Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Infa Ransomware and decrypt .infa files

Infa is a ransomware infection that encrypts various kinds of personal data stored on a system. Once encryption completes, victims can no longer access their data. Infa Ransomware assigns one common extension (.infa) to all compromised files, so a file like 1.pdf becomes 1.pdf.infa, and similarly for other names. Straight after all files have been renamed, the virus drops a text note called readnow.txt on the desktop. It contains general information on how to recover your data. As stated in the note, files such as photos, videos, documents, and other formats have been encrypted. To remove the encryption, victims are told to contact the cybercriminals (via stevegabriel2000@gmail.com) and buy a special decryption key. The price is 0.0022 BTC, about $95 at the time of writing this article. The note also states that 2 days are allocated for file decryption; unless you complete the payment in time, your files will be wiped from the system. Whether to pay for decryption is your own decision.

How to remove MedusaLocker Ransomware and decrypt .krlock, .L54, .ever101 files

MedusaLocker is one of the largest ransomware operations, distributed in a number of variants. Like other ransomware programs, the virus is meant to encrypt data stored on the PC and demand a monetary ransom in exchange for decryption software. .krlock, .L54, and .ever101 are the most recent versions published by MedusaLocker Ransomware, and they are also the extensions assigned to each compromised file. For instance, a file like 1.pdf becomes 1.pdf.krlock, 1.pdf.L54, or 1.pdf.ever101, depending on which version infected your system. There is no real difference between the versions: all of them use a combination of the AES and RSA algorithms to encrypt the data. The only aspect that varies is the ransom note created after encryption is done. Although the wording differs, the notes carry more or less the same message to infected victims. You may see ransom notes named Recovery_Instructions.html, HOW_TO_RECOVER_DATA.html, or similar, which open as browser pages.

How to remove Venomous Ransomware and decrypt .venomous files

Venomous is a ransomware-type virus that locks most of the stored data and demands a so-called ransom to return it. This process is known as file encryption: the malware applies the AES-256 algorithm to the data. Besides encrypting file contents, Venomous also changes how files appear. It combines the original file name, the victim's ID, and the .venomous extension to rename compromised data. For instance, a file like "1.pdf" will appear as 1.pdf.FB5MMSJUD2WP.venomous at the end of encryption. Soon after this, Venomous creates a text file called SORRY-FOR-FILES.txt that stores decryption instructions. The note states that all data held on your system has been encrypted with strong algorithms. It also warns not to rename or edit encrypted files, as doing so may corrupt them. To ensure guaranteed and corruption-free recovery of data, victims are offered decryption keys held by the cybercriminals. For this, users are told to send their personal ID to @venomous_support via the Telegram app or to contact the extortionists at the venomous.files@tutanota.com e-mail address. On top of that, the note offers a free decryption test before paying the ransom: victims are guided to open a Tor link attached to the note and upload 1 encrypted sample file.

How to remove Dharma-TOR Ransomware and decrypt .TOR files

Being part of the Dharma Ransomware family, Dharma-TOR is another malicious program that encrypts personal data. By doing so, its developers force victims into paying a so-called ransom. The first sign of Dharma-TOR infecting your system is the new file extension. Cybercriminals append the victim's personal ID, a contact address, and the .TOR extension to the end of each file. For instance, 1.pdf or any other file stored on your system will be renamed to 1.pdf.id-C279F237.[todecrypt@disroot.org].TOR, or something similar. Soon after all data has been changed, Dharma-TOR displays a pop-up window along with a text file called FILES ENCRYPTED.txt, which is dropped onto the desktop. Both the pop-up window and the text note are meant to walk victims through the recovery process. They say that users should contact the developers at the e-mail address stated in the extension, quoting their personal ID. In case of no response, victims are guided to use the other e-mail address given in the note. After establishing contact with the cybercriminals, users are likely to receive payment instructions to purchase decryption of their data.

