
Ransomware

Articles about removing Windows lockers, browser lockers, crypto-viruses and other types of blackmailing threats.

How to remove Matrix Ransomware and decrypt .PEDANT, .ITLOCK, .SPCT or .PLANT files

Matrix Ransomware is a file-encrypting ransomware family whose variants have used both symmetric and asymmetric cryptography. The original version appends the .matrix extension to encrypted files (later variants use other extensions, including those listed in the title). After the encryption pass finishes, Matrix creates a text file named matrix-readme.rtf or Readme-Matrix.rtf and drops a copy in every folder that contains affected files. The note contains instructions for paying the ransom and urges the victim to contact the operators by e-mail: bluetablet9643@yandex.ru, matrix9643@yahoo.com or redtablet9643@yahoo.com.

How to remove Cr1ptT0r Ransomware and decrypt your files

Cr1ptT0r Ransomware is a new type of ransomware that exploits a vulnerability in network disk arrays to infect its targets. It encrypts data on network storage (cloud storage and NAS, Network Attached Storage devices) and then demands roughly 0.3 BTC for the return of the files. The name Cr1ptT0r appears in the ransom note and on the group's page on the OpenBazaar marketplace; the developers call themselves the Cr1ptT0r team. The sample is an ELF binary for ARM Linux aimed at embedded devices, though it reportedly can be adapted for Windows depending on the device manufacturer. The virus creates two files: _FILES_ENCRYPTED_README.txt and _cr1ptt0r_support.txt. Encryption uses the Sodium (libsodium) library's "curve25519xsalsa20poly1305" construction (crypto_box): a Curve25519 key agreement derives a shared key, which is then used with the XSalsa20 stream cipher and the Poly1305 authenticator. That shared key can be recomputed only by whoever holds the matching private key, so the public key alone is useless for decryption. The 256-bit public key is stored in cr1ptt0r_logs.txt, which also lists the encrypted files, and it is appended to the end of each encrypted file, just before the marker. Cr1ptT0r uses its OpenBazaar page to "support" victims and to sell the decryptor. No decryption tool is available yet; however, the instructions in this article may help you recover encrypted files. Follow the guide below to remove Cr1ptT0r Ransomware and decrypt your files in Windows 10, 8/8.1 and Windows 7.

How to remove STOP Ransomware and decrypt .adobe or .adobee files

This particular sample of Adobe Ransomware is, in fact, a continuation of the STOP Ransomware family. The virus attacks files that matter to the average user, such as documents, photos, databases and music, enciphers them with AES encryption and appends the .adobe (one "e" at the end) or .adobee (two "e"s at the end) extension to affected files. This creates confusion, because several different ransomware families use this extension after encryption. These families use different algorithms; however, .adobe files encrypted by STOP Ransomware can be decrypted with STOPDecrypter (provided below). Unlike previous versions, this one states the cost of decryption plainly: $980, or $490 if paid within 72 hours. The discount is just a trick to pressure victims into paying quickly, and the authors often never send a decryptor at all. We recommend removing the STOP Ransomware executables and using the decryption tools available for .adobe files.

How to remove GandCrab v5.2 Ransomware and decrypt your files

GandCrab v5.2 Ransomware was released just a few hours before Europol, the Romanian Police and Bitdefender released a fully functional decryption tool for all previous versions of the virus, up to GandCrab v5.1 Ransomware. The updated version appends an extension of 5 to 10 random letters, and the ransom note is named after that extension: [random-letters]-DECRYPT.txt and [random-letters]-DECRYPT.html. Many IT companies and managed service providers have reportedly been infected and affected by GandCrab. Bitdefender's decryptor covers some previous versions; the download link is provided below, and the tool may later be updated to work with GandCrab v5.2. Meanwhile, we recommend trying the standard Windows recovery features (shadow copies, previous versions of files, restore points) to recover your files. Dedicated file-recovery software often restores many files that the user deleted earlier and that the virus therefore never touched.

How to remove Dharma-ETH Ransomware and decrypt .ETH files

Dharma-ETH Ransomware is a new generation of the high-risk Crysis-Dharma-Cezar ransomware family, specifically its Dharma branch. It is named after the extension it appends to encrypted files: .ETH. The virus actually appends a compound suffix made of several parts: a unique 8-character victim ID (randomly generated), the attackers' e-mail address and the .ETH extension, so an affected file ends up with a suffix of the form .id-{8-character-id}.[{email-address}].ETH. The ransom note does not state the amount the victim must pay to recover the files, and there is no information about the encryption algorithms used. Judging from previous infections of this type, it probably uses AES or RSA-2048 encryption, and the operators will try to extort between $500 and $1500, payable in Monero, Dash or BTC (Bitcoin).

How to remove Dharma-KARLS Ransomware and decrypt .KARLS files

Dharma-KARLS Ransomware is a new, virulent file-encrypting threat built on the well-known Crysis-Dharma-Cezar ransomware platform. Unlike other variants, this version adds the .KARLS extension to encrypted files. In fact, Dharma-KARLS appends a compound suffix consisting of a unique victim ID, the developer's e-mail address and the .KARLS extension from which it got its name; a file called 1.doc becomes 1.doc.id-{8-character-id}.[{email-address}].KARLS. The authors of Dharma-KARLS demand a ransom of $500 to $5000 in BTC (Bitcoin) for decryption. Cryptocurrency payments and Tor-hosted payment sites make the payee very hard to trace. Besides, victims of such viruses often get scammed: the malefactors do not send any keys even after the ransom is paid. Unfortunately, manual or automatic decryption is impossible unless the ransomware was developed with mistakes or has flaws in its implementation or execution.

How to remove Dharma-Frend Ransomware and decrypt .frend files

Dharma-Frend Ransomware is a typical offshoot of the Crysis-Dharma-Cezar ransomware family. This variant appends the .frend extension to encrypted files and renders them unusable. No effective decryptor exists for Dharma-Frend; however, we recommend trying the instructions below to attempt restoring your files. The suffix Dharma-Frend appends consists of several parts: a unique victim ID, the developer's e-mail address and the .frend extension, so a file called 1.doc becomes 1.doc.id-{8-character-id}.[{email-address}].frend. The authors of Dharma-Frend extort a $10000 ransom from victims. Cryptocurrency payments and Tor-hosted payment sites make the malefactors very hard to trace. Besides, victims of such viruses often get scammed: the malefactors do not send any keys even after the ransom is paid. Unfortunately, manual or automatic decryption is impossible unless the ransomware was developed with mistakes or has flaws in its implementation or execution. We do not recommend paying the malefactors any money. Often, after some time, security specialists from antivirus companies or independent researchers break the scheme and release decryption keys or tools.

How to remove Dharma-Amber Ransomware and decrypt .amber files

Dharma-Amber Ransomware is nearly identical to previous versions of the Crysis-Dharma-Cezar ransomware family, except that it now adds the .amber extension to encrypted files. Dharma-Amber builds the file suffix from several parts: a unique 8-character victim ID (randomly generated), the attackers' e-mail address and the .amber extension. The ID also identifies the victim when the attackers send a decryption key (which they rarely do). The Dharma-Amber authors demand a ransom of $500 to $15000, payable in Monero, Dash or BTC (Bitcoin), and in return promise to send the decryption key. This ransomware is coded and distributed as RaaS (Ransomware as a Service), so the people you would be contacting may be mere resellers, which is why the amount demanded for decryption can be very large. Cryptocurrency payments make the payee very hard to trace. We do not recommend paying the malefactors any money. Usually, after some time, security specialists from antivirus companies or independent researchers break the scheme and release decryption keys or tools.
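The entries above describe each family by the artifacts it leaves behind: the Dharma variants' .id-{id}.[{email}].{ETH|KARLS|frend|amber} suffix, STOP's .adobe/.adobee and Matrix's .matrix extensions, GandCrab v5.2's random 5-10 letter extension mirrored in its [letters]-DECRYPT.txt/.html note, and the fixed note names dropped by Matrix and Cr1ptT0r. The following triage script is an added example written for this page, not code from any of the articles or from the malware; it turns those descriptions into patterns and classifies a directory listing. The listing, the e-mail address (a reserved example.com address) and the victim IDs are constructed for the demo, and the GandCrab extension is only recognised by correlating it with a note in the same listing, since a random extension is meaningless on its own. Cr1ptT0r appends no extension that the page names, so only its note and log file names are matched.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example: file-name triage for the ransomware families described on
# this page. Patterns follow the page's descriptions; the sample listing
# below is constructed for the demo and is not real victim data.


@dataclass(frozen=True)
class Match:
    family: str
    kind: str                          # "encrypted-file" or "ransom-note"
    extension: Optional[str] = None
    victim_id: Optional[str] = None
    email: Optional[str] = None


# Dharma/Crysis variants: <name>.id-<8 chars>.[<email>].<VARIANT>
DHARMA_RE = re.compile(
    r"^.+?\.id-(?P<id>[A-Za-z0-9]{8})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>ETH|KARLS|frend|amber)$"
)
# STOP (.adobe / .adobee) and Matrix (.matrix) use a plain trailing extension.
STOP_RE = re.compile(r"^.+\.(?P<ext>adobee?)$")
MATRIX_RE = re.compile(r"^.+\.(?P<ext>matrix)$")
# GandCrab v5.2 names its note after the random extension it appended.
GANDCRAB_NOTE_RE = re.compile(r"^(?P<ext>[A-Za-z]{5,10})-DECRYPT\.(?:txt|html)$")
# Ransom notes / logs with fixed names, compared case-insensitively.
FIXED_NOTES = {
    "matrix-readme.rtf": "Matrix",
    "readme-matrix.rtf": "Matrix",
    "_files_encrypted_readme.txt": "Cr1ptT0r",
    "_cr1ptt0r_support.txt": "Cr1ptT0r",
    "cr1ptt0r_logs.txt": "Cr1ptT0r",
}


def classify(filename: str) -> Optional[Match]:
    """Classify one file name in isolation; None when no pattern applies."""
    family = FIXED_NOTES.get(filename.lower())
    if family:
        return Match(family, "ransom-note")
    m = GANDCRAB_NOTE_RE.match(filename)
    if m:
        return Match("GandCrab", "ransom-note", extension=m["ext"])
    m = DHARMA_RE.match(filename)
    if m:
        return Match("Dharma-" + m["ext"], "encrypted-file",
                     extension=m["ext"], victim_id=m["id"], email=m["email"])
    for family, pattern in (("STOP", STOP_RE), ("Matrix", MATRIX_RE)):
        m = pattern.match(filename)
        if m:
            return Match(family, "encrypted-file", extension=m["ext"])
    return None


def triage(listing: List[str]) -> List[Match]:
    """Classify a whole directory listing. GandCrab encrypted files carry a
    random extension, so they are recognised only when a *-DECRYPT note with
    the same letters is present in the listing."""
    first_pass = [classify(name) for name in listing]
    gandcrab_exts = {m.extension for m in first_pass
                     if m and m.family == "GandCrab" and m.kind == "ransom-note"}
    results: List[Match] = []
    for name, m in zip(listing, first_pass):
        if m is None and "." in name:
            ext = name.rsplit(".", 1)[1]
            if ext in gandcrab_exts:
                m = Match("GandCrab", "encrypted-file", extension=ext)
        if m is not None:
            results.append(m)
    return results


def summarize(listing: List[str]) -> Dict[str, int]:
    """Count matched artifacts per family; the dominant family is the lead."""
    return dict(Counter(m.family for m in triage(listing)))


# Constructed sample listing (not real victim data).
SAMPLE_LISTING = [
    "report.docx.id-1A2B3C4D.[mail@example.com].KARLS",
    "photo.jpg.id-9F8E7D6C.[mail@example.com].ETH",
    "budget.xlsx.adobe",
    "notes.txt.adobee",
    "scan.pdf.matrix",
    "matrix-readme.rtf",
    "contract.pdf.qwxzk",          # GandCrab: random extension ...
    "qwxzk-DECRYPT.txt",           # ... identified via the matching note
    "qwxzk-DECRYPT.html",
    "_FILES_ENCRYPTED_README.txt",
    "readme.txt",                  # benign file, must not match
]

if __name__ == "__main__":
    for m in triage(SAMPLE_LISTING):
        print(m)
    print(summarize(SAMPLE_LISTING))
```

Run it against a listing from an affected share (for example the output of `os.listdir` on the directory holding the note) to get a family guess plus the Dharma victim ID and contact address, which are exactly the values needed to pick the right article and decryptor. Keep the match on the Dharma ID loose (8 alphanumerics) rather than tying it to the examples here, and treat the output as a triage hint: the .adobe extension in particular is shared by unrelated families, as the STOP entry warns.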