malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Geno Ransomware and decrypt .geno files

Geno Ransomware (a.k.a Djvu Ransomware or STOP Ransomware) encrypts victim's files with Salsa20 (stream encryption system) and appends one of the hundreds of possible extensions including latest discovered .geno. STOP is one of the most active ransomware today, but they hardly talk about it. The prevalence of STOP is also confirmed by the extremely active forum thread on Bleeping Computer, where victims seek help. The fact is that this malware attacks mainly fans of pirated content, visitors to suspicious sites, and is distributed as part of advertising bundles. There is a possibility for successful decryption, however, to date, there are more than two hundred STOP Ransomware variants that are known to researchers, and such a variety significantly complicates the situation.

How to remove Zorab Ransomware and decrypt .zrb or .zorab2 files

Zorab is a file-encrypting virus determined by S!R1, malware researcher that opened a number of other infections. Consequences delivered by Zorab can be clearly seen in data encryption and payment demands to get decryption tools. All files impacted by ransomware will be reconfigured either with .zrb or .zorab2 extension. For example, a virus-free file like 1.mp4 will get a look of 1.mp4.zrb or 1.mp4.zorab2 after penetration. Such a change means that your files become no longer accessible. To decrypt them, extortionists offer to read instructions given in a text note (--DECRYPT--ZORAB.txt) that is dropped after major encryption gets done. In the ransom note, cybercriminals try to console confused victims and let them know that their data is safe and can be recovered. The only thing they have to do is buying decryption software in BTC after establishing contact with cybercriminals via e-mail. Also, there is a trick designed to incept trust in users - decryption of 2 small files for free. Unfortunately, since you are dealing with fraudulent means, there is no real guarantee that your files will be brought back as a result. This is why most cyber experts recommend people to save their money and create extraneous backups preemptively to restore blocked files after deletion of malware.

How to remove Boop Ransomware and decrypt .boop files

Boop Ransomware (that is a part of a large family of STOP/Djvu Ransomware) is an obnoxious virus, that encrypts files on computers using the AES encryption algorithm, makes them unavailable and demands money in exchange for so-called "decryptor". Files processed by the latest version of STOP Ransomware, in particular, can be distinguished by the .boop extensions. The analysis showed that the cryptographic installer loaded with the "crack" or adware is installed under an arbitrary name in the %LocalAppData%\ folder. When executed, it loads four executable files there: 1.exe, 2.exe, 3.exe and updatewin.exe. The first of them is responsible for neutralizing Windows Defender, the second is for blocking access to information security sites. After the malware is launched, a fake message appears on the screen that says about installing the update for Windows. In fact, at this moment, almost all user files on the computer are encrypted. In each folder containing encrypted documents, a text file (_readme.txt) appears in which attackers explain the operation of the virus. They offer to pay them a ransom for decryption, urging them not to use third-party programs, as this can lead to the deletion of all documents.

How to remove Vari Ransomware and decrypt .vari files

Vari Ransomware is a devastating crypto-virus (subversion of STOP Ransomware), that uses the AES-256 asymmetrical encryption algorithm to restrict user access to their files without the key. Malware appends .vari extensions to files make them unreadable and extort ransom for decryption. Unfortunately, due to technical modifications in the newest version file recovery is impossible without backups. However, there are certain standard Windows features and tools, that may help you restore at least some files. File-recovery software may also be useful in this case. In the text box below, there is text message from _readme.txt file, called "ransom note". In this file, malefactors disclose contact information, price of the decryption, and ways to pay the ransom.

How to remove CoronaLock Ransomware and decrypt .pandemic, .corona-lock or .biglock files

Discovered in 2020, CoronaLock restricts access to users' data by encrypting it with ChaCha, AES and RSA algorithms. Files compromised by this ransomware, experience a change in extension to either .pandemic, .corona-lock or .biglock. For example, if 1.mp4 gets modified by the virus, it will migrate to 1.mp4.corona-lock or 1.mp4.biglock. After this, extortionists display ransom information in the note (!!!READ_ME!!!.TXT or README_LOCK.TXT) that is dropped on the desktop. Interestingly enough, people who get attacked with ".biglock" extension, do not have any contact information in the ransom note to connect with cybercriminals. It seems like its developers forgot to include it before the release. In the meantime, ".corona-lock" versions do not have that drawback and contain e-mail in the text file. If you want to take a test-decryption, you are free to send them one file.

How to remove Django Ransomware and decrypt .djang0unchain3d files

Being categorized as ransomware-infection, Django is not a virus to be trifle with. As soon as it drops on your PC, it causes havoc around personal data by encrypting with special algorithms that do not allow third-parties tools to have any argument in the future. During data encryption, your files get altered with the .djang0unchain3d extension. This means that a file like 1.mp4 will be changed to 1.mp4.djang0unchain3d and reset its original icon. It seems like developers inspired a Hollywood movie called "Django Unchained" and decided to borrow its name. Once the encryption gets to a close, victims are presented with ransom instructions in Readme.txt that explain how to decrypt your data. Cybercriminals say that in order to retrieve your files, you should contact them via the attached e-mail address and include your ID. If you do not get an answer within 24 hours, you should write to another e-mail mentioned in the note. After this, extortionists will ask you to purchase the decryption key via the BTC wallet which will help you restore access to blocked data eventually.