Tutorials

Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove LOTUS Ransomware and decrypt .LOTUS files

LOTUS Ransomware is a type of malware that encrypts files on a victim's computer, rendering them inaccessible until a ransom is paid. It belongs to the Dharma ransomware family and is designed to extort money from victims by holding their data hostage. After installation, it displays a ransom message in a pop-up window and creates a text file named MANUAL.txt containing further instructions. LOTUS Ransomware appends the .LOTUS extension to the names of encrypted files. Additionally, it includes the victim's ID and the attacker's email address in the filename. For example, a file named 1.jpg would be renamed to 1.jpg.id-B4M9F983.[paymei@cock.li].LOTUS. After encrypting files, LOTUS ransomware creates a ransom note named "MANUAL.txt" and places it in each folder containing encrypted files. The note typically includes a notification of file encryption, instructions on how to pay the ransom (often in cryptocurrency like Bitcoin), and contact information for the attackers (e.g., paymei@cock.li, paymei@tuta.io). It also warns victims not to rename files or try to decrypt them with third-party software, as this may cause permanent damage to the files. The ransom note emphasizes that victims can only receive a decryption key or software from the attackers.

How to remove Wormhole Ransomware and decrypt .Wormhole files

Wormhole Ransomware is a type of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. This ransomware variant is part of a broader category of malware that uses encryption to hold data hostage, demanding payment for the decryption key. The name "Wormhole" is derived from the file extension it appends to encrypted files. Once Wormhole ransomware encrypts files on a victim's computer, it appends the .Wormhole extension to the encrypted files. This extension helps victims and cybersecurity professionals identify the type of ransomware that has infected the system. Wormhole ransomware employs strong encryption algorithms to secure the victim's files. Typically, ransomware uses a combination of symmetric and asymmetric encryption. Symmetric encryption involves using a single key for both encryption and decryption, with AES (Advanced Encryption Standard) being commonly used due to its efficiency and security. Asymmetric encryption involves a pair of keys – a public key for encryption and a private key for decryption, with RSA (Rivest-Shamir-Adleman) often used for this purpose. The exact encryption methods used by Wormhole ransomware are not detailed in the sources, but it is likely to use a combination of AES for file encryption and RSA for securing the AES key, similar to other ransomware variants. After encrypting the files, Wormhole ransomware typically creates a ransom note to inform the victim of the attack and provide instructions for payment (How to recover files encrypted by Wormhole.txt). This note is usually placed in prominent locations such as the desktop or in each directory containing encrypted files. The ransom note may include instructions on how to pay the ransom, often in cryptocurrency like Bitcoin, a deadline for payment to avoid permanent data loss, and contact information for the attackers, often an email address or a link to a dark web site.

How to remove TellYouThePass Ransomware and decrypt .locked files

TellYouThePass is a type of ransomware that first emerged in 2019. It is known for encrypting files on infected systems and demanding a ransom for their decryption. This ransomware has seen a resurgence, particularly in exploiting vulnerabilities such as Apache Log4j and, more recently, a critical PHP vulnerability (CVE-2024-4577). The ransomware targets both Windows and Linux operating systems and has been rewritten in Golang to facilitate cross-platform attacks. Once TellYouThePass encrypts files on an infected system, it appends the .locked extension to the filenames. For example, a file named document.docx would be renamed to document.docx.locked. TellYouThePass ransomware uses a combination of RSA-1024 and AES-256 cryptographic algorithms to encrypt files. This combination ensures that the encryption is robust and difficult to break without the decryption key. After encrypting the files, TellYouThePass creates a ransom note named README.html in each affected directory. This note contains instructions for the victim on how to pay the ransom, typically in Bitcoin, and how to contact the attackers to receive the decryption tool. The note warns victims not to rename the encrypted files or attempt to decrypt them using other tools, as this could result in permanent data loss.

How to play Bodycam on Mac

Bodycam is a first-person shooter (FPS) game developed by Reissad Studio, known for its ultra-realistic graphics and unique gameplay perspective. The game is played from the viewpoint of a body-worn camera, which adds a distinctive found-footage feel often seen in police or military operations. This perspective, combined with high-fidelity graphics and realistic audio, aims to create an immersive and intense gaming experience. The game leverages Unreal Engine 5 to deliver hyper-detailed environments and lifelike visuals, making the gameplay appear almost like real footage. The bodycam perspective offers a different take on the traditional FPS control scheme, requiring players to adjust their aim and movement more precisely. Bodycam includes three game modes: Free-For-All Deathmatch, Team Deathmatch, and Body Bomb. Maps feature a dynamic day and night cycle, adding another layer of strategy, especially with the use of flashlights in dark environments. Additionally, the game includes a global ranking system, allowing players to compete on a worldwide scale. Bodycam has garnered significant attention for several reasons. Its ultra-realistic graphics and audio create an immersive experience that stands out in the FPS genre. The bodycam POV offers a fresh take on FPS gameplay, differentiating it from other shooters. The game has been widely discussed on social media and streaming platforms, contributing to its popularity. Furthermore, Bodycam has often been compared to Unrecord, another bodycam-style game, which has helped it gain visibility. Currently, Bodycam is only available for Windows PCs and does not officially support macOS. To run Bodycam on a Mac, you would need to use a workaround such as installing Windows on your Mac using Boot Camp, using a cloud gaming service, or using a compatibility layer called CrossOver.

