malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Bpto Ransomware and decrypt .bpto files

One of the main computer security threats today is ransomware. Those are devastating computer viruses, that encrypt users' files using various cryptographic algorithms and extort ransom money for the decryption key. It is especially sensitive for users, as it attacks either personal files such as videos, photos, music, or business data such as MS Office file formats, e-mails, databases. Such files can be crucial for business operation or extremely important personally as part of family memory. Malefactors can demand from several hundred to several thousand dollars as a ransom. STOP Ransomware is officially the most widespread and therefore most dangerous ransomware threat. There've been more, than 650 versions of this virus in 5 years. Each variation infects thousands of computers, and there are millions of victims of this nasty malware. In this article, we will explain typical methods to fight Bpto Ransomware and decrypt affected files. In today's focus, versions of STOP (Djvu), that add .bpto extensions. Recent samples use a very similar pattern to infiltrate PCs and encrypt files. After encryption, ransomware creates a file (ransom note), called _readme.txt.

How to remove Bpws Ransomware and decrypt .bpws files

Being part of the STOP/Djvu family, Bpws is a ransomware-type virus that puts up a lock on personal data. The encryption is done using military-grade algorithms that generate online keys on special servers. This ensures no third-party tools can access the keys to decipher the files. Just like other infections of this type, Bpws changes the names of each infected file. It does so by appending a new extension (.bpws) to every encrypted piece. For example, a file like 1.pdf will be modified and change its name to 1.pdf.bpws after encryption. After this stage of the virus is over - Bpws Ransomware creates a text note called _readme.txt containing decryption instructions. A number of other ransomware variants developed by Djvu used the same content for the ransom instructions.

How to remove Theva Ransomware and decrypt .theva files

Theva is the name of a ransomware virus that encrypts system-stored data and demands victims to pay money in Bitcoin for its decryption. During encryption, targeted files end up visually altered - for instance, 1.pdf will change to 1.pdf.[].theva and so forth with other files. Upon successful blockage of data, Theva Ransomware represents its decryption instructions in a text document called #_README_#.inf. It also changes victims' desktop wallpapers. In order to recover the data, victims are urged to contact cybercriminals via the given e-mail address ( and pay the ransom in Bitcoin cryptocurrency. It is said the price for decryption depends on how fast victims establish contact with swindlers. Following successful payment, threat actors promise to send the necessary decryption tool that will unlock all blocked data.

How to remove Bpsm Ransomware and decrypt .bpsm files

Bpsm is a ransomware infection belonging to the Djvu/STOP Ransomware family. This family has released a number of file encryptors that target various users worldwide. Once the system is penetrated by ransomware, the virus begins scouting for potentially valuable file formats and running data encryption. After the cryptographic encryption occurs, users will no longer be able to access and use their data as before. You may immediately spot the change by looking at the altered names of the files. This specific ransomware assigns the .bpsm extension, making a file like 1.pdf change to 1.pdf.bpsm and reset its original icon. Usually, Bpsm Ransomware and other modern Djvu/STOP versions generate "online" keys, which means full decryption of data is likely impossible without the help of cybercriminals. There are, however, sometimes exceptions to this - which can be found about further below.

How to remove Znws Ransomware and decrypt .znws files

Just like many previous versions of this virus, Znws Ransomware is a malicious program recently developed by the STOP (Djvu) ransomware family, which runs data encryption. Once it gets on your computer, the virus covers all personal data with strong encryption algorithms, so that you could no longer be able to get access to them. Unfortunately, preventing ransomware from blocking your data is impossible unless you have special anti-malware software installed on your PC. In case of its absence, the files stored on your disks will be restricted and no longer accessible. After the encryption process is done, you will see all the files change to 1.pdf.znws and similarly with other file names. This version of STOP ransomware uses .znws extension to highlight the encrypted data. Then, as soon as ransomware has stormed through your system and put all the sensitive data under a lock, it goes further creating a ransom note (_readme.txt).

How to remove Znto Ransomware and decrypt .znto files

Znto Ransomware (also known as STOP Ransomware) is ruinous virus, whose operating principle is based on strong file encryption and money extortion. There have been more, than 600 versions of this malware, with several major modifications and numerous minor changes. Recent ones use random 4-letter extensions added to affected files, to indicate that they are encrypted. Since the very beginning, Znto Ransomware has used the AES-256 (CFB mode) encryption algorithm. Depending on the exact extension there are slightly different, but similar removal and decryption methods. Variation under research today uses .znto extensions. Like its predecessors, it creates a ransom note called _readme.txt, below is an example of such a text file.