
Tutorials

Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove DCRTR-WDM Ransomware and decrypt .LOCKEDS, .CRYZP, .LOCK or .GOLD files

DCRTR-WDM Ransomware is an encryption virus that endangers unprotected user data on Windows computers. It is a successor of DCRTR Ransomware: it uses the AES encryption algorithm to cipher information and demands a ransom of $1270 in BTC (Bitcoin). The virus was classified as a separate subspecies in November 2018 and continued its activity in 2019 and 2020. The DCRTR-WDM developers have been hiding their malware inside fake "Windows Defender Monitor" updaters that can be downloaded from the web. Regrettably, once installed, it does the opposite of what it promises: instead of defending your PC, it immediately starts running scripts that encrypt the data stored on your computer. Currently, several generations of the malware are active and distributed on the web. In addition, the fraudsters offer to decrypt one small file that can be sent to them by e-mail. This is only a trick to prove that decryption works and to fool users into paying the ransom. You should never rely on their promises, because their sole purpose is to extract money and move on to other victims. Unfortunately, attempts to bypass the encryption are usually fruitless, because the developers use the AES-256 algorithm to encipher the data. However, with the help of our instructions, you will be able to remove it from your computer and prevent further data loss.

How to remove BitPyLock Ransomware and decrypt .bitpy, .domain_name or .andradegalvao files

BitPyLock was discovered by MalwareHunterTeam and categorized as ransomware. Infection by this kind of malware leads to immediate encryption of all the files stored on your computer. BitPyLock primarily targets photos, videos, databases and office projects, which tend to be the most valuable files for regular users. The program uses a strong, military-grade encryption algorithm, RSA-4096 to be exact, and then appends .bitpy to each file extension. For example, 1.mp4 is renamed to 1.mp4.bitpy, which makes it impossible to open. Other variants of this ransomware append the .domain_name or .andradegalvao extension instead. BitPyLock Ransomware also does everything it can to prevent manual recovery, including deleting backup files from the system. When encryption is finished, it creates an HTML note with ransom payment details.

How to remove MedusaLocker Ransomware and decrypt .readtheinstructions, .decrypme or .encrypted files

We have already deconstructed many ransomware families, such as Ouroboros, Ako and NEMTY. Today we add MedusaLocker Ransomware to the list. This dreadful software encrypts the files of innocent users, making them unrecoverable until a ransom is paid. The virus got its name from its project file, MedusaLocker.pdb; it also creates a "Medusa" key in the registry. Once installed on a computer, it rapidly blocks access to your data by appending a unique .encrypted, .readtheinstructions or .readinstructions extension to each file. For example, 1.jpg becomes 1.jpg.readtheinstructions. Unfortunately, manual manipulation is useless because of the strong cipher, which is hard to break by hand: each file is encrypted with AES, and the AES key is then encrypted with the RSA-2048 public key embedded in the ransomware executable. Depending on the ransomware edition, the extension may also be .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker or .skynet. After successfully encrypting the data, the extortionists drop an HTML or text file, the ransom note, containing instructions on how to recover your data.

How to remove GarrantyDecrypt Ransomware and decrypt .bigbosshorse, .heronpiston or .horsedeal files

GarrantyDecrypt has cemented its position in the ransomware category and has already cost its victims a fair amount of nerves and money. Like other ransomware, it infiltrates your computer and runs encryption routines that scan your device and encrypt each file with a cipher that cannot be broken manually. The first versions of this malware used the .garrantydecrypt, .decryptgarranty, .protected, .NOSTRO, .odin, .cosanostra, .cammora, .metan, .spyhunter, .tater and .zorin extensions. However, the encryption virus is constantly modified and the suffixes change too. The most recent extensions used by GarrantyDecrypt Ransomware are .bigbosshorse, .heronpiston and .horsedeal. To illustrate, after encryption 1.mp4 becomes 1.mp4.bigbosshorse or one of the other extensions mentioned above. Unfortunately, any manual attempt to unlock the data is hopeless. Once encryption is finished, a ransom note is created on the desktop notifying you that your data has been blocked.

How to remove NEMTY Ransomware and decrypt .nemty files

The odds of getting hacked grow every day because of the wide distribution of malware and other social engineering tricks. NEMTY Ransomware, first identified in 2019 and revived with new force as NEMTY 2.5 REVENGE Ransomware in 2020, is no exception. Like other types of ransomware, it is designed to encrypt files stored on the user's PC using the AES-256 encryption algorithm. However, the algorithm is implemented incorrectly and in practice behaves more like AES-128/192. It encrypts files such as .docx, .xlsx, .pptx, .mp3, .mp4, .png and other types so that they can no longer be opened. Once it has encrypted your data, the virus changes the file extension to .NEMTY. The most recent variants use the compound extension .NEMTY_XXXXXXX, where XXXXXXX is a random 7-character alphanumeric sequence. After the encryption process is finished, NEMTY leaves a note on the desktop stating that your data was encrypted and that the only way to recover it is to pay a ransom (approximately $1000).

How to fix Ss3svc32.exe popping up on startup

With the Windows 1903 KB4517211 update, users started facing the Ss3svc32.exe issue, a prompt that pops up on startup. It appears as a permission dialog with the message "Do you want to allow this app from an unknown publisher to make changes to your device?". Most users are perplexed by this message, and a rumor has already spread that it is a virus trying to attack their computers. However, this is not a virus at all!

How to remove Dharma-Wiki Ransomware and decrypt .[bitlocker@foxmail.com].wiki files

Dharma-Wiki Ransomware is a file-encrypting type of malware designed to extort money from its victims. It belongs to the notorious Dharma/Crysis Ransomware family. It changes file extensions to .id-{random-8-digit-alphanumerical-sequence}.[bitlocker@foxmail.com].wiki, and the files remain encrypted until a ransom is paid. After the encryption process is finished, it leaves a ransom note on your desktop notifying you that your data was successfully encrypted and requires action. To decrypt your files, you are told to contact the hackers via one of the methods listed in the note and pay a specific fee to get your files back. This kind of fraud targets the most precious data stored on your PC, such as text documents, videos and images. The criminals gamble on the value of your data to pressure you into paying. Of course, they also try to hurry you by threatening that the price will rise if you do not pay within 24 hours. If you refuse to pay the ransom, they may also claim that they will spread your data to third parties who will misuse it. The ransom must be paid solely in Bitcoin cryptocurrency, apparently because of the anonymity its blockchain offers. Unfortunately, no free tool that can remove the encryption from the files has been available so far.

How to remove Paradise Ransomware and decrypt .paradise, .2ksys19, .p3rf0rm4 or .FC files

Paradise Ransomware is a file-encrypting virus that encrypts user files with the RSA-1024 encryption algorithm. The latest versions of this threat append the .VACv2, .CORP or .xyz extension. Previously, Paradise Ransomware used .paradise, .sell, .ransom, .logger, .prt and .b29. Of all these variants, only the last one can be decrypted. The ransomware has many similarities with Dharma Ransomware: it has a very similar design and uses similar patterns for file modification. The authors of the virus provide an e-mail address for decryption negotiations: admin@prt-decrypt.xyz. They demand several thousand dollars for decryption, to be paid in Bitcoin. They also state that 1-3 files of no value can be decrypted for free as proof that decryption is possible. However, the malefactors cannot be trusted. Instead, we recommend following the instructions below to restore files encrypted by Paradise Ransomware.