
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Reig Ransomware and decrypt .reig files

Reig Ransomware (also known as STOP Ransomware) is a destructive virus whose operating principle is based on strong file encryption and money extortion. There have been more than 300 versions of this malware, with several major modifications and numerous minor changes. Recent ones add random 4-letter extensions to affected files to indicate that they are encrypted. Since the very beginning, Reig Ransomware has used the AES-256 (CFB mode) encryption algorithm. Depending on the exact extension, the removal and decryption methods differ slightly but remain similar. The variation under research today uses the .reig extension. Like its predecessors, it creates a ransom note called _readme.txt; below is an example of such a text file. Reig Ransomware uses system directories to store its own files. To start automatically each time the OS starts, the encryptor creates an entry in the Windows registry section that defines the list of programs that start when the computer is turned on or restarted. Therefore, to be able to decrypt your files, you need to remove the virus first. A technical peculiarity of this malware allows users to decrypt files successfully in some cases. The point is that Reig Ransomware tries to connect to its server every time it starts encryption on a victim's computer.

How to remove Parasite Ransomware and decrypt .parasite, .betarasite or .paras1te files

Parasite is one of the newest ransomware samples detected by cyber experts in recent days. Like other malware of this type, Parasite encrypts personal data and demands money for the decryption. However, it was found that Parasite has a significant flaw: it encrypts data with the wrong cipher and overwrites data with 256 bytes. This means that all data encrypted by Parasite loses its value completely, simply because it gets replaced with empty space. For example, a Word file that is megabytes in size will shrink to a mere 256 bytes. Such a bug shows at once that Parasite is not able to decrypt your files, simply because they become damaged. Of course, the attackers claim to decrypt them in the HOW_CAN_GET_FILES_BACK.txt ransom note (alternatively @READ_ME_FILE_ENCRYPTED@.html or info.hta), which is created after encryption, but this claim makes no sense given the flaw described above.

How to remove Perfection Ransomware and decrypt .perfection files

Perfection is a ransomware infection that uses RSA and AES algorithms to encrypt personal data. The purpose of such attacks is to capitalize on desperate victims willing to restore their files. As a result, the developers behind Perfection offer to sell a decryption tool that will help you regain access to your data. Before that, however, Perfection Ransomware appends the .perfection extension to each of the files. For example, 1.mp4 will change to 1.mp4.perfection, and so on. Then, once this process is done, the extortionists create a number of identical browser files and place them into folders with encrypted data. The ransom note created by Perfection is known as Recovery_Instructions.html.

How to remove Tirp Ransomware and decrypt .tirp files

Tirp Ransomware, or, as it is often called, STOP Ransomware or DjVu Ransomware, belongs to a large family of file-encryption viruses with a long history and multiple modifications. Currently, this is one of the most widespread ransomware families. We won't go deep into the technical details of the infection, but will explain simple methods and the chances of decrypting affected files and removing the virus. The first thing you should know is that there are cases that can be treated successfully; the bad news is that the chances of a successful outcome are less than 5%. In this article, we will look at variations that append the .tirp extension to files. Tirp Ransomware uses a similar pattern with all victims. It comes as a fake Windows update from torrent websites that runs an executable to disable security programs and starts the encryption process of valuable files, such as documents, videos, photos, and music. In the end, it places a ransom note (_readme.txt) file in every folder with encrypted files.

How to remove Ribd Ransomware and decrypt .ribd files

A new generation of Ribd Ransomware (Djvu Ransomware) started to add .ribd extensions to encrypted files on April 17th. We remind you that Ribd Ransomware belongs to the family of crypto-viruses that extort money in exchange for data decryption. The latest samples of STOP Ransomware are sometimes categorized as Djvu Ransomware, as they have used identical ransom note templates since the beginning of 2019, when .djvu extensions were appended. Ribd Ransomware uses the same email addresses used in the last dozens of versions: helpmanager@mail.ch and restoremanager@airmail.cc. Ribd Ransomware creates a _readme.txt ransom note file that looks almost the same. The decryption of files encrypted by Ribd Ransomware still costs $980 (or $490 if the ransom is paid within 72 hours). Our team does not recommend that you pay the ransom. There are frequent cases when hackers don't reply after receiving the payment. The most recent versions of STOP Ransomware were successfully decrypted by security specialists and enthusiasts. Below is the article where you can find the download button for STOP Djvu Decryptor, a decryption utility that is constantly updated by its developers. It is able to decrypt .ribd files for free or will be able to recover them in a few days or weeks. Before that, you need to remove the executable of Ribd Ransomware to prevent further infection.

How to remove Assist Ransomware and decrypt .assist files

Using a set of cryptographic algorithms, Assist Ransomware encrypts personal data and demands money for its decryption. This practice is very common among ransomware infections, as they do everything possible to leave desperate victims no choice. Because of the powerful ciphers applied by Assist, manual decryption becomes quite an arduous task. This is why the cybercriminals offer to be contacted via the team-assist002@pm.me e-mail address for further instructions. This information is listed inside the note (ASSIST-README.txt) created after your data is locked completely. This version of the ransomware marks encrypted files with the .assist extension. To illustrate, a file like 1.mp4 will become 1.mp4.assist after the encryption is done. As mentioned, the only possible method to get 100% decryption is with the help of the ransomware developers; however, this is not the best option, since they can fool you and not provide any software for restoring the data. We strongly recommend deleting Assist Ransomware from your computer to prevent further encryption, especially if you do not regret the lost data that much.