomware developers. Instead, you should follow our removal instructions and eliminate this threat yourself.

We have an automatic removal and protection tool which will also protect your computer from viruses in the future. We also have a manual removal guide for more experienced users. Finally, we have prepared file recovery instructions at the bottom of this article which should be used only after you completely remove the threat.


Recommended Method: Download Karmen Ransomware Removal Tool

Version:   All Updated:   2 days ago Compatible OS:   All
This is the most suitable program for automatically removing the threat and repairing your PC.
Works with: Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP. Read instructions here
File name Size
mb3-setup.exe 56.5 MB

Click here to download alternative tool

What is Karmen ransomware?

This ransomware is still under development but has a;ready managed to infect some victims. It seems to be created by Russian cyber criminals who also specialize in various other hacking activities. Karmen has its own “affiliate” page on TOR network where everybody can create their own copy, infect computers and share profits with the developers.

Since anybody can start distributing this virus there are many methods how it can spread and infect computers. One of the most popular methods is email spam with suspicious attachments named “invoice”, “important document”, “requested photo” and similar. However, other channels like exploit kits and infected websites might be employed to distribute this ransomware as well. Therefore, it is hard to pinpoint one specific method used to spread Karmen.

Just like many other such malware, this virus targets personal files and encrypts them using strong AES algorithm. The files receive .grt extension (e.g. “sample.docx” becomes “sample.docx.grt“). Karmen distributors then ask for a BitCoin payment in order to make the files openable again.

The ransom amount, ransom note content and other settings can be modified by the affiliates so it can vary. However, current ransomware samples show a short note called “Karmen Decrypter” and kas two language buttons: DEU and ENG.

Here is the content of ransom note:

Files encrypted
All files are encrypted! Please follow the mind. 
In order to get the key to decrypt send this amount to our wallet Bitcoin.
Decrypt files automatically.
Interference with the program - can leave you without files.

Currently the provided instructions are very unclear for a regular user and it might be impossible to contact the creators after the payment. Therefore, there is no guarantee that you will receive the decryption software and key even if you decide to pay the ransom. Also, the criminals might leave a backdoor and you might be targeted again later.

We recommend removing the threat by yourself. We provide an automatic tool at the beginning of this page. The tool will not only remove the virus but will also secure your computer from possible future infections. We also have a manual removal tool, however, it only removes the source of the threat and does not guarantee security afterwards. Finally, we have a .grt file recovery guide which should help you get back the ransomed files.

Here are some screenshots of Karmen ransomware and its affiliates page:

   


 Manual Removal Instructions:

NB: Bookmark this page in order to access it after you restart your computer while working on the removal process! You can also print it out or open on another device.

Manual removal does not guarantee complete elimination of the threat and does not offer protection. We strongly recommend simply using the automatic tool instead of removing the virus yourself.

Step 1:

Restart your Windows in Safe Mode.

When your computer is infected by a virus some of its features may be locked or compromised. You need to bypass this by rebooting your computer using Safe Mode. This will allow you to remove the virus.

Since Safe Mode only has the most basic features do not be scared that your Windows look completely different!

Click here to show how to reboot Windows 98, XP, Vista or Windows 7 in Safe Mode

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard until you get the following screen:
  3. Use arrow keys to highlight Safe Mode With Networking and press Enter.
  4. Wait for the Windows to launch.

 

Click here to show how to reboot Windows 8, 8.1 or Windows 10 in Safe Mode

F8 method (1/4):

Restarting and constantly hitting F8 might not work for this version of Windows since the booting is much faster and does not always react to the key presses. Try this method first and then proceed to other methods if this does not help.

  1. Restart your computer (if it is locked you can do this by physically pressing the power button on your computer).
  2. As soon as the PC starts booting begin constantly clicking F8 key on the keyboard.
    If it does not work try repeating the same procedure but this time holding Shift key and clicking F8.
  3. Follow instructions from Step 5 below:

Shift+Restart method (2/4):

  1. Click the Power icon at the login screen or in the settings charm.
  2. Hold Shift key on your keyboard and click Restart with your mouse while holding:
  3. Click Troubleshoot:

  4. Click Advanced options:
  5. Click Startup Settings:
  6. Click Restart:
  7. Now press F5 key on your keyboard to enable Safe Mode With Networking:

System configuration method (3/4):

  1. Press and hold Windows () key and click R key.
  2. Enter msconfig.exe and click OK:
  3. When System Configuration opens go to the Boot tab:
  4. Check the box “Safe Boot” in Boot options and click OK.
  5. When prompted, click Restart.
  6. Windows will now start in Safe Mode.

System Recovery method (4/4):

If everything above fails you can try inserting System Recovery CD or DVD (works only with Windows 8) or System Recovery USB Memory Stick (works with Windows 8 and 8.1). You will be able to choose Troubleshoot option. The steps are then identical as in Shift + Restart method starting from #3.

Step 2:

Find any processes that might be associated with the Karmen virus and terminate them. They are usually randomly named .exe files (e.g. 48btrbe6.exe).

Press CTRL + SHIFT + ESC at the same time to launch Windows Task Manager. You can also launch it by right-clicking on Windows toolbar/startbar and clicking Start Task Manager.

Go to Processes tab.

All currently running processes will be listed.

 

Right-click on each of the suspicious processes you find in the list and choose Open File Location.

