malwarebytes banner


Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove WastedLocker Ransomware and decrypt .***wasted files

WastedLocker is a file-encrypting malware categorized as ransomware. Programs within this category block access to stored data and require paying a fee to get decryption tools. When ransomware gets settled on your system, all files (videos, images, documents, text files, etc.) will be updated with new extensions. There is a range of extensions used by WastedLocker to highlight encrypted files. Most basic variants include 3 random letters alongside .***wasted extension at the end. For example, files affected by WastedLocker might get a new look of 1.mp4.bbawasted, 1.mp4.rlhwasted or similar. After this, unlike other ransomware that use one common note to explain ransom details, WastedLocker creates separate notes for each infected file. The best thing you can do safe and definite is to get rid of WastedLocker and try to recover data from external backups, if possible. Follow our guide below to find out how.

How to remove Fonix Ransomware and decrypt .fonix, .repter or .XINOF files

Also known as FonixCrypter, Fonix Ransomware is an infection, that uses Salsa20 and RSA 4098 algorithms to restrict data accessibility. It encrypts the stored files of various formats - photos, videos, documents, audios, and others that seem to be valuable around regular users. Along the encryption process, the virus assigns compound extensions including e-mail of cybercriminals, personal ID, and .fonix extension at the end. Some versions of Fonix exploit other extensions like .repter and .XINOF. For example, a file like 1.mp4 will be transformed into 1.mp4.EMAIL=[]ID=[1E857D00].Fonix and reset its shortcut as well. It is said that no third-parties tools will be able to decrypt your files because their key is stored on cybercriminal's servers. Instead, developers propose you to buy their decryption key in Bitcoin. If you fail to do this within 2 days, your fee will be doubled immediately. Also, they offer detailed info on how to convert money to BTC in case you have never done it before. As a consolation bonus, extortionists provide decryption of 1 small file for free. Despite this, it is dangerous to pay for the key, because they tend to dumb gullible users, as statistics say. Unfortunately, it is true that there are no feasible methods to unlock files encrypted by Fonix Ransomware. The best way to restore it is by using an external backup of lost files, if possible.

How to remove HE-HELP Ransomware and decrypt ._HE or ._HE._LP files

HE-HELP Ransomware (Normanzak Ransomware) is a type of malware that encrypts files of users or business holders. Ransomware is considered to be the most dangerous piece since your files get locked forever unless you pay them a certain fee. Unfortunately, because HE-HELP popped in June 2020, security experts have not found a crack to decrypt users’ data for free. Like other infections, the virus assigns new extensions to normal files - either ._HE or ._HE._LP. For instance, 1.mp4 will appear like 1.mp4._HE or similarly after the encryption process is done. Thereafter, the ransomware triggers an automatic opening of a text file called READ_ME_.txt, which is dropped on the victim's desktop. In this note, people can see the encryption report including instructions on how to revive your data. They say that you should contact them via one of the attached e-mails and mention your company name. Cybercriminals also offer a free option to decrypt up to 3 files as a proof sign towards their honesty. Furthermore, they terrify you with threats of publishing your data worldwide. However, if you do not have anything precious to worry about, then you can simply delete it from your computer. In other cases, there is no feasible option to retrieve the affected files with the help of third-parties tools. Either way, we recommend you to wait some time until security experts find a way to handle HE-HELP Ransomware.

How to remove PL Ransomware and decrypt .encoded_PL files

PL is a ransomware infection recently found by cyber experts. The malware of this type encrypts files and demands a fee to get them back. Developers of PL Ransomware simply assign the .encoded_PL, unlike others that use complex combinations of ID numbers with random characters. For instance, a file like 1.mp4 will be changed to 1.mp4.encoded_PL and reset its icon as well. After this, the ransomware script creates a text note (!ALL_YOUR_FILES_ARE_ENCRYPTED) that explains how to decrypt your data. To do so, you should contact them via e-mail to get further instructions for buying a decryption key. It also provides an ability to restore a couple of files for free to prove their integrity. Unfortunately, the research is still underway because security experts have not found a way to decrypt files just yet. However, we can help you with the uninstallation of PL Ransomware to secure further protection in the article below.

How to remove Outsider Ransomware and decrypt .protected, .gomer or .edab files

Outsider is a ransomware family that has developed multiple versions of file-encrypting malware. This specific version (Outsider) encrypts files located on servers and users' PCs. Recently, Outsider has been identified as GarrantyDecrypt-Outsider because it looks very similar to another ransomware called GarrantyDecrypt with minor differences. The range of extensions that can be assigned to encrypted files includes .protected, .gomer, .edab, .crypt, .popotic1, .popoticus, .sguard, .guarded, .mapo, .sivo, and .mbit. To illustrate, the original file 1.txt will be altered to 1.txt.protected or similarly. After this, the virus creates a usual txt file called HOW_TO_RESTORE_FILES.txt.

How to remove Dharma-Pgp Ransomware and decrypt .pgp files

Being part of the Dharma family, Dharma-Pgp Ransomware is a dangerous infection that puts your data under a lock and demands to pay a ransom. During the encryption process, all files get altered according to such pattern[].pgp. Following this, the ransomware creates a text file called FILES ENCRYPTED.txt representing encryption notes. In this note, users are alerted against using third-parties tools since they can lead to permanent loss. To buy your files back, you should contact cyber criminals via e-mail, attach personal ID that is given in the note, and pay for the decryption software eventually. You are also offered to try test decryption by sending one small file which must be less than 1 MB and non-archived as well.

How to remove Kupidon Ransomware and decrypt .kupidon files

Kupidon is a type of crypto-malware that popped up on 5th May 2020. This ransomware encrypts a variety of files including images, ZIP archives, text files, documents, and other regular data. To highlight them from original files, it adds the .kupidon extension at the end of each file. For example, 1.mp4 that was previously non-encrypted, will be retitled to 1.mp4.kupidon after encryption. After successful encryption, the virus drops a text file called !KUPIDON_DECRYPT.txt that reflects ransom information. In order to get your files back, you should make a very harsh decision - pay 1200$ (for commercial users) or 300$ (for regular) in BTC which is not affordable for many people. To finish the payment, you are asked to open the attached link in the Tor browser and follow on-screen instructions. Whatever the case, it is risky to trust cybercriminals and pay a ransom, especially when it exceeds all the limits. Kupidon Ransomware also uses a crafty trick - it allows users to decrypt up to 3 files (not more than 10MB) by sending it to their e-mail.

How to remove Avaddon Ransomware and decrypt .avdn files

Avaddon is a ransomware-type infection discovered by GrujaRS. It strengthens its encryption with AES and RSA algorithms so that regular users could not unlock their data. Affected files will be altered with the .avdn extension that is assigned at the end. For example, a file like 1.mp4 will experience an immediate change after encryption to 1.mp4.avdn. This change makes the file inaccessible and requires paying a ransom to decrypt it. Instructions on how to do so are presented in an HTML file ("[random_numbers]-readme.html") that is generated after the encryption process is complete.