
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Jigsaw Ransomware and decrypt .onion, .LoLSec, .fun or .cat files

Jigsaw Ransomware is a widespread family of ransomware. Ransomware is designed to encrypt files on a victim's computer, rendering them inaccessible, and then demand a ransom payment in exchange for the decryption key needed to restore the files. Jigsaw Ransomware gained attention in April 2016 when it was first discovered. It was named after the iconic character from the movie "Saw" because it uses an image of that character as its logo. Jigsaw Ransomware targets Windows-based systems and spreads through various methods such as malicious email attachments, infected downloads, or exploit kits. Once a computer is infected with Jigsaw Ransomware, it begins encrypting files on the system, including documents, images, videos, and other important data. It then displays a ransom note on the victim's screen, demanding a payment, usually in Bitcoin, within a specified time frame. If the victim fails to pay the ransom within the given time, Jigsaw Ransomware threatens to delete a portion of the encrypted files as a form of punishment. It also displays a countdown timer, adding a psychological element of urgency.

How to remove Alphaware Ransomware and decrypt .Alphaware files

Alphaware Ransomware is a malicious program that employs a combination of algorithms to encrypt the valuable data of its victims. After encrypting the files, this ransomware reveals its original name, Alphaware, in a note, while the associated executable is named Alphaware.exe. The perpetrators behind this threat identify themselves as the Alpha group of hackers. Their modus operandi involves demanding a ransom of $300 in BTC (Bitcoin) in exchange for the decryption key needed to restore the compromised files to their original state. Alphaware Ransomware, which first surfaced around mid-May 2023, is primarily targeted at English-speaking users but has the potential to infect systems worldwide. Encrypted files are renamed with the .Alphaware extension appended. The ransom demand is delivered in a file named readme.txt.

How to remove Vatq Ransomware and decrypt .vatq files

A new generation of STOP Ransomware (Djvu Ransomware) has been adding the .vatq extension to encrypted files since the end of May 2023. Vatq Ransomware belongs to a family of crypto-viruses that extort money in exchange for data decryption. The latest examples of STOP Ransomware are sometimes categorized as Djvu Ransomware, as they have used nearly identical ransom note templates since the beginning of 2019, when the .djvu extension was appended. Vatq Ransomware uses the same email addresses as the last dozens of versions: support@freshmail.top and datarestorehelp@airmail.cc. Full decryption is only possible in 1-2% of cases, when an offline encryption key was used (by means of STOP Djvu Decryptor). In other cases, use the instructions and tools offered in this article. Vatq Ransomware creates a _readme.txt ransom note file that looks almost the same as in previous versions.

How to remove FAST Ransomware and decrypt .FAST files

FAST Ransomware is a type of malware that our research team recently discovered while investigating submissions on the VirusTotal website. This particular malicious program is classified as ransomware, which means it is designed to encrypt data on a victim's computer and demand a ransom in exchange for its decryption. When we tested the ransomware on our own machine, we observed that it encrypted files and modified their filenames. The original file names were altered by appending the cybercriminals' email address, a unique victim ID, and the .FAST extension. For example, a file named sample.pdf would appear as sample.pdf.EMAIL=[fastdec@tutanota.com]ID=[RANDOM].FAST after encryption. After completing the encryption process, FAST Ransomware dropped a ransom note titled #FILEENCRYPTED.txt onto the victim's desktop.

How to remove EXISC Ransomware and decrypt .EXISC files

EXISC is a form of malware known as ransomware that came to our attention during our investigation. Its primary purpose is to encrypt data and demand payment in exchange for the decryption key. Upon executing a sample of this ransomware on our test system, we observed that it encrypted files and appended the .EXISC extension to their original filenames. For instance, a file named sample.pdf would appear as sample.pdf.EXISC. The ransomware also created a ransom note titled Please Contact Us To Restore.txt. Based on the message contained in the note, it became evident that EXISC primarily targets large organizations rather than individual home users. Victims often do not receive the promised decryption keys or software, even after complying with the ransom demands. Therefore, we strongly discourage paying the ransom, as it does not guarantee data recovery and only perpetuates criminal activities.

How to remove Vaze Ransomware and decrypt .vaze files

Vaze Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is a widespread file-encrypting extortion virus. It is one of the most dangerous ransomware families, with a high damaging effect and prevalence rate. It uses the AES-256 encryption algorithm in CFB mode with a zero IV and a single 32-byte key for all files. A maximum of 0x500000 bytes (~5 Mb) of data at the beginning of each file is encrypted. The virus appends the .vaze extension to encoded files. The infection affects important and valuable files: MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives, application files, etc. Djvu Ransomware does not encrypt system files, so that Windows keeps operating correctly and users are able to browse the internet, visit the payment page and pay the ransom. Vaze Ransomware creates a _readme.txt file, called a "ransom note", which contains payment instructions and contact details. The virus places it on the desktop and in the folders with encrypted files. The developers offer the following contact details: support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Vapo Ransomware and decrypt .vapo files

The disastrous virus known as STOP Ransomware, in particular its latest variation Vapo Ransomware, does not let up and continues its malicious activity even during the peak of the human coronavirus pandemic. Hackers release new variations every 3-4 days, and it is still hard to prevent the infection and recover from it. Recent versions use a modified extension appended to the end of affected files, now .vapo. Although decryption tools from Emsisoft are available for previous versions, the newest ones are usually non-decryptable. The penetration, infection, and encryption processes remain the same: spam malvertising campaigns, peer-to-peer downloads, user inattentiveness, and lack of decent protection lead to a severe loss of data after encryption with the strong AES-256 algorithm. After finishing its devastating activity, Vapo Ransomware leaves a text file, a ransom note called _readme.txt, from which we learn that decryption costs from $490 to $980 and is impossible without a specific decryption key.

How to remove Gatq Ransomware and decrypt .gatq files

Gatq Ransomware is, in fact, a subtype of the notorious STOP Ransomware (DjVu Ransomware), which has been active since December 2017. The virus uses the AES-256 (CFB mode) encryption algorithm. This new version appeared in the middle of May 2023 and adds the .gatq extension to encrypted files. STOP Ransomware belongs to a family of crypto-viruses that demand money in exchange for decryption. The good news is that most previous versions of this ransomware could be decrypted using a special tool called STOP Djvu Decryptor (download link below in the article), developed by Emsisoft. Gatq Ransomware uses exactly the same e-mails, ransom note patterns and other parameters as dozens of its predecessors: support@freshmail.top and datarestorehelp@airmail.cc. The malware creates a _readme.txt ransom note file with all the contact information and explanations.