Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove GhostLocker Ransomware and decrypt .ghost files

GhostLocker is ransomware developed by the GhostSec cybercriminal group. Ransomware is malware designed to encrypt data and demand payment for its decryption. GhostLocker targets a wide range of data types, including documents, spreadsheets, drawings, images, movies, and videos. It is a derivative of the BURAN Ransomware and is distributed in a worldwide campaign. GhostLocker encrypts files and appends the .ghost extension to their names. For example, an original filename such as 1.jpg would appear as 1.jpg.ghost. The effect of encryption is simple: every file that gets encrypted becomes unusable. GhostLocker uses AES encryption, a symmetric encryption algorithm known for its speed and security. GhostLocker leaves a ransom note in a text file (lmao.html), warning against renaming the encrypted files or using third-party recovery tools, as this may lead to permanent data loss. The victim is also warned that seeking aid from third parties or authorities will result in data loss and the stolen content being leaked.

How to remove Mlap Ransomware and decrypt .mlap files

Mlap Ransomware is malicious software that encrypts data on a victim's computer, rendering it inaccessible. It is a member of the Djvu ransomware family, which is known for its robust encryption methods and aggressive ransom demands. The Mlap ransomware specifically appends the .mlap extension to the filenames of the files it encrypts, transforming, for example, 1.jpg into 1.jpg.mlap. It uses the Salsa20 encryption algorithm, a robust cipher typical of all other STOP/Djvu ransomware family members. This encryption algorithm generates a 78-digit number of possible decryption keys, making it nearly impossible to brute-force the decryption key. After completing the encryption process, Mlap ransomware drops a ransom note named _readme.txt on the victim's desktop. This note contains two email addresses (support@freshmail.top and datarestorehelp@airmail.cc) and offers victims the opportunity to obtain decryption software and a key for a price set at $980.

How to remove Locknet Ransomware and decrypt .locknet files

Locknet Ransomware is malicious software that belongs to the MedusaLocker family. Its primary purpose is to encrypt files on a victim's computer, making them inaccessible. The ransomware also renames files by adding the .locknet extension to filenames. For instance, it changes a file named 1.jpg to 1.jpg.locknet, 2.png to 2.png.locknet, and so forth. Locknet Ransomware uses a combination of the RSA and AES encryption algorithms to encrypt the files on the infected computer. These encryption methods are robust and secure, making it extremely difficult to decrypt the files without the specific decryption key. After encrypting the files, Locknet Ransomware creates a ransom note named HOW_TO_BACK_FILES.html. This note informs victims that their network has been breached and all important files have been encrypted. It warns against attempting to restore the files with third-party software, as this could permanently damage them. The attackers claim that only they can provide the decryption solution.

How to remove Mlza Ransomware and decrypt .mlza files

Mlza Ransomware is malicious software that belongs to the STOP/DJVU family, known for its malignant file-encryption operations. It is a fresh iteration within the Djvu ransomware lineage, with its primary aim being to encrypt files found on a compromised system. Once the Mlza ransomware infects a computer system, it targets various file types, encrypts them, and appends the .mlza extension to the file names. For instance, a file named 1.jpg would be renamed to 1.jpg.mlza. The ransomware uses the Salsa20 encryption algorithm, which, while not the strongest method, still provides an overwhelming number of possible decryption keys. This encryption makes the files inaccessible, and the decryption key is almost impossible to find without cooperating with the attackers. Mlza ransomware generates a _readme.txt file containing a ransom note.

How to remove Mlrd Ransomware and decrypt .mlrd files

Mlrd Ransomware is malicious software that belongs to the Djvu family, a notorious group of ransomware known for encrypting data on infected computers. This ransomware is a new variant of the STOP/DJVU ransomware family, which is infamous for its file-encrypting capabilities. It was discovered during a thorough analysis of samples on VirusTotal. Once the Mlrd ransomware infects a computer, it scans for files to encrypt. It targets a wide range of file types and appends the .mlrd extension to the filenames of the encrypted files. For instance, a file named 1.jpg would be transformed into 1.jpg.mlrd. Mlrd Ransomware uses the Salsa20 encryption algorithm to encrypt files. This is not the strongest method, but it provides an overwhelming number of possible decryption keys, making it nearly impossible to brute-force the decryption key. After the encryption process, Mlrd ransomware leaves behind a ransom note named _readme.txt.

How to remove Enmity Ransomware and decrypt your files

Enmity Ransomware is malware designed to encrypt data, modify the filenames of all encrypted files, and leave a ransom note. This ransomware is a potent form of malware that targets computers with the harmful intent of encrypting the files stored on them. It is developed by individuals with criminal intentions and operates as a ransom-demanding infection. Enmity Ransomware modifies the original names of the encrypted files by appending a complex pattern to the filenames, following the format: {random-string}-Mail-[rxyyno@gmail.com]ID-[].{random-extension}. The email address used in the file extensions is rxyyno@gmail.com, while the rest of the pattern is dynamically generated for each victim individually. It also appends a random six-character extension to the end of the encrypted data filename. Enmity Ransomware leaves behind a text file named Enmity-Unlock-Guide.txt on the infected device.

How to remove Mlwq Ransomware and decrypt .mlwq files

Mlwq is a ransomware variant that belongs to the Djvu family. This malicious software carries out file encryption and appends the .mlwq extension to the original filenames of all affected files. For instance, Mlwq renames 1.txt to 1.txt.mlwq, 2.jpg to 2.jpg.mlwq, and so forth. Once the Mlwq ransomware infects a system, it targets various types of files, such as documents, pictures, and databases, making them unreadable and unusable. The Mlwq ransomware uses the Salsa20 encryption algorithm. This is not the strongest method, but it still provides an overwhelming number of possible decryption keys, making it practically impossible to "hack". After the encryption process, Mlwq ransomware leaves behind a ransom note titled _readme.txt containing instructions for victims.

How to remove PepeCry Ransomware and decrypt .cry files

PepeCry is ransomware discovered during an analysis of samples uploaded to the VirusTotal website. It is designed to encrypt files, making them inaccessible, and to add the .cry extension to filenames. For example, it renames 1.jpg to 1.jpg.cry and 2.png to 2.png.cry. PepeCry displays a ransom note in a pop-up window, demanding a ransom of 1 BTC to decrypt the files. The note is designed to instill fear and urgency, encouraging victims to pay the ransom. According to the ransom note, PepeCry ransomware uses the AES256 encryption algorithm. The note states "FACIL METE LA CLAVE DE DESENCRIPTADO AES256", which translates to "Easy, enter the AES256 decryption key." AES256 is a symmetric encryption algorithm known for its strong security, making it virtually impossible to decrypt the files without the correct decryption key.