
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Gujd Ransomware and decrypt .gujd files

Gujd Ransomware, part of the STOP Ransomware (DjVu Ransomware) family, is an elaborate encryptor virus that encrypts users' files and makes them inaccessible. The malware uses an unbreakable AES (Salsa20) encryption algorithm, and decryption is only possible in 2-3% of cases. This recent version of STOP Ransomware adds the following suffix or extension: .gujd. The corresponding virus variation is named Gujd Ransomware. After encrypting, the ransomware creates a _readme.txt file, which specialists call a "ransom note", and below you can get acquainted with the contents of this file. Gujd Ransomware uses similar techniques across all versions: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine (it demands $490, and if not paid within 72 hours, the amount doubles to $980). As a rule, the virus does not affect essential system files and encrypts only data that can be potentially valuable to users: videos, photos, documents, local e-mails, archives. The good news is that Emsisoft (an antivirus vendor) has released a special utility called Emsisoft Decryptor for STOP Djvu, which can decrypt more than 200 variations of the threat. In some cases, you will need a pair of the original and encrypted files; in most cases, data can be restored only if an offline key was used by the malware (this happens due to a malfunction or internet connection loss during the encryption process).

How to remove the Vn_os Ransomware and decrypt .vn_os files

Vn_os is a ransomware-type virus that encrypts personal data to demand money in exchange for the blocked files. This type of virus also assigns new file extensions. Vn_os appends the .vn_os extension to all encrypted files, which visually separates encrypted files from the originals. For instance, 1.pdf and other files stored on your system will be changed to 1.pdf.vn_os, or similar, right after encryption. As soon as this stage of infection is done, the virus displays a pop-up window with instructions on how to recover your data. The same instructions can also be found inside a text note called ___RECOVER__FILES__.vn_os.txt, which is dropped into each folder containing infected data.

How to remove Wwka Ransomware and decrypt .wwka files

The STOP Ransomware epidemic still goes on, with another successor called Wwka Ransomware. This nasty virus hits thousands of computers all over the world, mostly targeting the USA, Europe, and Australia. The most recent version uses the .wwka extension, which it adds to the end of encrypted files. As DjVu Ransomware uses the AES encryption algorithm, the probability of decryption is low, but it exists. Wwka Ransomware damages users' important data: photos, videos, documents, and other types of information that victims are ready to pay a ransom for. At the same time, it doesn't touch system files, to keep Windows operable. The latest generation of this virus creates a ransom note file called _readme.txt. The ransom note is typical. The malefactors let victims get acquainted with the conditions and price of the ransom, which is $980, and disclose e-mail addresses for contact: manager@mailtemp.ch and helpmanager@airmail.cc. Although the developers affirm that it is not possible to recover files without paying the ransom, the objective situation is different. The virus code has bugs that allow security specialists to retrieve the key in some cases. In particular, if the PC is disconnected from the web during the encryption process, or the hackers' servers are unavailable, Wwka Ransomware generates an offline key. This key can be found with a special decryption tool called STOP Djvu Decryptor.

How to remove Lssr Ransomware and decrypt .lssr files

STOP Ransomware is a sophisticated encryption virus that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest version (Lssr Ransomware), which appeared in September 2020, adds the .lssr extension to files and makes them unreadable. To date, the family includes about 180 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe and South America, India, and Southeast Asia. The threat has also affected the United States, Australia, and South Africa. Although the Lssr virus is less known than GandCrab, Dharma, and other ransomware trojans, it accounts for more than half of the detected attacks this year. Moreover, the next participant in the rating, the aforementioned Dharma, lags behind it on this indicator by more than four times. A significant role in the prevalence of STOP Ransomware is played by its diversity: in the most active periods, experts found three or four new versions daily, each of which hit several thousand victims.

How to remove Pooe Ransomware and decrypt .pooe files

STOP Ransomware (DJVU Ransomware) is officially the most common virus-encrypter in the world. The encryptor operates according to the classical scheme: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine. More than 50% of ransomware-infected computers are infected with STOP Ransomware. It got its second name, DJVU Ransomware, from the .djvu extension that was appended to the files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to the present day. The recent variation of the malware (Pooe Ransomware) adds the .pooe extension to files. Of course, affected files become inaccessible without a special "decrypter", which has to be bought from the hackers. Here is the _readme.txt ransom note that the ransomware places in every folder and on the desktop.

How to remove Zzla Ransomware and decrypt .zzla files

Zzla Ransomware (the latest version of STOP or DjVu Ransomware) is extremely harmful and one of the most active encryption viruses. More than half of ransomware submissions to ID-Ransomware (a ransomware identification service) are made by victims of STOP Ransomware. Although it has been in circulation for a couple of years, the number of infections caused by Zzla Ransomware continues to increase. It may be somewhat ironic, but most of the victims (at the moment) are users of pirated software. The version of the virus under consideration today adds the .zzla extension to files. The malicious program also creates a text file (called _readme.txt) in each infected folder, which explains to the user that his computer is infected and that he will not be able to access his data until he pays a ransom of $980. If the user pays within 72 hours after infection, the ransom is reduced to 490 US dollars. An example of this ransom note is presented below.