
Ransomware

Articles about removing Windows lockers, browser lockers, crypto-viruses and other types of blackmailing threats.

How to remove Selena Ransomware and decrypt .selena files

Selena is a disruptive ransomware infection that primarily targets business networks. It encrypts network-stored data and demands that victims pay a ransom for its return. During encryption, Selena changes how the original files appear: each inaccessible file is given a uniquely generated victim ID, the attackers' e-mail address, and the .selena extension. For example, a file initially named 1.xlsx becomes id[q2TQAj3U].[Selena@onionmail.org].1.xlsx.selena, and its icon is reset to blank. Once the process finishes, the ransomware creates a text note named selena.txt that explains how to recover the files. It claims there is no way to decrypt the restricted data other than negotiating directly with the cybercriminals. For further information, victims are told to write to one of two e-mail addresses (selena@onionmail.org or selena@cyberfear.com) and put their personal ID in the subject line. To obtain the decoder and private keys that unlock the data, victims are required to pay in bitcoin. The price is not stated and is likely calculated individually once the victim contacts the extortionists. The cybercriminals also offer to decrypt 2 files containing no valuable information (under 5MB) for free, as a guarantee that they are actually able to decrypt the data. Unfortunately, no way to decrypt the files without the attackers' key is known at present.

How to remove Hhjk Ransomware and decrypt .hhjk files

Hhjk has been classified as a ransomware-type virus that encrypts personal data using cryptographic algorithms. Being yet another version of the Djvu/STOP family, Hhjk targets both individuals and organizations and demands a high ransom, i.e. a payment required by cybercriminals in exchange for the blocked data. The extortionists provide detailed instructions in a text note (_readme.txt) that is created once Hhjk finishes encrypting files. The encryption can be easily spotted by the new extension assigned to each file: the virus appends .hhjk, so an encrypted file ends up looking like 1.pdf.hhjk. The note claims that users can decrypt their files only by buying the decryption tool sold by the extortionists. To get it, victims have to contact the developers via the manager@time2mail.ch or supportsys@airmail.cc e-mail addresses, after which they are given a payment address for the transfer. Victims who make contact within the first 72 hours are offered a 50% discount on the main price ($490 instead of $980). Before paying, victims are also offered a free test decryption: they may send 1 encrypted file that contains no valuable information. This offer makes the cybercriminals look more trustworthy to inexperienced users, but they can still cheat you and never send any decryption tool, which happens to many victims who decide to pay the ransom. Unfortunately, although trusting cybercriminals is strongly discouraged, they are currently the only party able to provide full decryption of the data: there are no free tools at the moment that can break the encryption applied by Hhjk Ransomware.

How to remove Ttii Ransomware and decrypt .ttii files

Ttii encrypts data (with RSA-2048 + Salsa20 algorithms), appends the .ttii extension to file names, and demands money for the return of the data. These traits make it a ransomware infection. It is also part of a very widespread and dangerous ransomware family called STOP/Djvu, which is responsible for hundreds of devastating infections. Once Ttii installs on a system, users lose access to files they could open before the infection. This is how an infected file looks after successful encryption: healthy 1.pdf becomes encrypted 1.pdf.ttii. As soon as the process is done, Ttii presents ransom instructions in a text note (_readme.txt). The developers use the same template as for the other ransomware variants of the STOP/Djvu family. It states that victims should buy the special decryption software held by the cybercriminals. The price is $980, though it can be cut to $490 if victims pay within the first 72 hours of infection. To prove that the malware developers can be trusted, they offer a so-called guarantee: users may send 1 unimportant file and get it decrypted for free. All communication about payment and other details is to be conducted by writing to one of the attached e-mail addresses (manager@time2mail.ch or supportsys@airmail.cc).

How to remove Pipikaki Ransomware and decrypt .@PIPIKAKI files

Pipikaki is a recent devastating ransomware infection reported by victims on forums. Malware of this type is also known as a crypto-virus: it is designed to encrypt system-stored data and blackmail victims into paying money for its return. Pipikaki does exactly that, renaming targeted files with the victim's ID and the .@PIPIKAKI extension during encryption. For instance, a file previously named 1.pdf becomes 1.pdf.[8A56562E].@PIPIKAKI, or similar depending on the victim's ID. Instructions on how to return the restricted files are then presented in a file named WE CAN RECOVER YOUR DATA.txt. The ransom note tells users to contact the developers (via Skype, ICQ Live chat, or the pipikaki@onionmail.org e-mail) and negotiate the return of the data. As a rule, cybercriminals ask their victims to pay a certain ransom (most often in cryptocurrency). The note also states that noncompliance with the extortionists' demands will result in the publication of all sensitive data: they threaten to leak important business-related information (clients' data, bills, annual reports, etc.) collected from the encrypted machine or network.

How to remove Mmob Ransomware and decrypt .mmob files

Mmob Ransomware, a part of STOP Ransomware, is a critical virus endangering users' personal files. It belongs to the family of file-encrypting malware that uses the Salsa20 algorithm with a key that cannot be recovered from the encrypted files. This virus is sometimes called DJVU Ransomware, after the word used as an extension in its first versions (.djvu). The variant described here, which modifies files with the .mmob extension, appeared in May 2022 and acts exactly the same as dozens of previous versions. Files are encrypted with a secure key, and the chances of decrypting them completely are small, especially if an online key was used. However, certain manual methods and automatic tools described in this article can help you decrypt some data. In the textbox below you can find the "ransom note", a small text file with a brief introduction to the virus and instructions for paying the ransom. The price of decrypting files encoded by STOP Ransomware is $490 (or $980 if not paid within 72 hours). But as statistics show, it is pointless to pay any money, as the malefactors almost always ignore the victims afterwards. STOP Ransomware purposefully encrypts important personal information: videos, photos, documents, local e-mails, archives. It detects and attacks the kinds of data that can be critical enough for users to pay such an amount of money for. If there is any realistic chance to recover files with the .mmob extension, you can do it with a special utility called Emsisoft Decryptor for STOP Djvu, which can be downloaded below. This little program can decrypt more than 350 types of ciphered files. In some situations you will need a pair of original and encrypted files; in most cases, data can be restored only if an offline key was used by the malware (which happens only when the malware cannot reach its command server during the encryption process).

How to remove Jhgn Ransomware and decrypt .jhgn files

This article contains information about the Jhgn Ransomware version of STOP Ransomware, which adds the .jhgn extension to encrypted files and creates ransom note files on the desktop and in the folders with affected files. Jhgn Ransomware is actively distributed in the following countries: USA, Canada, Spain, Mexico, Turkey, Egypt, Brazil, Chile, Ecuador, Venezuela, Germany, Poland, Hungary, Indonesia, Thailand. This variation first appeared in April 2022 and is almost identical to the dozens of previous variations. The ransom note (_readme.txt) follows the family's formulaic template. The ransomware still uses the same Salsa20-based encryption scheme as earlier variants and still demands a ransom in Bitcoin for decryption. The Jhgn variation of STOP Ransomware displays a fake Windows Update pop-up during the file encryption process. This variant belongs to the same authors as the rest of the family, since it uses the same e-mail addresses for communication: manager@time2mail.ch and supportsys@airmail.cc. From the note we can learn that the hackers offer a 50% discount on decryption if the ransom is paid within 72 hours. However, in our experience this is just a trick to encourage the victim to pay the ransom; often the malefactors don't send decryptors afterwards.
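The entries above describe three distinct file-naming schemes (Selena's id[ID].[e-mail].name.ext.selena, STOP/Djvu's name.ext.hhjk/.ttii/.mmob/.jhgn, Pipikaki's name.ext.[ID].@PIPIKAKI), three ransom-note file names, and the STOP/Djvu distinction between online and offline keys that decides whether the Emsisoft decryptor can help. As an added example (not code from this site or from any of the articles), the Python script below walks a directory, identifies the family from those patterns, pulls the contact e-mails and victim IDs out of the notes, and flags a STOP/Djvu infection as offline-key or online-key. The naming patterns and note names come from the articles; the rule that a STOP/Djvu personal ID ending in "t1" is an offline ID comes from Emsisoft's decryptor guidance, not from this page; the sample files and ransom notes are constructed for the demonstration.

```python
"""Triage helper: spot the ransomware families described above by their
file-naming patterns and ransom notes, and extract contact/ID details."""
import os
import re
import tempfile
from collections import Counter

# File-name patterns as described in the articles above.
# Selena: id[<victim id>].[<attacker e-mail>].<original name>.selena
SELENA_RE = re.compile(r"^id\[(?P<vid>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<name>.+)\.selena$", re.I)
# Pipikaki: <original name>.[<victim id>].@PIPIKAKI
PIPIKAKI_RE = re.compile(r"^(?P<name>.+)\.\[(?P<vid>[0-9A-Fa-f]+)\]\.@PIPIKAKI$")
# STOP/Djvu: <original name>.<four-letter extension>, variants covered above
STOP_EXTS = {"hhjk", "ttii", "mmob", "jhgn"}
STOP_RE = re.compile(r"^(?P<name>.+)\.(?P<ext>[a-z]{4})$")

# Ransom-note file names -> family
NOTE_NAMES = {"selena.txt": "Selena", "_readme.txt": "STOP/Djvu",
              "we can recover your data.txt": "Pipikaki"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
STOP_ID_RE = re.compile(r"Your personal ID:\s*([0-9A-Za-z]+)")

# Constructed sample notes (not real notes), approximating the templates described above.
SAMPLE_STOP_NOTE = """ATTENTION!
All your files like pictures, databases, documents and other important are encrypted.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
To get this software you need write on our e-mail:
manager@time2mail.ch
Reserve e-mail address to contact us:
supportsys@airmail.cc
Your personal ID:
0527CONSTRUCTEDSAMPLEIDt1
"""
SAMPLE_SELENA_NOTE = """Your files are encrypted. Write to selena@onionmail.org
or selena@cyberfear.com and put your ID q2TQAj3U in the subject line.
"""


def classify_filename(filename):
    """Return the family and parsed fields for an encrypted-looking name, else None."""
    m = SELENA_RE.match(filename)
    if m:
        return {"family": "Selena", "original": m["name"],
                "victim_id": m["vid"], "contact": m["email"]}
    m = PIPIKAKI_RE.match(filename)
    if m:
        return {"family": "Pipikaki", "original": m["name"], "victim_id": m["vid"]}
    m = STOP_RE.match(filename)
    if m and m["ext"].lower() in STOP_EXTS:
        return {"family": "STOP/Djvu", "variant": m["ext"].lower(), "original": m["name"]}
    return None


def parse_note(filename, text):
    """Extract contact e-mails and, for STOP/Djvu, the personal ID and key mode."""
    family = NOTE_NAMES.get(filename.lower())
    if family is None:
        return None
    info = {"family": family, "emails": sorted(set(EMAIL_RE.findall(text)))}
    if family == "STOP/Djvu":
        m = STOP_ID_RE.search(text)
        if m:
            info["personal_id"] = m.group(1)
            # Emsisoft's STOP Djvu decryptor guidance (not from this page): IDs
            # ending in "t1" are offline IDs, the only case the decryptor can help.
            info["key_mode"] = "offline" if m.group(1).endswith("t1") else "online"
    return info


def triage(root):
    """Walk a directory tree and summarise encrypted files and ransom notes."""
    families, encrypted, notes = Counter(), [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            hit = classify_filename(name)
            if hit:
                families[hit["family"]] += 1
                encrypted.append(hit)
            elif name.lower() in NOTE_NAMES:
                with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                    notes.append(parse_note(name, fh.read()))
    return {"families": dict(families), "encrypted": encrypted, "notes": notes}


def build_sample_dir():
    """Create a constructed directory of dummy files named like the victims' files above."""
    root = tempfile.mkdtemp(prefix="ransomware-triage-")
    for name in ["id[q2TQAj3U].[Selena@onionmail.org].1.xlsx.selena", "1.pdf.hhjk",
                 "photo.jpg.ttii", "1.pdf.[8A56562E].@PIPIKAKI", "untouched.docx"]:
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder bytes, not real ciphertext
    for name, text in [("_readme.txt", SAMPLE_STOP_NOTE), ("selena.txt", SAMPLE_SELENA_NOTE)]:
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    summary = triage(build_sample_dir())
    print(summary["families"])
    for note in summary["notes"]:
        print(note)
```

Run it against a copy of the affected share rather than the live machine; the script only reads file names and note contents, and the family/key-mode verdict is what decides whether the Emsisoft Decryptor for STOP Djvu is worth attempting (offline ID) or whether the data must be restored from backups (online ID, Selena, Pipikaki).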