How to remove Makop Ransomware and decrypt .hinduism, .gamigin or .dev0 files

Users infected with Makop Ransomware will find their data blocked from regular access and visibly renamed. Makop developers use several versions to spread to victims. The only real difference between them lies in the extensions and e-mail addresses (.hinduism, .gamigin, .dev0, etc.) used to rename the encrypted files; the rest is a pure replication of previous Makop versions from a template. Once this virus settles into a PC, almost all available data is assigned a unique victim ID, a contact e-mail, and an extension that depends on which version infected your system. For instance, a file like 1.pdf will be changed to something like 1.pdf.[9B83AE23].[hinduism0720@tutanota.com].hinduism, or similarly with other extensions such as .gamigin, .dev0, or .makop. Soon after this stage of encryption ends, the virus drops a text note called readme-warning.txt into each folder containing compromised data. The note lists a number of Q&A items explaining recovery details. It tells users that the only way to restore data is to pay for decryption in Bitcoin. Payment instructions are obtained only after establishing contact by e-mail (hinduism0720@tutanota.com, gamigin0612@tutanota.com, xdatarecovery@msgsafe.io, or another address). Like the extensions, the contact addresses vary from victim to victim.

How to remove Gooolag Ransomware and decrypt .crptd files

Gooolag is a ransomware infection that cuts all stored data off from regular access in order to demand a recovery ransom. High-revenue companies are the most likely targets of this ransomware version. Cybercriminals append the .crptd extension to each encrypted file. For instance, a file like 1.xls becomes 1.xls.crptd and loses its original icon. Following this stage of encryption, victims are met with decryption instructions presented inside a text note called How To Restore Your Files.txt. The note contains alarming claims about the data. First, the cybercriminals state that 600 Gigabytes of important data have been uploaded to anonymous servers. Then, victims are threatened with DDoS (distributed denial-of-service) attacks on the company's entire domains and contacts. To prevent this from happening and to avoid losing all their data, victims are told to contact the extortionists by e-mail (Gooolag46@protonmail.com or guandong@mailfence.com). Should the developers suspect that police or cyber authorities have been involved, the recovery process will be affected.

How to remove Kikiriki Ransomware and decrypt .kikiriki files

Kikiriki is a ransomware infection that cuts off access to data stored on a PC. All important files end up encrypted and visibly renamed. Kikiriki developers append the new .kikiriki extension along with the victim's ID. To illustrate, a file like 1.pdf is likely to change to 1.pdf.kikiriki.19A-052-6D8, or similar. Soon after this, the virus creates a text file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT. The ransomware developers state that there is no way to decrypt your data other than paying the ransom. The price for decryption is to be decided in further negotiations; however, victims are already informed that it should be paid in Bitcoin. To learn further payment instructions, victims are asked to contact the extortionists via the qTOX or Jabber platforms. The note also offers a free decryption test: victims may send 2 encrypted files in .jpg, .xls, .doc, or a similar format, except for databases (maximum 2MB in size). This is meant to prove the decryption capability and build the victims' trust. Despite this, it is common for cybercriminals to cheat their victims even after receiving the ransom. Thus, paying the ransom carries risks that anyone infected with this malware should weigh.

How to remove JanusLocker Ransomware and decrypt .HACKED files

Being part of the ByteLocker family, JanusLocker is a ransomware infection that blocks access to files stored on a system. By doing so, its developers blackmail victims into paying a so-called ransom in exchange for the data. Both payment and decryption instructions are located inside a text note, which is created after all files have been encrypted. JanusLocker assigns the .HACKED extension to each file. For instance, 1.pdf or any other file attacked on your PC will change to 1.pdf.HACKED and become inaccessible. The note says that all important data has been encrypted using the AES-256 algorithm. To remove the encryption, users are guided to pay for unique decryption software. The price is roughly 0.018 BTC, about 618 USD at the moment of writing this article. After users complete the transfer to the attached crypto address, they are to notify the cybercriminals of their transaction ID by e-mail (TwoHearts911@protonmail.com). Soon afterward, users should receive the promised decryption tools purchased from the cybercriminals. Unfortunately, this is not always the case: many ransomware developers cheat their victims even after receiving the payment. This is why paying JanusLocker's operators is a considerable risk.