Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Phobos Ransomware and decrypt .phobos, .phoenix, .actin or .banjo files

Phobos Ransomware is a virus that encrypts user files using the AES encryption algorithm and demands ~$3000 for decryption. The ransomware adds .phobos, .mamba, .phoenix, .actin, .actor, .blend, .adage, .acton, .com, .adame, .acute, .karlos or .Frendi extensions to encoded files and makes them inaccessible. To confuse users and researchers, Phobos Ransomware uses file-modification patterns and ransom notes similar to those of the very widespread Dharma Ransomware, especially after a design change in January 2019, when they started to look identical. However, there are certain differences in file markers and appearance. After victims contact the developers via one of the provided e-mails, the developers demand $3000 in Bitcoin for decryption, to be paid within 6 hours. Otherwise, the cost of decryption will increase up to $5000. At the moment, automated decryptors for Phobos Ransomware do not exist. There is no proof that malefactors send decryptors to the victims, which is why we do not recommend paying the ransom. Instead, try using the instructions on this page to recover encrypted files. File-recovery software can restore some files from your hard drive.

How to remove STOP Ransomware and decrypt .nacro, .mtogas, .coharos or .nasoh files

A new wave of STOP Ransomware infections continues with the .nacro, .mtogas, .coharos and .nasoh variations. These extensions were added to encrypted files in the middle of August 2019. This tricky virus uses the AES encryption algorithm to encode the user's important information. As a rule, STOP Ransomware attacks photos, videos and documents - data that people value. The malware developers extort a ransom and promise to provide a decryption key in return. In the ransom note, we can see that the malefactors demand $980 (the amount can be reduced if paid within the first 72 hours). The hackers invite victims to contact them via e-mail: gorentos@bitmessage.ch and gorentos2@firemail.cc. In most cases the algorithms of STOP Ransomware are unbreakable. But the virus code has its flaws. In particular, if the attacked PC lost its internet connection during the ransomware activity, or the hackers' servers experienced some sort of malfunction, there is a high chance of recovering your files. In this case, STOP Ransomware generates an offline key that can be retrieved by a special decryption tool - STOPDecrypter.

How to remove STOP Ransomware and decrypt .londec, .krusop, .masok or .brusaf files

New instances of STOP Ransomware (DJVU Ransomware) continue to damage users' files all over the world. This crypto-virus uses the complex AES encryption algorithm to block users' access to their data and extort a ransom of $490 or $980. The new extension variations that appeared in August 2019 are: .londec, .krusop, .masok or .brusaf. The ransomware adds these suffixes to the end of encrypted files. If your files have such an ending and are not accessible, it means your PC is infected with STOP Ransomware. The malware developers slightly modify the virus technically. As you can see from the message above, the hackers offer to decrypt 1 file for free and provide a "discount" if the user pays within the first 72 hours. However, those are often false promises, and the malefactors do not reply after receiving the payment. Luckily, in some cases your files can be decrypted. This is possible if there was an internet connection loss or a malfunction of the hackers' servers during the encryption process. In this situation, STOP Ransomware uses an offline key that can be calculated by a special tool called STOPDecrypter. Please download it below, and read the instructions on how to use it carefully.

How to remove STOP Ransomware and decrypt .nvetud, .zatrov, .lotej or .kovasoh files

Nvetud Ransomware, Zatrov Ransomware, Lotej Ransomware and Kovasoh Ransomware are devastating encryption viruses from the STOP Ransomware (DJVU Ransomware) series. They get their names from the .nvetud, .zatrov, .lotej or .kovasoh extensions that the ransomware adds to the end of encrypted files. From a technical point of view, the virus remains the same as previous versions. From this note, we can learn that the malefactors offer to decrypt 1 file for free and can provide a "discount" if the user pays fast (within the first 72 hours). Our experience and reports from multiple victims show that those are false promises. The hackers rarely reply after receiving the payment. However, do not despair - there are cases when your files can be decrypted. If there was an internet connection loss or a malfunction of the hackers' servers during the encryption process, STOP Ransomware uses an offline key that can be retrieved by a special tool called STOPDecrypter. Please download it below, and read the instructions on how to use it carefully. If STOPDecrypter is unable to help you, you can try some alternative methods to restore your photos, documents, videos, etc.

How to remove STOP Ransomware and decrypt .cosakos, .prandel, .mogranos or .nelasod files

Nelasod Ransomware, Prandel Ransomware, Cosakos Ransomware and Mogranos Ransomware are subtypes of STOP Ransomware (or DJVU Ransomware) and have all the characteristics of this family of viruses. The malware blocks access to the data on victims' computers by encrypting it with the AES encryption algorithm. STOP Ransomware is one of the longest-living ransomware families. The first infections were registered in December 2017. STOP Ransomware is yet another generation of it and appends .cosakos, .prandel, .mogranos or .nelasod extensions to encrypted files. Following the encryption, the malware creates a ransom note file, _readme.txt, on the desktop and in the folders with encoded files. In this file, the hackers provide information about decryption and contact details, such as the e-mails gorentos@bitmessage.ch and gorentos2@firemail.cc and the Telegram account @datarestore. The good news is that there is a possibility of successful file decryption. However, several conditions must be met. If the affected PC was not connected to the internet, or the malicious server that generates keys was not accessible at the moment of infection, a tool called STOPDecrypter can decrypt files encrypted by STOP Ransomware. We provide a download link and instructions on how to use it below in the article.