
Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove Tomas Ransomware and decrypt .tomas files

Tomas is a high-risk threat classified as ransomware. Using special algorithms, infections of this type encrypt personal data and demand money from victims. Tomas is no exception: it targets various kinds of data, including images, videos, text files, and other valuable file types. When Tomas appears on your system, it disables protection services and starts encrypting data. During the process, the virus renames the stored files beyond recognition. For instance, a file like 1.mp4 will be renamed to a long string like 1.mp4.[E3CEFA3F].[].tomas. This pattern consists of the original filename, a personal ID, the cybercriminal's email address, and the .tomas extension. After the process is done, Tomas creates a note called readme-warning.txt that states how to decrypt your data. The cybercriminals try to calm you down after such a big loss by saying that your files can be decrypted. The only thing required is to buy a decryption key, which may cost you more than a monthly salary: approximately 3000 dollars, accepted only in Bitcoin.

How to remove Npph Ransomware and decrypt .npph files

STOP Ransomware is a sophisticated encryption virus that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest version (Npph Ransomware), which appeared in September 2020, adds the .npph extension to files and makes them unreadable. To date, the family includes about 180 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe, South America, India, and Southeast Asia. The threat has also affected the United States, Australia, and South Africa. Although the Npph virus is less known than GandCrab, Dharma, and other ransomware trojans, it accounts for more than half of the attacks detected this year. Moreover, the next entry in the ranking, the aforementioned Dharma, trails it on this measure by more than four times. A significant role in the prevalence of STOP Ransomware is played by its diversity: in the most active periods, experts found three or four new versions daily, each of which hit several thousand victims.

How to remove Ogdo Ransomware and decrypt .ogdo files

STOP Ransomware (DJVU Ransomware) is officially the most common file-encrypting virus in the world. The encryptor operates according to the classical scheme: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine. More than 50% of ransomware-infected computers are infected with STOP Ransomware. It has a second name, DJVU Ransomware, after the .djvu extension that was appended to files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to this day. A recent variation of the malware (Ogdo Ransomware) adds the .ogdo extension to files. Of course, affected files become inaccessible without a special "decrypter" that has to be bought from the hackers. The ransomware places its ransom note, _readme.txt, in every folder and on the desktop.

How to remove KeRanger Ransomware and decrypt .encrypted files (Mac)

Back in 2016, KeRanger became the very first ransomware that attacked Mac users. Most users were stunned to realize that their data was locked because they had downloaded a legitimate BitTorrent client called Transmission. At that time, cybercriminals managed to hack its website and embed a file-encrypting virus into a new version that was about to come out. As a result, users were inadvertently infected by updating the previously installed application. Unfortunately, laboratories have not identified an appropriate way to decrypt the affected data. Instead, victims are offered a paid solution: buying a decryption program. The transaction has to be made via the Tor browser by paying 1 BTC (around 407 at that time); Bitcoin is now worth roughly $5,260. The extortionists also claim that they will answer any of your questions if you are really motivated to pay the ransom. You can also decrypt 1 file via the Tor page linked in the note. As mentioned, third-party tools are currently unable to decipher the locked data.

How to remove AgeLocker Ransomware and decrypt your files (Mac)

Whilst most ransomware developers focus on infecting Windows-based systems, AgeLocker targets Mac and Linux instead. The ransomware positions itself as a business-oriented virus that spreads among corporations; however, attacks on regular users happen as well. The encryption process looks much like it does on Windows; the only difference is the use of different extensions and file formats. AgeLocker uses its own command prompt to run the encryption process. Files that have been impacted by AgeLocker are assigned personalized extensions based on users' names. It is impossible to identify which file was infected, because AgeLocker encrypts the original name and adds a random extension at the end. Some people reported that the .sthd2 extension was added to their files and that the names of encrypted files start with a URL address. Once all files are locked successfully, the virus sends a ransom note (security_audit_.eml) to the victim's e-mail.

How to remove AESMewLocker Ransomware and decrypt .locked files

AESMewLocker Ransomware is a real menace that targets your data by encrypting it with AES File Format algorithms. This is nothing unusual in the ransomware world. The virus popped up on multiple forums a couple of days ago and raised a big question among its victims: how to decrypt the files? For now, there are no viable ways to unlock files that have been encrypted and given the .locked extension after the infection. All of your files become inaccessible and can be unlocked only if you meet the swindlers' demands and pay for the decryption key. The key itself is not cheap: you have to spend 0.05 BTC and contact the extortionists to get decryption instructions. All of this information is stated in a ransom note (READ_IT.txt) created after successful encryption.