Tutorials

Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove Muhstik (QNAPCrypt) Ransomware and decrypt .muhstik files

Muhstik Ransomware is a nasty cipher virus that encrypts user data on QNAP NAS network drives using AES-256 (CBC mode) + SHA256 algorithms and then demands a ransom of 0.045 - 0.09 BTC (currently ~$700) to return the files. According to researchers, this program is not directly related to eCh0raix Ransomware, although there is a certain external similarity. After finishing the encryption procedure, the malware adds the .muhstik extension to affected files. The malware first checks the system language and does not start encryption on systems with Russian, Belarusian or Ukrainian languages. At the moment, there is a public decryption tool available called Emsisoft Decrypter for Muhstik. It is able to decrypt files encrypted by most versions of this virus. If it is unable to recover the data, full recovery is only possible with the help of backups.

How to remove STOP Ransomware and decrypt .leto, .werd, .bora or .xoza files

STOP Ransomware (sometimes called DJVU Ransomware) is an obnoxious virus that encrypts files on computers using the AES encryption algorithm, makes them unavailable and demands money in exchange for a so-called "decryptor". Files processed by the latest version of STOP Ransomware, in particular, can be distinguished by the .leto, .werd, .bora or .xoza extensions. The analysis showed that the encryptor's installer, delivered with a "crack" or adware, is installed under an arbitrary name in the %LocalAppData%\ folder. When executed, it loads four executable files there: 1.exe, 2.exe, 3.exe and updatewin.exe. The first of them is responsible for neutralizing Windows Defender, the second for blocking access to information security sites. After the malware is launched, a fake message appears on the screen claiming that an update for Windows is being installed. In fact, at this moment, almost all user files on the computer are being encrypted. In each folder containing encrypted documents, a text file (_readme.txt) appears in which the attackers explain the operation of the virus. They offer decryption in exchange for a ransom and urge victims not to use third-party programs, claiming that this can lead to the deletion of all documents.

How to remove STOP Ransomware and decrypt .reco, .mike, .noos or .kuub files

STOP Ransomware (DJVU Ransomware) is officially the most common virus-encrypter in the world. The encryptor operates according to the classical scheme: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine. More than 50% of ransomware-infected computers are infected with STOP Ransomware. It got its second name, DJVU Ransomware, from the .djvu extension that was appended to files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to the present day. A recent variation of the malware adds .reco, .mike, .noos or .kuub extensions to files. Of course, affected files become inaccessible without a special "decrypter" that has to be bought from the hackers.

How to remove STOP Ransomware and decrypt .nesa, .boot, .domn or .karl files

STOP Ransomware (DJVU Ransomware) is extremely harmful and one of the most active encryption viruses. More than half of ransomware submissions to ID-Ransomware (a ransomware identification service) are made by victims of STOP Ransomware. Although it has been in circulation for a couple of years, the number of infections caused by STOP Ransomware continues to increase. It may be somewhat ironic, but most of the victims (at the moment) are users of pirated software. The version of the virus under consideration today adds .nesa, .domn or .karl extensions to files. The malicious program also creates a text file (called _readme.txt) in each infected folder, which explains to the user that the computer is infected and that the data will not be accessible until a ransom of $980 is paid. Tampering with encrypted files can cause permanent damage, and the chances of guessing the correct decryption key are virtually zero. Alternatively, of course, you can pay the ransom. But keep in mind that you are dealing with criminals who can still increase the size of the ransom, or just steal your money without giving you the decryption key. Besides, funding the hackers encourages them to create new versions and variations of the virus. There is a tool called STOPDecrypter that was able to retrieve the key for older versions of STOP Ransomware. However, currently, it is unable to decrypt .nesa, .domn or .karl files. There is a possibility that STOPDecrypter will be updated, and we provide download links and instructions on how to use the tool below.

How to remove STOP Ransomware and decrypt .meds, .kvag, .moka or .peta files

STOP Ransomware is a devastating crypto-virus that uses the AES-256 asymmetrical encryption algorithm to restrict user access to their files without the key. The malware appends .meds, .kvag, .moka or .peta extensions to files, makes them unreadable and extorts a ransom for decryption. Unfortunately, due to technical modifications in the newest version, file recovery is impossible without backups. However, there are certain standard Windows features and tools that may help you restore at least some files. File-recovery software may also be useful in this case. In the text box below is the text of the _readme.txt file, called the "ransom note". Even if you can afford the price of the decryption, there is no point in paying the ransom. Hackers rarely respond to victims, and there is no method to track the payment, as they use cryptocurrency, TOR-network websites and e-mails, and anonymous electronic wallets. There is a tool called STOPDecrypter that was able to retrieve the key for older versions of STOP Ransomware. But according to its developers, it is practically useless against .meds, .kvag, .moka or .peta files.

How to remove STOP Ransomware and decrypt .seto, .shariz, .gero or .geno files

Since September 2019, the criminals have modified the malware code in newer versions. They now use asymmetrical encryption, and decryption with the old proven methods is temporarily impossible. The article will be updated with an effective decryption guide once one appears. Currently, there is some chance of recovering your files using the instructions below. If your files became unavailable, got weird icons and got either the .seto, .shariz, .gero or .geno extension, that means your computer was hit by STOP Ransomware. This is an extremely dangerous and harmful encryption virus that encodes data on victims' computers and extorts a ransom equivalent of $490/$960 in cryptocurrency, to be paid to an anonymous electronic wallet. If you didn't have backups before the infection, there are only a few ways to return your files, with a low probability of success. However, they are worth trying, and we describe them all in the following article. In the text box below, you can get acquainted with the contents of the _readme.txt file, which is called a "ransom note" among security specialists and serves as one of the symptoms of infection.