Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Snatch Ransomware and decrypt .snatch, .wbqczq, .gdjlosvtnib or .FileSlack files

Snatch is another malicious program discovered by Michael Gillespie and categorized as ransomware. This virus snatches your data by encrypting it with cryptographic algorithms. Once your files are locked, you will see a new extension appended to them right away (.snatch, .wbqczq, .gdjlosvtnib or .FileSlack). For instance, a normal 1.mp4 becomes 1.mp4.FileSlack or similar. As usual, after the encryption process is completed, the ransomware drops a text file called Readme_Restore_Files.txt (in recent cases HOW TO RESTORE YOUR FILES.TXT). In this document, the ransomware developers give brief instructions on how to recover your data: you are told to contact them via the attached e-mail address to receive further commands. Unfortunately, because Snatch Ransomware is constantly updated and its algorithms improved, there is no free tool that can decrypt files ciphered by Snatch. Even if you venture to pay for the software offered by the cybercriminals, there is a high risk that you will be deceived and left with nothing. The only workable way to get your files back is to delete Snatch Ransomware and copy your files back from external backups.

How to remove Crypren Ransomware and decrypt .encrypted files

Crypren Ransomware is a type of malware that compromises your data by encrypting it and appending the .ENCRYPTED extension. For instance, 1.mp4 or any other regular file becomes 1.mp4.ENCRYPTED or similar. Usually, because asymmetric algorithms are applied during encryption, the affected data becomes almost impossible to unlock. However, thanks to a security researcher named pekeinfo, there is no need to pay for decryption software. We should also point out that after the malware has finished the encryption step, it drops a READ_THIS_TO_DECRYPT.html file in each folder containing affected files. In this note, the swindlers inform users about a paid decryption service that requires buying a private key. You are also given 1 week to contact the cybercriminals before your unique key is destroyed. This key costs precisely 0.1 BTC (approximately 900 dollars). Luckily, you can download and use the decryption tool developed by pekeinfo from the article below. It turned out that Crypren Ransomware had a serious flaw: it stored its keys locally.

How to remove Mr.Dec Ransomware and decrypt your files

Identified by Michael Gillespie (ransomware researcher), Mr.Dec Ransomware is a file-encrypting virus that makes money from desperate users whose data has been locked. This virus uses a randomly generated extension following the pattern [ID]victim's_ID[ID]. The extension is meant to distinguish encrypted files from normal ones. All files stored on your system, including photos, videos, text documents and other regular data, are renamed to something like 1.jpg[ID]gh839ag14hiol4ag[ID]. Because their contents are encrypted, the renamed files can no longer be opened. After this, the ransomware drops a ransom note in the form of an HTML file (Decoding help.hta). In this message, the extortionists push you to make a fast decision on purchasing the decryption key. Otherwise, they claim, it will be destroyed and you will not be able to decrypt your data once the countdown has finished. To decode the compromised files, you are told to contact them via the e-mail address given at the top of the note. Most cybercriminals use the cunning technique of letting victims send a couple of files for free decryption in order to prompt them to buy the key. Although this may seem convincing, you should never follow the criminals' instructions unless you want to empty your pocket.

How to remove Xorist-EnCiPhErEd Ransomware and decrypt .EnCiPhErEd files

Xorist-EnCiPhErEd appeared in the ransomware world a couple of years ago and still targets users today. Being part of the Xorist family, it encrypts data using the XOR or TEA algorithms and appends the .EnCiPhErEd extension to all files. For instance, 1.mp4 is renamed to 1.mp4.EnCiPhErEd. If you try to open any of the infected files, you will see a pop-up error window that displays the ransom information. Unlike other ransomware, its developers ask victims to send an SMS message to the number mentioned there. Besides that, the virus drops a text file called HOW TO DECRYPT FILES.txt which is identical to the pop-up window. If you fail to enter the code within 5 attempts, your files will be deleted completely, as the extortionists claim. After that, you will most likely receive a web link to pay for the decryption software. However, there is no need to meet the ransom demands, because Fabian Wosar of Emsisoft has found a way to decrypt files encrypted by Xorist.

How to remove Locky Ransomware and decrypt .locky files

Locky is a ransomware virus that encrypts your files using the RSA-2048 and AES-1024 algorithms and demands 0.5 BTC (bitcoins) (equivalent to $207) for the "Locky Decrypter" that is supposed to let the user decrypt their documents and images. This is a very dangerous blackmailing virus and there are currently only a few ways to decrypt your files. In this guide, we have collected all the available information that can help you remove the Locky ransomware virus and restore infected files.

How to remove RedRum Ransomware and decrypt .redrum or .grinch files

RedRum Ransomware is a malicious program that encrypts your data and demands a ransom payment. Once the infection succeeds, all stored data including images, videos and text files is encrypted and given the .redrum or .grinch extension (the latter belongs to another version of the RedRum family). For example, if 1.mp4 is attacked by this virus, it is renamed to 1.mp4.redrum or 1.mp4.grinch. As soon as encryption completes, RedRum drops a text file (decryption.txt) with the ransom information. According to the note provided by RedRum, you should pay for the decryption key. For this, you are supposed to send them an e-mail message and get further instructions. Unfortunately, this ransomware is very resilient: the strong algorithms it uses make decryption almost impossible. However, you should certainly remove it from your PC to protect other files and apply all of the necessary measures to prevent it from happening again.

How to remove Hakbit Ransomware and decrypt .crypted, .ravack, .part or .gesd files

If you are unable to open your files, it is most likely because Hakbit Ransomware has attacked your PC. The developers of this program use AES algorithms to cipher the stored data (e.g. images, videos, documents, text files, etc.). In other words, everything located on your disks will be completely locked. Hakbit uses a couple of extensions to alter files: .crypted, .ravack, .part or .gesd. Encrypted files look like 1.mp4.crypted, 1.jpg.ravack, 1.doc.part or 1.xls.gesd. After this, Hakbit drops a text file called HELP_ME_RECOVER_MY_FILES.txt and a wallpaper.bmp image that in some cases replaces the desktop wallpaper. Both of them contain information on how to get your files back. To do so, users are told to pay 300 USD in Bitcoin to the attached address and contact the creators via e-mail. Unfortunately, buying the decryption software is the only way to decrypt your data, since no third-party tool can handle it. However, we strongly advise you against spending your money on this, because there is no guarantee that your data will be brought back.

How to remove ShivaGood (Mimicry) Ransomware and decrypt .good files

Also known as Mimicry, ShivaGood Ransomware has no good intentions at all: it is designed to encrypt users' data and demand a ransom payment in bitcoin. This malicious program uses cryptographic algorithms and appends the .good extension to many file types (PDFs, documents, images, videos, etc.). For instance, 1.mp4 is renamed to 1.mp4.good, and so on. Once ShivaGood completes the encryption procedure, it creates a text file called HOW_TO_RECOVER_FILES.txt. This note contains information about the data encryption. To decrypt it, the extortionists ask you to contact them via e-mail and attach the personal ID that is also mentioned in the note. Once done, the fraudsters will reply with payment instructions for obtaining the decryption key. Additionally, the cybercriminals offer to unlock 3 files (less than 10 MB) for free. This is a trick to appear trustworthy, but reality can differ significantly: they can simply extort the money and forget about their promises.