malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Locky Ransomware and decrypt .locky files

Locky is a ransomware virus that encrypts you files using the RSA-2048 and AES-1024 algorithms and demands 0.5 BTC (bitcoins) (equivalent to $207) for receiving "Locky Decrypter" to allow user decrypt his documents and images. This is a very dangerous blackmailing virus and there are currently only a few ways to decrypt your files. In this guide, we collected all information available that can help you remove Locky ransomware virus and restore infected files.

How to remove RedRum Ransomware and decrypt .redrum or .grinch files

RedRum Ransomware is a malicious piece that encrypts your data and demands to pay a ransom. Once the penetration reaches success, all stored data including images, videos, and text files will be encrypted with .redrum or .grinch (another version of RedRum family) extension. Case in point, if 1.mp4 got attacked by this virus, it will transform itself into 1.mp4.redrum or 1.mp4.grinch. As soon as encryption completes, RedRum will drop a text file (decryption.txt) with ransom information. According to the note provided by RedRum, you should pay for the decryption key. For this, you are purposed to send them an e-mail message and get further instructions. Unfortunately, ransomware is indeed very stubborn and does not give any sign of relief due to strong algorithms that make the decryption process almost impossible. However, you should certainly remove it from your PC to protect other files and apply all of the necessary measures to no let it happen again.

How to remove STOP Ransomware and decrypt .zipe, .nlah, .pezi or .covm files

STOP Ransomware or as it is often called DJVU Ransomware belong to the large family of file-encryption viruses with long history and multiple modifications. Currently, this is one of the most widespread ransomware. We won't go deep into technical details of the infection, but explain simple methods and chances to decrypt affected files and remove the virus. The first thing you should know, there are cases, that can be treated successfully, the bad news is - chances of a successful outcome are less than 5%. In this article we will observe variation that appends .zipe, .nlah, .pezi or .covm extension to files. STOP Ransomware uses a similar pattern with all victims. It comes as a fake windows update from torrent websites runs executable to disable security programs and starts the encryption process of valuable files, such as docs, videos, photos, music. In the end, it places a ransom note (_readme.txt) file in every folder with encrypted files.

How to remove Zeppelin Ransomware and decrypt your files

Zeppelin was discovered by GrujaRS, which is a malicious piece that infects computers and encrypts user's data. Programs of such are typically designed to make money on desperate users who got their files locked. As usual, with the encryption, comes a significant change in the file's extension - it renames them using the hexadecimal numeral system to something like this 1.mp4.126-A9A-0E9. In fact, the extension may vary by symbols since the virus can generate random values. Once the encryption is completed, Zepellin creates a text file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT on your desktop. In this note, extortionists offend you with ransom abuse calling you to contact them and buy a specific key. Unfortunately, there is no proven method that could decrypt your data for free at this point. The only way to do so is by following their instructions which is a huge risk. Although the decision lies on your shoulders, we recommend you to delete Zeppelin Ransomware in the guide below.

How to remove Hakbit Ransomware and decrypt .crypted, .ravack, .part or .gesd files

If you are unable to open your files, then more likely it is because Hakbit Ransomware attacked your PC. Developers of this piece use AES algorithms to cipher the stored data (e.g. images, videos, documents, text files, etc.). In other words, everything that is located on your disks will be completely locked. There are a couple of extensions used by Hakbit to alter files - .crypted, .ravack, .part or .gesd. Examples of encrypted files look like this 1.mp4.crypted, 1.jpg.ravack, 1.doc.part or 1.xls.gesd. After this, Hakbit drops a text file called HELP_ME_RECOVER_MY_FILES.txt and wallpaper.bmp, that replaces desktop wallpapers in some cases. Both of them contain information on how to get your files back. To do so, users should pay 300 USD in Bitcoin through the attached address and ring creators via e-mail. Unfortunately, buying decryption software is the only way to decrypt your data since none of the third-parties tools can handle it. However, we strongly advise you against spending your money on this because there is no guarantee that your data will be brought back.

How to remove CoronaLock Ransomware and decrypt .corona-lock or .biglock files

Discovered in 2020, CoronaLock restricts access to users' data by encrypting it with ChaCha, AES and RSA algorithms. Files compromised by this ransomware, experience a change in extension to either .corona-lock or .biglock. For example, if 1.mp4 gets modified by the virus, it will migrate to 1.mp4.corona-lock or 1.mp4.biglock. After this, extortionists display ransom information in the note (!!!READ_ME!!!.TXT or README_LOCK.TXT) that is dropped on the desktop. Interestingly enough, people who get attacked with ".biglock" extension, do not have any contact information in the ransom note to connect with cybercriminals. It seems like its developers forgot to include it before the release. In the meantime, ".corona-lock" versions do not have that drawback and contain e-mail in the text file. If you want to take a test-decryption, you are free to send them one file.