December 1, 2018 James Kramer 0

How to remove STOP (Puma) Ransomware and decrypt .puma, .pumax or .pumas files

Standard

Puma Ransomware, that started to hit thousands of computers in November, 2018, is, actually, nothing but another variation of STOP Ransomware. Current version appends .puma, .pumax or .pumas extensions to encrypted files, and that is why it has such nickname. Virus uses the same name for ransom note file: !readme.txt. Developers tried to confuse ransomware identification services and users by adding new extensions, but using the same templates, code and other signs unequivocally indicate belonging to a certain family. As we see from the name of the executable: updatewin.exe, it pretends to be a Windows update. Puma (STOP) Ransomware still uses RSA-1024 encryption algorithm. Current version of Puma Ransomware was developed in Visual Studio 2017.

November 30, 2018 James Kramer 0

How to remove Dharma Ransomware and decrypt .adobe, .like, .risk or .myjob files

Standard

Dharma virus, unlike similar types of ransomware, does not change desktop background, but creates README.txt or Document.txt.[amagnus@india.com].zzzzz files and places them in each folder with compromised files. Text files contain message stating that users have to pay the ransom using Bitcoins and amount is approximately $300-$500 depending on ransomware version. The private decryption key is stored on a remote server, and there currently impossible to break the encryption of the latest version.

November 25, 2018 James Kramer 0

How to remove Everbe 2.0 Ransomware and decrypt .lightning or .neverdies@tutanota.com files

Standard

Everbe 2.0 Ransomware is second generation of wide-spread Everbe Ransomware. It is file-encryption virus, that encrypts user files using combination of AES (or DES) and RSA-2048 encryption algorithms and then extorts certain amount in BitCoins for decryption. The initial virus first appeared in March, 2018 and was very active since that time. Security researchers consider, that Everbe 2.0 Ransomware started its distribution on 4th of July 2018. Everbe 2.0 Ransomware authors demand from $300 to $1500 in BTC (BitCoins) for decryption, but offer to decrypt any 3 files for free. It is worth mentioning, that Everbe 2.0 Ransomware works only on Windows 64-bit versions of OS. Currently, there is no decryption tools available for Everbe 2.0 Ransomware, however, we recommend you to try using instructions and tools below.

November 25, 2018 James Kramer 0

How to remove GandCrab v5.0.4 Ransomware and decrypt .[random-letters] files

Standard

GandCrab V4 Ransomware fourth generation of notorious GandCrab Ransomware. Virus uses complex combination of AES-256 (CBC-mode), RSA-2048 and Salsa20 encryption algorithms. This particular version adds .KRAB extension to encrypted files and creates slightly different ransom note called KRAB-DECRYPT.txt. GandCrab V4 Ransomware demands ransom in BitCoins. Usually, it varies from $200 to $1000. Malware encrypts all types of files except ones in the whitelist and some necessary for Windows operation. All photos, documents, videos, databases get exncrypted after indection. Virus uses WMIC.exe shadowcopy delete command to remove shadow copies and reduce the chances of recovery. Unfortunately, at the moment we write this article, current decryption tools cannot decrypt GandCrab V4 Ransomware, but we will still provide links to this utilities as they can be updated any day.

November 20, 2018 James Kramer 0

How to remove Dharma-Fire Ransomware and decrypt .fire files

Standard

Fire Ransomware one of the types of encryption viruses made from the family ща Crysis-Dharma-Cezar ransomware. Version, that is under review today has certain differences. It adds .fire extension to encrypted files and uses other e-mail addresses for communication. Fire Ransomware, as well as other latest Dharma variations, doesn’t have decryptor, that can automatically decrypt encoded data. However, using instructions below can help you recover some files. Dharma-Fire Ransomware creates suffix, that consists of several parts: prefix “id-“, identification number (alphanumeric and unique for each computer), developer’s e-mail address and .fire extension. The pattern of the filename after encryption looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].fire.

1 2 3 4 5 14

By continuing to use the site, you agree to the use of cookies. more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close