Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Axxes Ransomware and decrypt .axxes files

Axxes is a ransomware virus. Infections of this type are designed to prevent users from accessing their personal data. This is done through encryption, usually followed by attempts to blackmail victims into paying money for the return of their data. After successfully attacking a system, Axxes encrypts targeted files and renames them with the .axxes extension. For example, a regular file like 1.png becomes 1.png.axxes and loses its original icon. The rest of the data is renamed following the same pattern. Next, the virus creates two files containing decryption instructions (RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt). The cybercriminals claim that all business- and employee-related data has been both encrypted and uploaded to external servers. Should victims refuse to cooperate, the attackers claim they reserve the right to publish the victims' data on specialized resources. To avoid this, victims are told to open the attached website address in Tor Browser and contact the swindlers to pay for decryption. The onion page also displays a number of tabs, including a list of other companies already compromised by the virus. Unfortunately, for now there are no free means to decrypt Axxes files completely. Furthermore, cutting off all contact with the cybercriminals will definitely motivate them to leak your collected data.

How to remove GonnaCope Ransomware and decrypt .cope files

Recently discovered by a malware researcher named Petrovic, GonnaCope is a ransomware infection able to encrypt data stored on the system. Research showed that it also deletes some data and replaces it with random, meaningless files bearing the .cope extension. Files encrypted by GonnaCope, on the other hand, do not change in appearance: they look exactly the same but are no longer accessible. To regain access to encrypted files, the swindlers behind the virus instruct victims to transfer $100 (in Bitcoin) to the crypto-address given in the ReadMe.txt note. The ransomware also displays a cmd window with almost identical information. After the money is sent, the ransomware developers promise to provide victims with a decryption key to restore the data. Whether cybercriminals can be trusted is always uncertain. In general, such fraudsters have a bad reputation, since they can take the money and never send the promised decryption tools. Either way, they are currently the only ones able to decrypt your data. Victims can avoid paying the ransom only if backup copies are available on external devices, which can then be used to recover the encrypted and no longer usable files. If you are not willing to pay the ransom and have no backups to use, you can still try third-party tools; there is a chance they will be able to help under some circumstances.

How to remove Jhbg Ransomware and decrypt .jhbg files

Jhbg Ransomware, which is in fact a next-generation variant of STOP Ransomware, appeared in June 2021. This virus encrypts users' essential files, such as documents, photos, databases, and music, with AES encryption and appends the .jhbg extension to affected files. This ransomware is almost identical to the numerous previous versions of the malware that we described earlier: it belongs to the same authors and uses the same e-mail addresses (manager@time2mail.ch and supportsys@airmail.cc) and the same Bitcoin wallets. After the virus finishes, it creates a _readme.txt file with the ransom note on the desktop and in the folders containing affected files. The Jhbg variant of STOP Ransomware displays a fake Windows Update pop-up while encrypting files. From the note above, we can see that the hackers offer a 50% discount on decryption if the ransom is paid within 72 hours. However, this is just a trick to encourage people to pay the ransom; often the hackers do not send decryptors afterwards. We recommend that you remove the executables of STOP Ransomware and keep the encrypted files until a decryption tool appears. In the meantime, you can try the manual instructions described in this article to restore files. File-recovery software can also help return some copies of files that were probably removed earlier.

How to remove Dewd Ransomware and decrypt .dewd files

Developed by Djvu, Dewd is a ransomware-type virus that targets personal data. Just like other malware of this type, Dewd encrypts data in order to demand a monetary ransom from victims. All files attacked by Dewd (including pictures, databases, documents, etc.) become inaccessible and are altered visually as well. For example, a file like 1.pdf will appear as 1.pdf.dewd once encryption ends. The developers of this ransomware variant apply the .dewd extension to each target file stored on the system. After changing the file extensions, it creates a ransom note (_readme.txt) containing decryption instructions. When users open it, they are presented with text written by the cybercriminals that explains how to recover the encrypted data. To do so, victims have to pay for the decryption software and keys that can unlock access to the data. To buy this set of tools, victims have to contact the extortionists via e-mail and obtain payment details. There is also an offer to decrypt one file for free before the ransom is paid. The developers expect such an offer to strengthen victims' trust and persuade them to pay. Despite this, there is no real guarantee that the cybercriminals will not fool you eventually: they can receive your money and never send the promised decryption tools. In some cases, users can avoid paying the ransom if a free decryption tool has been developed by cyber experts.

How to remove PARKER Ransomware and decrypt .PARKER files

PARKER is the name of a ransomware program designed to encrypt users' data and extort money from victims. It is likely a product of the cybercriminals who developed two other devastating file-encryptors named ZORN and MATILAN. Just like them, PARKER creates the same RESTORE_FILES_INFO.txt text note explaining how to recover encrypted data. During encryption, the virus renames various types of potentially important files in the following pattern: 1.pdf becomes 1.pdf.PARKER, and so on for other files stored on the system. As a result, the files are no longer usable without a special decryption tool, which has to be purchased from the cybercriminals. Unless victims contact the threat actors via the listed contact addresses and pay the required ransom within the 3 days given, the attackers threaten to leak the collected data to public resources. This carries the risk of exposing private company information, which can be abused by competitors or other fraudulent parties. Although collaborating with cybercriminals is always advised against, they might be the only ones able to provide full data decryption and some guarantee not to publish sensitive information. Unfortunately, there are no third-party tools that could decrypt your data for free. The best feasible option is to recover encrypted files from backups stored on uninfected devices (e.g. USB flash drives, other PCs, cloud storage, etc.).

How to remove Jhdd Ransomware and decrypt .jhdd files

Jhdd is a new ransomware variant developed and published by a fraudulent group named Djvu. Being a file-encrypting virus, it blocks access to personal data using secure encryption algorithms. This means that files stored on the PC can no longer be opened until they are decrypted. To show that all files have been locked, the developers append the new .jhdd extension to each file. For instance, a file like 1.pdf changes to 1.pdf.jhdd and eventually loses its icon. After this part of the encryption is finished, the virus creates a text note (_readme.txt) with ransom instructions. Like other Djvu/STOP ransomware versions, Jhdd states that all data has been strongly encrypted. To regain access, victims are encouraged to pay for the decryption kit (both software and keys) to unblock their files. Contacting the cybercriminals via e-mail (manager@time2mail.ch or supportsys@airmail.cc) is the way to get payment instructions. If you manage to reach them within a 72-hour time frame, the price drops by half (from $980 to $490). Despite such an offer, it is still a high price to pay for most victims. Moreover, there are many cases in which users did not receive the promised decryption even after paying the ransom. This is why it is hard to rely on the offers made by swindlers (e.g. free decryption, price discounts, etc.) as testaments to their integrity.