malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Bonsoir QNAP NAS Ransomware and decrypt .bonsoir files

According to recent forum reports, users are dealing with a new ransomware infection known as Bonsoir. This virus targets local networks (NAS, QNAP, Samba/SMB, Synology) encrypting the stored data with AES-CFB algorithms. The decryption of files is thereby offered inside of a text file called HOW-RECOVER-MY-FILES.txt. To elaborate on data encryption, we should mention that Bonsoir applies a one-word extension to each piece of data - .bonsoir. For example, if there was a file named 1.mp4 in your storage, it will change to 1.mp4.bonsoir as a result of infection. Developers of the virus claim their instructions to be the only solution towards restoring your files. One of the victims actually emptied his pockets and bought the decryption key imposed by extortionists. He, therefore, managed to recover his files with the provided key. Unfortunately, this method does not fit everybody because of the high amounts required by cybercriminals and the risk to be fooled by them. This is why our advice is to delete Bonsoir QNAP NAS Ransomware and try using legitimate utilities to access your data.

How to remove Cadq Ransomware and decrypt .cadq files

If unexpectedly the names of your files changed, .cadq is added at the end of their name, and the files themselves stopped opening, this means that your computer is infected with the file-encryption virus called Cadq Ransomware (STOP Ransomware). Using a strong hybrid encryption system and a unique key, this virus encrypts all files located on the infected computer. Each encrypted file receives new extension: .cadq. To encrypt data, the parasite uses a combination of AES and RSA algorithms. New versions appear almost every week, although they all show their activity according to the same template. Even if you delete the new extension or completely rename the file, it will not help restore access to its contents. Only the key and decryptor that the authors of the Cadq Ransomware have can decrypt the files. Fortunately for the victims of this virus, a free decryptor was created, which in some cases can help decrypt affected files. After encryption malware places special text file with instructions to pay the ransom (ransom note), called _readme.txt in each folder.

How to remove Cuba Ransomware and decrypt .cuba files

Cuba Ransomware is a malicious program, which uses a set of cryptographic algorithms to encrypt personal data. The virus has been seen in different versions with different styles of encryption. They might differ by ransom instructions, but usually, all of them apply the same .cuba extension and FIDEL.CA file marker in the header. For example, an infected file like 1.mp4 will transform and start looking like this 1.mp4.cuba or similar. Then, once the encryption is up, Cuba drops a text file stating how to decrypt your data. Many victims have received various instruction samples (!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT). In most of the cases, all of them tell victims to contact the attached e-mail with their personal ID number. After this, people will get the necessary steps to run the payment and retrieve the decryption tools promised by the developers. Unfortunately, statistics upon successful decryption are pretty poor. This is because there are potent ciphers applied to the files, which makes it hard to decrypt them.

How to remove Cring Ransomware and decrypt .cring files

Cring is categorized as a ransomware-type virus that encrypts personal data of various sorts (images, videos, documents, etc.) To make the encryption successful, Cring applies special cryptographic algorithms, which establish strong cipher protection. All of this is accompanied by the assignment of the ".cring" extension, which is added to the end of each file. As an example, the original piece like 1.mp4 will be changed to 1.mp4.cring and reset its icon. Whilst this process is underway, the virus prepares to drop a text file (!!!!deReadMe!!!.txt) containing ransom instructions. Inside of a document, extortionists are straightforward saying that your files are impossible to unlock on your own. The only solution is to contact developers and pay a fee of 2 bitcoins. Unfortunately, because the infection is very new to the ransomware world, cyber experts have not found a way to decrypt it for free just yet.

How to remove Ygkz Ransomware and decrypt .ygkz files

Being part of the Djvu and STOP virus family, Ygkz Ransomware is a file-encrypting virus that has been strolling around the web since February, 2021. In fact, developers distribute a plethora of versions that vary from each other by extensions, cybercriminals' e-mail, and other details. There are over 300 extensions that STOP Ransomware has used to attack the user's data. In our case, STOP Ransomware appends .ygkz extension to files so that they become encrypted. For instance, something like 1.mp4 will be retitled to 1.mp4.ygkz and reset its default icon after infection. Sequentially, the program creates a note called _readme.txt that contains ransom information. Usually, the generated content looks very similar in all ransomware types. It only differs by insignificant details notifying users that their system has been infected and experienced data encryption with high-end algorithms like AES-256, RSA, or others. Thereafter, swindlers claim that you should spend about 980$ on purchasing a decryption key that will access your data.

How to remove DEcovid19 Ransomware and decrypt .covid19 or .locked files

A new ransomware infection known as DEcovid19 has come to the web and caused a lot of attacks on unprotected PCs. The virus was reported on 11th January by desperate victims with data encrypted. Based on current information, it is clear that DEcovid19 blocks access to data by changing file extensions to .covid19 or .locked. An example of the original 1.mp4 impacted by ransomware may appear in two ways: either as 1.mp4.locked or 1.mp4.covid19. Once the encryption process gets to a close, the malicious program creates a text note (!DECRYPT_FILES.txt or ATTENTION!!!.txt) meant to explain decryption instructions. Inside, users can see a quick skim through the virus information. The next part of the text is dedicated to restoring your data. Users are said to contact the telegram bot attaching personal ID in the subject line and writing how many PCs need to be decrypted. It is also necessary to send 1-2 encrypted files that do not contain important information (less than 2MB) so that cybercriminals could match up the right decoder for your data. The last, but not least said by swindlers is time boundaries - you have 72 hours to make a decision and pay for the decryption key.