
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Erica Encoder Ransomware and decrypt your files

Erica Encoder is a ransomware infection that uses AES algorithms to encrypt users' data. Every file the virus touches is renamed to a randomly generated string of symbols. For example, the original 1.mp4 will lose its initial name and appear as something like R29vZ24lIENocm9tZS5s3ms9.qgazlb. Once all files have been encrypted, Erica Encoder creates a ransom note called HOW TO RESTORE ENCRYPTED FILES.TXT that is supposed to explain how to restore your data.

How to remove Encrp Ransomware and decrypt .encrp files

Encrp is another drastic infection that encrypts personal data and demands that victims pay a ransom. It was discovered by Jirehlov Solace, who categorized it as ransomware. Analysis showed that Encrp appends the .encrp extension to the files it infects, so after encryption a file will look like 1.mp4.encrp. Users are then presented with a text note (__READ_ME_TO_RECOVER_YOUR_FILES.txt) that contains information on decryption. It says that victims should send approximately $200 in BTC to the cybercriminals' account. The final step is to send an e-mail message that includes the transfer and computer IDs. If everything works out, you will be given the necessary tools to decrypt the files. Otherwise, the swindlers may ignore their promises and leave you with nothing but disappointment.

How to remove Ragnarok Ransomware and decrypt .thor or .ragnarok_cry files

Ragnarok is a ransomware infection discovered by Karsten Hahn. The consequences of this attack are similar to those of other threats of this type: stored data is encrypted and a new extension is added. The developers of Ragnarok Ransomware may have other versions of the virus; this one assigns the .thor or .ragnarok_cry extension. No additional symbols are included, so you will see the file with the malicious extension at the end (1.mp4.ragnarok_cry). Once the encryption process is complete, users receive a note with decryption steps called How_To_Decrypt_My_Files.txt (alternatively, !!Read_me_How_To_Recover_My_Files.html). The note states that encrypted files can be unlocked only with a special tool held by the cybercriminals. To get it, victims have to contact the swindlers and send the required fee in BTC to their address. You can also provide a file (less than 3Mb) for free decryption. This way, the extortionists are allegedly proving that they can be trusted. In reality, they can dump you and ignore the fact that you have paid for the recovery. Deleting Ragnarok Ransomware will not decipher your files, but it is important to do so to prevent further encryption of data.

How to remove Solve Ransomware and decrypt .encrypted files

Solve Ransomware is a malicious program that specializes in encrypting network storage. Victims whose NAS storage was infected saw their files change to the new .encrypted extension, so one of them would appear like this: 1.mp4.encrypted. This extension is generic and has been used by many ransomware developers. Solve Ransomware has not been examined enough for tools that unlock the assigned cipher to be available. This is why the extortionists offer victims the option of contacting them and paying the ransom in BTC, following the instructions in a text note (SOLVE ENCRYPTED FILES.txt) that is created once the encryption process is done. Unfortunately, this option does not guarantee transparency or honesty on the swindlers' part. You can be fooled and given no decryption tools even after making the payment. This is why we recommend that you delete Solve Ransomware and try to decrypt the data with the basic instruments provided below.

How to remove Egregor Ransomware and decrypt your files

Egregor is ransomware that belongs to the Sekhmet family, which promotes various versions of malware. This time around, users reported dealing with the virus called Egregor, which encrypts private data and demands payment for decryption. Depending on which version attacked your system, the encryption process may vary slightly. For example, Egregor adds the .egregor extension to each infected file, so they look like 1.mp4.egregor. Alternatively, files can receive a string of randomly generated characters (1.mp4.WaBuD). After the encryption is finished, the virus creates a note called RECOVER-FILES.txt that contains step-by-step instructions to recover the compromised data. It says that victims have to get in touch with the cybercriminals within 3 days via the attached browser link. If the deadline passes, the extortionists will publish sensitive data all over the web. The cybercriminals can ask different fees for the recovery. Sometimes the amount can exceed thousands of dollars, especially if the data has significant value to its owners. Unfortunately, you will not be able to find any free tools to decrypt the files affected by Egregor. At this moment, the only feasible way to recover data is by using an external backup if one was created prior to the encryption.

How to remove RenameX12 Ransomware and decrypt your files

RenameX12 is a ransomware infection that encrypts files of different sorts. Unlike similar infections of this type, it does not add any extensions or symbols to identify the blocked files. All data appears original even after the attack. The extortionists do this intentionally to prevent users from detecting the name of the ransomware and finding ways to decrypt the files. Despite this, cyber experts managed to crack the mystery and established the virus name via the text note (New Text Document) that is created after encryption. This note contains instructions to help you recover the locked data. The swindlers ask victims to contact them via one of the attached e-mails. After you pay the ransom (usually in Bitcoin), you will receive decryption tools to decipher the data. However, this is a huge risk, since there is no evidence of their trustworthiness. The best way to restore files is to delete the ransomware itself and recover data from an external backup if one was created prior to the encryption.

How to remove Mount Locker Ransomware and decrypt your files

Mount Locker is a file-encrypting program that targets the data of business networks. It marks the affected data by appending a new extension that includes ReadManual and a string of random characters. For instance, after encryption, victims will see a file change from 1.mp4 to 1.mp4.ReadManual.5B975F6B. Interesting fact: as one of the victims stated, some files that changed their names after the penetration were not encrypted at all. They were only affected visually. Whatever the case, Mount Locker always drops a note called RecoveryManual.html that gives step-by-step instructions on how to recover the locked files. It says that victims should not attempt to decrypt any files manually, as this can result in permanent loss. To restore your data, the cybercriminals ask you to follow the Tor browser link and pay the ransom in BTC. Because Mount Locker aims at IT companies, the required fee can be very high. However, paying still remains the only feasible way to revive the files, since there are no free methods to make a recovery. Otherwise, you can only restore them from an external backup if one was created and unplugged prior to the infection.

How to remove FindZip Ransomware and decrypt .crypt files (Mac)

Back in 2017, the Mac world encountered a new threat: FindZip Ransomware. It was found disguised as cracks for Adobe Premiere Pro and Microsoft Office promoted on piracy websites. When you open the downloaded file, you are presented with a transparent window. FindZip does not infect users by force: to launch the encryption, you have to click the "Start" button. The client then starts imitating the cracking process, which turns your desktop into an encrypted mess. All files are ciphered by placing them in zip archives with the .crypt extension. Amazingly, the encryption keys created by FindZip are not stored on the hacker's server. Even after sending 0.25 BTC to purchase the decryption key, you will not receive any of the promised tools to recover the data. Interestingly, the virus acts inconsistently: it does not touch Time Machine backups or external devices. Even though FindZip used strong algorithms for its time, experts from the Malwarebytes laboratory found a way to decrypt files without permanent loss.