Go to virustotal.com and upload the opened file for a scan.

If the scan shows that the file is dangerous, right-click on the process and choose End Process, then delete that file in the location you have just opened.

Repeat this until you have checked all processes.

You might not find any malicious process since the virus usually exits after completing the encryption process.

Step 3:

Remove suspicious programs from your startup config so they would not launch as soon as you boot your computer.

Hold Windows () key and click R key.

Enter the following in the field:

msconfig.exe

Click OK.

Go to the Startup tab and uncheck all suspicious entries.

The infected or fake startup items usually have “Unknown” listed as Manufacturer. However, sometimes they might pretend to be legitimate programs.

Check process location by hovering your mouse over the “Command” column. Navigate to the location and scan the file using virustotal.com if it looks suspicious but you are not sure.

Click OK when you are finished unselecting all potentially dangerous processes.

Step 4:

Clean up Windows temporary files as there are usually several Karmen ransomware files placed here.

You can safely remove all temporary files without posing any risk to your computer.

Hold Windows () key and click R key.

Enter the following in the field:

%Temp%

Click OK.

All temporary files will be listed in the directory.

Select all temporary files by simultaneously pressing CTRL + A and delete them permanently by pressing SHIFT + DELETE.

Step 5:

Check for any recent changes in all the other important system files.

Karmen usually makes changes to important system folders in order to stay undetected.

Hold Windows () key and click R key.

Enter the following in the field:

%AppData%

Click OK.

Do not delete anything here! Search for any recent changes (by “Date Modified”) in the files first. Only if you see that a file has just been changed scan it with virustotal.com. Remove only files marked as dangerous. Otherwise you might remove critical system files and Windows might stop working.

The virus tends to copy its files to this directory so you might find randomly named .exe, .dll, .bat or other recently placed files.

Repeat this step with the following three directories while being very careful:

%LocalAppData%
%ProgramData%
%WinDir%

Remember that these directories contain many important system files! Be very careful!

Step 6:

Clean up your registry entries.

Hold Windows () key and click R key.

Enter the following in the field:

regedit.exe

Click OK.

All Windows registry entries will open.

Most of them are critical for correct system operation and deleting important entries might result in Windows failing to load. Make sure you are very careful while deleting and editing the entries!

Search for Karmen virus entries by pressing keyboard buttons CTRL + F and entering the copied value in the search field. Click Find Next and enter the following:

karmen

Repeat search and delete all registry entries associated with the virus.

Then repeat the search with the following text:

decrypter

Step 7:

Use Windows File Search (you can access it from Windows Start Menu by simply pressing Windows () button) or Windows Explorer in order to find the following file and delete it. The file can be placed in several directories.

joise.exe

 Decrypting The Files:

Start recovering your files only if you have finished all removal steps! Otherwise you might cause more damage and make it harder to recover them in the future!

We recommend making a backup of the encrypted files on a separate external media in case you are not able to recover the files using our methods.

Check for Karmen ransomware file decrypter here: List of currently available decrypters. Currently there is no information that a decrypter has been developed by virus researchers but it might appear in the future so check the list before continuing. You can also try using HiddenTear decrypter and see if it works in your case.

We have a list of extensive file recovery methods available here. The instructions below are just a short version of the simplest methods.

Step 1:

Start by enabling recovery since the virus might have turned it off.

Hold Windows () key and click R key while holding to open “Run” window.

Enter the following in the field:

cmd

Click OK.

A comand prompt will open.

Copy the following:

bcdedit.exe /set {default} recoveryenabled yes

Right-click on the command prompt (black window) and select Paste.

Press Enter

Step 2:

Restore the old system settings using System Restore. The virus has changed them so you need to revert to the old ones first.

Sometimes the virus is able to remove your system restore points so this step might be unsuccessful.

Press and hold Windows () key and click R key.

Enter the following in the field:

rstrui.exe

Click OK.

A System Restore wizard will open.

Click Next.

Check Show more restore points.

If you see any restore points, restore the system. Make sure you select a point that has been created before the attack happened.

If there are no restore points you will see “No restore points have been created…” error.

Step 3:

Restore earlier file versions.

Download Shadow Explorer.

When you run the program you will see the list of all shadow copies created.

Select the drive and date that you want to restore from.

Right-click on a folder name and select Export. The folder will be restored.

Read more here about how to restore files from shadow copies.

The can try to delete shadow copies so this step this might be unsuccessful as well. In such case, proceed to Step 4.

Step 4:

Read more on how to restore files (including backups) on our file recovery guide. This guide includes instructions how to restore the files from a backup or shadow copies as well as how to use a professional file recovery program (which has a very high success rate) if everything else fails.

Alternatively you could make a backup with all encrypted files, store it externally and wait for a Karmen decrypter to be created. New free decrypters for various ransomware appear every week but we cannot estimate the waiting time and if it is going to be created at all.

After removing the virus

When you have finished removing the Karmen ransomware you should protect your computer by installing a good antivirus suite. This will prevent any further infections and fix the current vulnerabilities that have been used by the ransomware to infiltrate your system.


Share your experience with us by leaving a comment!

Leave a comment to tell us about your experience removing this threat!
We can also help you if you run into any problems during the process, just don't hesitate to ask!

Leave a Reply

Your email address will not be published. Required fields are marked *