malwarebytes banner

Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove DASHA Ransomware and decrypt .ecrp files

0
DASHA Ransomware is a new variant of Eternity Ransomware. This malware is designed to encrypt system-stored data and demand money for its decryption. While restricting access to files (e.g., photos, videos, documents, databases, etc.), the virus alters file appearance with the .ecrp extension. For instance, a file previously named 1.pdf will therefore change to 1.pdf.ecrp and become no longer accessible. Once this process gets to a close and all targeted files are eventually renamed, DASHA replaces the desktop wallpapers and displays a pop-up window with ransom instructions.

How to remove Loki Locker Ransomware and decrypt .Loki files

0
Loki Locker is the name of a ransomware virus designed to extort money from victims by running strong encryption of data. It uses a combination of AES-256 and RSA-2048 algorithms and also alters the names of encrypted data according to this template - [][]original_file.Loki. For instance, a file previously named 1.pdf will change to [DecNow@TutaMail.Com][C279F237]1.pdf.Loki and become no longer accessible. It is worth noting that there are also some newer versions of Loki Locker, which rename data with .Rainman, .Adair, .Boresh, .PayForKey, or .Spyro extensions. Following the successful blockade of files, the virus creates two files (Restore-My-Files.txt and info.hta) with similar ransom-demanding instructions. In addition, Loki Locker also replaces the desktop wallpapers to display brief steps on what should be done.

How to remove LOL! Ransomware and decrypt .LOL! files

0
Being a new variant of PGPCoder Ransomware, LOL! is also designed to encrypt system-stored data with the help of asymmetric RSA and AES algorithms. Such algorithms are oftentimes strong making manual decryption next to impossible, however, this is yet to be discussed in detail further below. During encryption, the virus also appends its .LOL! extension to each file affected. For an instance, if it was 1.pdf attacked by the encryptor, it would change to 1.pdf.LOL! and become no longer usable. As soon as all targeted files end up access-restricted, the virus drops the get data.txt file to each folder containing encrypted data (including desktop). This file is meant to explain what happened and most importantly instruct victims through the recovery process.

How to remove IceFire Ransomware and decrypt .iFire files

0
IceFire is the name of a computer infection classified as ransomware. Cybercriminals behind it target data encryption of business users and then extort money (in Monero cryptocurrency) for file decryption. While analyzing technical reports of the virus, we saw it using a combination of cryptographic AES + RSA algorithms to encipher important pieces of data. Just like other infections of such, IceFire Ransomware uses its own extension - .iFire to highlight the restricted data. To illustrate, a file previously titled 1.pdf will change to 1.pdf.iFire and become no longer accessible. Following successful encryption, cybercriminals lay out instructions on what recovery steps should be taken within the iFire-readme.txt note.

How to remove Venus Ransomware and decrypt .venus files

0
Venus is a ransomware-type virus that was recently discovered by a malware researcher called S!Ri. Its main function is file encryption and also the extortion of money for decryption from victims. While enciphering data with cryptographic algorithms, all the affected files get changed with the .venus extension. To illustrate, if 1.pdf ends up affected by the infection, it will become 1.pdf.venus also and reset its original icon. After this, victims get to familiarize themselves with decryption instructions inside of the README.txt note. Desktop wallpapers get replaced as well.

How to remove WildFire Locker Ransomware and decrypt .wflx files

0
WildFire Locker is a malicious program categorized as ransomware. It operates by restricting access to data (with AES-256 CBC encryption algorithms) and then demanding money from victims. During the data encryption process, all targeted files acquire this long and written format #WildFire_Locker#[original file name]##.[original extension].wflx. Cybercriminals do so to highlight encryption and make victims spot it. For instance, a file previously named documents.pdf will therefore become something like #WildFire_Locker#documents##.pdf.wflx and reset its original icon as well. Following this, the virus creates three files with .txt, .html, and .bmp extensions providing relevant information about the decryption procedure. Most detailed instructions are given inside the HOW_TO_UNLOCK_FILES_README_(victim's unique ID).txt text note.

How to remove PLAY Ransomware and decrypt .PLAY files

0
PLAY is a ransomware-type virus that runs encryption of important data and extorts money from victims. While rendering files inaccessible, it assigns the .PLAY extension and also creates a text note called ReadMe.txt. For instance, a file previously titled 1.pdf will change to 1.pdf.PLAY and reset it's icon after encryption. Since then, victims lose control over their data and have to read instructions on its recovery in the created text note. It is common for ransomware infections to be distributed via phishing techniques. A virus may be disguised as some legitimate-looking file (e.g., Word, Excel, PDF, EXE, JavaScript, RAR, ZIP, etc.) and be sent inside of an e-mail spam letter. Such a letter may present information explaining the “importance” of opening attached files or links.

How to remove Ransomcrow Ransomware and decrypt .encrypted files

0
Ransomcrow is a ransomware infection designed to encrypt valuable data and blackmail victims into paying money for its retrieval. During encryption, it assigns the .encrypted extension, which is generic to many file-encryptors. To illustrate, a file initially named 1.pdf will change to 1.pdf.encrypted and also drop its icon. After this, the virus creates a text note called readme.txt and also replaces desktop wallpapers. Information within the generated note is meant to guide victims through the recovery process. It is said a payment equivalent to €50 in Bitcoins is necessary for transfer to get special decryption tools and return the data. Victims can also contact swindlers for in-person communication via the given email address (ransomcrow@proton.me). As a rule, decryption without the help of cybercriminals is very complex and even impossible - it may be the opposite if there are some bugs or flaws alleviating third-party interference.