
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Sheeva Ransomware and decrypt .sheeva files

Sheeva is a recently-discovered ransomware infection that targets Windows systems to encrypt potentially important data and demand payment from victims for its decryption. While executing the virus on our test machine, Sheeva encrypted mostly business-related files involving accounting, finance, and database information. It also renamed each file according to the pattern id[victim's_ID].[Sheeva@onionmail.org].[original_filename].sheeva. For instance, a file named 1.xlsx was renamed to id[xmrJ9Lve].[Sheeva@onionmail.org].1.xlsx.sheeva and lost its original icon. After this, the ransomware created a text file named sheeva.txt containing decryption instructions. Cybercriminals say that victims will have to pay an unspecified amount of money in Bitcoin to receive unique decryption tools. For this, users are instructed to contact the swindlers at either Sheeva@onionmail.org or Sheeva@cyberfear.com and to include their personally-generated ID. Victims are also allowed to send two files (under 5 MB) to be decrypted for free. Many cybercriminals use this trick to demonstrate their decryption abilities and motivate victims into further collaboration. Since Sheeva Ransomware targets business-related data, it is reasonable to assume that its scope is corporate rather than home users. This means the price later announced for decryption may be quite high and deter many victims from decryption. Unfortunately, unless a ransomware virus contains serious bugs or is poorly developed, manual decryption without the help of the extortionists is almost impossible.

How to remove Checkmate Ransomware and decrypt .checkmate files

Checkmate is a new ransomware infection that encrypts large volumes of office data and demands that victims pay 15,000 USD for its decryption. The virus uses secure algorithms to encipher important pieces of data (e.g., documents, tables, databases, photos, etc.). During this process, all affected files are visually changed with the .checkmate extension. For instance, a file named 1.xlsx will change to 1.xlsx.checkmate and its original icon will be reset to blank. As a result, the data is no longer accessible. Lastly, the developers create a text note called !CHECKMATE_DECRYPTION_README.txt to explain how files can be decrypted. The note states how many files have been encrypted and what can be done to reclaim them. As mentioned above, the extortionists require victims to pay the equivalent of 15,000 USD in Bitcoin to their crypto wallet address. Additionally, the swindlers offer a free decryption test: victims can send 3 encrypted files (no more than 15 MB each) through the Telegram messenger. They will then supply the victim with free decrypted samples and provide the wallet address for the ransom payment. After the money is transferred, the cybercriminals promise to respond with decryption tools to unlock access to the data. Unfortunately, at the time of writing, there are no third-party tools that allow free decryption without the direct help of the cybercriminals. The encryption used by ransomware is usually very strong, making independent decryption tools oftentimes useless.

How to remove LIZARD (LANDSLIDE) Ransomware and decrypt .LIZARD or .LANDSLIDE files

LIZARD and LANDSLIDE are two very similar ransomware infections developed by the same group of extortionists. They both encrypt personal data and create identical text files (#ReadThis.HTA and #ReadThis.TXT) explaining how users can restore access to the restricted data. The two variants also rename encrypted files almost identically. Depending on which of the two infected your system, targeted files are altered to [DeathSpicy@yandex.ru][id=victim's_ID]original_filename.LIZARD or [nataliaburduniuc96@gmail.com][id=victim's_ID]original_filename.LANDSLIDE; the only differences are the cybercriminals' e-mail address and the final extension (.LIZARD or .LANDSLIDE). After encryption is done, the virus creates the text files mentioned above with identical content. Victims are informed that, in order to decrypt the files, they have to contact the swindlers through one of the given e-mail addresses. The cybercriminals say they will set an exact price for decryption, to be paid by victims in Bitcoin (BTC). After this, they promise to send a decryption tool that will help affected users unlock the restricted data. In addition, the cybercriminals offer to decrypt one file of 100-200 KB sent along with the e-mail message. It will be decrypted for free and returned to the victim as proof that the ransomware developers are capable of decryption. Although the cybercriminals are usually the only ones able to decrypt the files completely, many security experts advise against paying the ransom.

How to remove Makop Ransomware and decrypt .mkp, .baseus or .harmagedon files

If you are wondering why you are unable to access your data, it could be because Mkp Ransomware, Baseus Ransomware or Harmagedon Ransomware attacked your system. These file-encryptors belong to the Makop ransomware group, which has produced a number of similar infections including Mammon, Tomas, Oled, and more. Whilst encrypting all valuable data stored on a PC, these versions of Makop append the victim's unique ID, the cybercriminals' e-mail address, and the new .mkp, .baseus or .harmagedon extension to mark the blocked files. For instance, 1.pdf, which was previously safe, will change its name to something like 1.pdf.[10FG67KL].[icq-is-firefox20@ctemplar.com].mkp, 1.pdf.[7C94BE12].[baseus0906@goat.si].baseus or 1.pdf.[90YMH67R].[harmagedon0707@airmail.cc].harmagedon at the end of encryption. Soon after all files have been renamed, the virus creates a text file (readme-warning.txt) with ransom instructions.

How to remove PAY2DECRYPT Ransomware and decrypt .PAY2DECRYPT files

Pay2Decrypt is a ransomware-type virus that encrypts personal data and blackmails victims into paying a so-called ransom. A ransom is usually some amount of money cybercriminals demand from users for file decryption. Each file encrypted by the virus will appear with the .PAY2DECRYPT extension followed by a set of random characters. To illustrate, a sample originally named 1.pdf will be changed to 1.pdf.PAY2DECRYPTRLD0f5fRliZtqKrFctuRgH2 and its icon reset as well. After this, users will no longer be able to open and view the encrypted file. Immediately after successful encryption, the ransomware creates a hundred text files with identical content: Pay2Decrypt1.txt, Pay2Decrypt2.txt, and so forth up to Pay2Decrypt100.txt.

How to remove Sojusz Ransomware and decrypt .sojusz, .likeoldboobs or .Gachimuchi files

Sojusz is the name of a ransomware infection. It belongs to the Makop ransomware family, which designs a number of different file encryptors. Sojusz blocks access to data and demands money for its decryption. Research showed that it marks encrypted files by appending a random string of characters, the ustedesfil@safeswiss.com e-mail address, and the .sojusz extension. This means a file like 1.pdf will be changed to 1.pdf.[fd4702551a].[ustedesfil@safeswiss.com].sojusz and become inaccessible. Later versions of Sojusz used the following extensions: .bec, .nigra, .likeoldboobs, and .[BillyHerrington].Gachimuchi. After all targeted files are encrypted this way, the virus creates a text file called -----README_WARNING-----.txt (later versions also created the ransom notes !!!HOW_TO_DECRYPT!!!.txt, Horse.txt, README_WARNING_.txt and #HOW_TO_DECRYPT#.txt).

How to remove Rozbeh Ransomware and decrypt your files

Also known as R.Ransomware, Rozbeh is a ransomware infection that encrypts system-stored data to blackmail victims into paying money for its recovery. During encryption, it marks blocked data by appending a random four-character extension. For instance, a file like 1.pdf may change to 1.pdf.1ytu, 1.png to 1.png.7ufr, and so forth. Depending on which version of Rozbeh Ransomware attacked your system, instructions explaining how data can be recovered may be presented in the text notes read_it.txt or readme.txt, or even in a separate pop-up window. It is also worth noting that the most recent ransomware infection developed by the Rozbeh swindlers is called Quax0r. Unlike the other versions, it does not rename encrypted data and displays its decryption guidelines in the Command Prompt. In general, all the ransom notes mentioned above follow the same pattern of guiding victims to pay the ransom: contact the malware creators through Discord or, in some cases, by e-mail, and send 1 Bitcoin (about $29,000 at the time of writing) to the cybercriminals' crypto address. After the payment is made, the extortionists promise to send a file decryptor along with the key needed to unlock the encrypted data. Unfortunately, in the majority of cases, the encryption methods cybercriminals use to render files inaccessible are complex, making manual decryption near-impossible. You can give it a try using some third-party tools in our tutorial below; however, we are unable to guarantee they will actually work.

How to remove ZareuS Ransomware and decrypt .ZareuS files

ZareuS is the name of a ransomware infection that encrypts files and extorts cryptocurrency from victims. During encryption, the virus alters file names with the .ZareuS extension. In other words, if a file like 1.pdf is affected by the infection, it is changed to 1.pdf.ZareuS and its original icon is reset as well. Thereafter, to guide victims through the decryption process, the cybercriminals create a text file called HELP_DECRYPT_YOUR_FILES.txt in each folder containing the now-inaccessible data. It says the encryption was performed with strong RSA algorithms. Victims are therefore instructed to buy a special decryption key, which costs $980; the amount has to be sent to the cybercriminals' crypto address. After doing so, victims have to confirm the payment by writing to lock-ransom@protonmail.com (the e-mail address provided by the attackers). As an additional measure to incentivize victims into paying the ransom, the extortionists propose to decrypt 1 file for free. Victims can do this and receive one file fully unlocked to confirm that decryption actually works. It is unfortunate to say, but files encrypted by ZareuS Ransomware are almost impossible to decrypt without the help of the cybercriminals. It is only possible if the ransomware is bugged, contains flaws, or has other weaknesses that make third-party decryption feasible. A better and guaranteed method to get your data back is to recover it from backup copies. If such copies are available on non-infected external storage, you can simply replace your encrypted files with them.
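Every family described above announces itself through a distinctive rename pattern or ransom-note filename, so a responder can triage a directory listing and recover the original filenames without opening a single encrypted file. The following Python is an added example, not code from any of the articles: the regular expressions are reconstructed from the filename examples above, victim IDs and e-mail addresses are matched generically, the position of the .[BillyHerrington].Gachimuchi extension is an assumption, and Rozbeh is not matched because its four-character extension is random.

```python
import re
from collections import Counter

# Rename patterns reconstructed from the write-ups above; IDs and e-mails vary per victim.
RENAME_PATTERNS = {
    "Sheeva": re.compile(r"^id\[[^\]]+\]\.\[[^\]]+\]\.(?P<orig>.+)\.sheeva$"),
    "Checkmate": re.compile(r"^(?P<orig>.+)\.checkmate$"),
    "LIZARD/LANDSLIDE": re.compile(r"^\[[^\]]+\]\[id=[^\]]+\](?P<orig>.+)\.(LIZARD|LANDSLIDE)$"),
    # Makop and Sojusz share one layout; where .[BillyHerrington].Gachimuchi sits is assumed.
    "Makop family": re.compile(
        r"^(?P<orig>.+)\.\[[A-Za-z0-9]+\]\.\[[^\]]+@[^\]]+\]"
        r"\.(mkp|baseus|harmagedon|sojusz|bec|nigra|likeoldboobs|\[BillyHerrington\]\.Gachimuchi)$"),
    "PAY2DECRYPT": re.compile(r"^(?P<orig>.+)\.PAY2DECRYPT[A-Za-z0-9]+$"),
    "ZareuS": re.compile(r"^(?P<orig>.+)\.ZareuS$"),
}

# Ransom-note filenames named in the articles (readme.txt is a weak, generic signal).
RANSOM_NOTES = {
    "sheeva.txt": "Sheeva",
    "!CHECKMATE_DECRYPTION_README.txt": "Checkmate",
    "#ReadThis.HTA": "LIZARD/LANDSLIDE", "#ReadThis.TXT": "LIZARD/LANDSLIDE",
    "readme-warning.txt": "Makop family", "-----README_WARNING-----.txt": "Makop family",
    "!!!HOW_TO_DECRYPT!!!.txt": "Makop family", "Horse.txt": "Makop family",
    "README_WARNING_.txt": "Makop family", "#HOW_TO_DECRYPT#.txt": "Makop family",
    "read_it.txt": "Rozbeh", "readme.txt": "Rozbeh", "HELP_DECRYPT_YOUR_FILES.txt": "ZareuS",
}
PAY2DECRYPT_NOTE = re.compile(r"^Pay2Decrypt\d{1,3}\.txt$")  # Pay2Decrypt1.txt .. Pay2Decrypt100.txt

def classify(name):
    """Return (family, original_filename) for an encrypted file name, else None."""
    for family, pat in RENAME_PATTERNS.items():
        if (m := pat.match(name)):
            return family, m.group("orig")
    return None

def note_family(name):
    """Return the family a ransom-note filename belongs to, else None."""
    if PAY2DECRYPT_NOTE.match(name):
        return "PAY2DECRYPT"
    return RANSOM_NOTES.get(name)

def triage(names):
    """Count encrypted files per family and ransom notes (keyed '<family> note')."""
    hits = Counter()
    for n in names:
        if (hit := classify(n)):
            hits[hit[0]] += 1
        elif (fam := note_family(n)):
            hits[fam + " note"] += 1
    return hits
```

Feed `triage()` the output of `os.listdir()` on a quarantined copy of the affected share; a non-empty result both names the family to look up and tells you which files still have a recoverable original name.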