malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Ewdf Ransomware and decrypt .ewdf files

Ewdf is a ransomware infection originating from the Djvu/STOP family. This family is a group of developers responsible for infecting a bunch of users with different file encryptors. Ewdf is new but has traits very similar to its precursors. The virus encrypts personal data while assigning the .ewdf extension. To illustrate, a file called 1.pdf will experience a change to 1.pdf.ewdf and reset its original icon after successful encryption. In order to decrypt the blocked data, victims are given instructions to follow inside a ransom note (_readme.txt). The ransom note states files have been encrypted and will be inaccessible until victims send money to cybercriminals. It said data decryption costs $980, but can be halved down to $490 if victims contact swindlers within the first 72 hours. In addition, ransomware developers offer their victims to decrypt 1 blocked file for free. This file must not contain any valuable information so as to not lose the incentive of paying for full decryption. Unfortunately, decrypting files without cybercriminals is almost impossible. It can be done partially or damage file configuration if something goes wrong. The best way to capitalize on and avoid paying the ransom is to use backup copies. Many users do not have those, meaning they are desperate to remain with the encrypted data. Even so, you can still try using third-party instruments to decrypt or recover the blocked data.

How to remove LokiLok Ransomware and decrypt .LokiLok files

LokiLok is the name of a ransom infection. Upon successful installation onto a targeted system, it encrypts important files and blackmails victims into paying money for their decryption. We also discovered that LokiLok was developed on the basis of another ransomware virus called Chaos. Once encryption occurs, victims can see their data change with the .LokiLok extension. To illustrate, a file named 1.pdf will most change to 1.pdf.LokiLok and reset its original icon. After this, victims will no longer be able to access their data and ought to seek decryption instructions in the read_me.txt file. The virus also replaces default wallpapers with a new picture. Cybercriminals want victims to buy a special decryption tool. To do this, victims should contact extortionists using the attached e-mail address ( Prior to buying the necessary software, it is also offered to send 2 small files - cybercriminals promise to decrypt and send them back to prove decryption abilities. In addition, the message also instructs against trying to use external recovery methods since it may lead to irreversible destruction of data. Whatever guarantees are given by ransomware developers, it is always not recommended to trust them. Many fool their victims and do not send the decryption software even after sending them money.

How to remove Uihj Ransomware and decrypt .uihj files

The epidemic of STOP Ransomware still goes on, with its another successor called Uihj Ransomware. This nasty virus hits thousands of computers all over the world, mostly targeting the USA, Europe, and Australia. The most recent version uses .uihj extension, that it adds to the end of encrypted files. As DjVu Ransomware uses AES encryption algorithm, probability of decryption is low, but exists. Uihj Ransomware damages users' important data: photos, videos, documents, and other types of information, victims are ready to pay ransom for. At the same time, it doesn't touch system files to keep Windows operable. The latest generation of this virus creates a ransom note file called _readme.txt. This file provides general information about the infection, ransom amount, and contact details. The ransom note is typical. Malefactors let victims get acquainted with the conditions and price of the ransom, which is $980 and disclose e-mail addresses for contact and Although developers affirm, that there is not possible to recover files without paying the ransom, the objective situation is different. The virus code has bugs, that allow security specialists to retrieve the key in some cases. Particularly, if the PC is disconnected from the web during the encryption process, or hackers' servers are unavailable - Uihj Ransomware generates an offline key. This key can be found with a special decryption tool called STOP Djvu Decryptor.

How to remove Pay Ransomware and decrypt .Pay files

Pay Ransomware is, in other words, a file-encryptor that prevents users from accessing their own data. A recent investigation confirmed that this virus belongs to a group of ransomware developers known as Xorist. Similar to other infections of this type, the virus changes all encrypted files using the .Pay extension. To illustrate, a file named 1.pdf will change to 1.pdf.Pay and reset its original icon as well. After getting things done with encryption, Pay Ransomware displays a pop-up window and creates a text file titled HOW TO DECRYPT FILES.txt. Both of them contain identical information on how to return access to files. It is said that victims can restore access to files by paying 50$ to the Bitcoin address of cybercriminals. After completion, victims will have to contact extortionists via the qTox client and receive their decryption code. There is also a warning that 5 unsuccessful attempts to enter the right code will result in irreversible destruction of data. Following this, swindlers encourage victims to be more careful while doing the above-mentioned. Additionally, it is also said that no third-party software like antivirus will help, but only prevent further decryption of data. Unfortunately, what they outline in their messages can be true - some cybercriminals set up protection against manual attempts to decrypt blocked data. In such a case, the only option, if you are in burning need of restoring your files, is either to pay the required ransom or use your own backup copies from external storage to compensate for the loss.

How to remove Qlln Ransomware and decrypt .qlln files

STOP Ransomware is a sophisticated encryption virus, that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest version (Qlln Ransomware), appeared in late May 2022, adds .qlln extension to files and makes them unreadable. To date, the family includes about 400 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe and South America, India, and Southeast Asia. The threat also affected the United States, Australia, and South Africa. Although the Qlln virus is less known than GandCrab, Dharma, and other ransomware trojans, it is this year that accounts for more than half of the detected attacks. Moreover, the next rating participant, the aforementioned Dharma, lags behind him by this indicator by more than four times. A significant role in the prevalence of STOP Ransomware is played by its diversity: in the most active periods, experts found three or four new versions daily, each of which hit several thousand victims. The virus uses similar patterns in all versions: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine (it requires $490, but if not paid within 72 hours amount doubles to $980). Emsisoft experts, together with ransomware expert Michael Gillespie, have released a free STOP Djvu Decryptor (currently released and updated solely by Emsisoft). The development, created by Gillespie and Emsisoft specialists, uses a characteristic feature in the work of Qlln - the malware creates an encryption key based on the first five bytes of the affected object. This allows experts to recreate the key using the source file.

How to remove CryptBIT Ransomware and decrypt .cryptbit files

CryptBIT encrypts system-stored files making them no longer accessible and also demands victims to pay 400EUR for data decryption. Infections operating this way are therefore categorized as ransomware. During encryption, CryptBIT highlights blocked data by adding new extension (.cryptbit). In other words, a file like 1.pdf will change to 1.pdf.cryptbit and reset its original icon as well. The same change will occur with other file types encrypted by ransomware. The virus also changes desktop wallpapers and creates a text file named CryptBIT-restore-files.txt into each encrypted folder. This file instructs victims on how to decrypt their data. The note displays text that all files have been encrypted and uploaded to external servers. It is, therefore, said that victims can recover their data, but have to send 400EUR (in bitcoins) to the attached crypto address. Cybercriminals also ask to include the victim's e-mail address, to which they promise to send the necessary file decryptor. Unfortunately, it is unclear how victims should do it. While performing cryptocurrency transfers, it is often (if not always) impossible to include additional information like e-mail. Thus, such technical misunderstandings already give strong reasons against trusting cybercriminals behind CryptBIT Ransomware. It is also possible that this ransomware is only a pilot version, and cybercriminals will distribute updated ransomware someday in the future. Whatever it is, paying the ransom is always not recommended.