How to remove Razy Ransomware and decrypt .razy or .razy1337 files

Razy Ransomware is malicious software designed to encrypt files on a victim's computer using an asymmetric encryption algorithm. Once it infects a system, it appends either .razy or .razy1337 as an extension to the names of the encrypted files, making them inaccessible without the decryption key. Following the encryption process, Razy creates three specific files and places them on the desktop: css.vbs, index.html, and razy.jpg. The "razy.jpg" file serves as an initial alert to the user, indicating that their files have been encrypted and directing them to open the index.html file for further instructions. However, unlike typical ransomware that provides detailed payment instructions and demands a ransom in cryptocurrency (usually between 0.5 and 1.5 Bitcoin), Razy's approach is somewhat different. The "index.html" file contains four links: two for payment and two leading to Razy's social media pages on Twitter and Facebook. Notably, these links are broken, suggesting that they lead nowhere. This peculiarity has led to the assumption that Razy might still be in development or created for research purposes rather than for financial gain.

How to remove PartiZAN32 Ransomware and decrypt .qwertzuioplkjhgfyxcvbnmD files

PartiZAN32 Ransomware is a type of malware that restricts access to data by encrypting files and demanding a ransom for their decryption. It was discovered during an analysis of samples uploaded to the VirusTotal website. This ransomware appends a unique extension to the encrypted files and changes the desktop wallpaper to notify the victim of the attack. Once PartiZAN32 infects a computer, it encrypts the files and appends a specific extension to the filenames. The extension used by PartiZAN32 is .qwertzuioplkjhgfyxcvbnmD. For example, a file named 1.jpg would be renamed to 1.jpg.qwertzuioplkjhgfyxcvbnmD. PartiZAN32 uses strong encryption algorithms to lock the files on the infected computer. The exact encryption algorithm used by PartiZAN32 is not specified in the sources, but ransomware from the Xorist family typically employs symmetric encryption methods, making decryption without the key extremely difficult. PartiZAN32 creates two types of ransom notes to inform the victim about the encryption and the ransom demand: a text file named HOW TO DECRYPT FILES.txt, created on the desktop and in various folders, and a pop-up window displaying the ransom message. The ransom note instructs the victim to contact the attackers via email (pasomnicadecryption@gmail.com) to receive a decryption key. It also warns against attempting to decrypt the files without the provided key, as this could result in permanent data loss. The note mentions that the victim has five attempts to enter the correct decryption key, after which the files and the victim's IP address will be sold on the dark web.

How to remove FOG Ransomware and decrypt .FOG or .FLOCKED files

FOG Ransomware is a newly identified strain of malicious software designed to encrypt files on infected devices, rendering them inaccessible until a ransom is paid. This ransomware variant was first detected in early May 2024 and has primarily targeted educational institutions and recreation sectors in the United States. Once Fog ransomware encrypts files, it appends either the .FOG or .FLOCKED extension to the filenames. For example, a file named document.docx would be renamed to document.docx.FOG or document.docx.FLOCKED. FOG Ransomware uses a multi-threaded encryption routine to encrypt files. It gathers system information, such as the number of logical processors, to allocate threads efficiently for encryption. The ransomware employs Windows API calls and references the NT API for system information. It also uses a JSON-based configuration block to control pre- and post-encryption activities, including the use of an embedded public key for encryption. After encrypting the files, Fog ransomware drops a ransom note named readme.txt in the affected directories. This note provides instructions for the victims on how to contact the attackers and negotiate the ransom payment. The note typically includes a link to a Tor dark website where victims can communicate with the attackers and view a list of stolen files.

How to stop “Saved Passwords Were Found Online” e-mail spam

The "Saved Passwords Were Found Online" email scam is a type of phishing email that falsely claims that some of the recipient's saved passwords have been exposed online due to a data breach at a website or application they use. The email typically includes a call to action, urging the recipient to review their passwords immediately by clicking on a "Check passwords" button or link. This link, however, leads to a fraudulent webpage designed to capture the recipient's login credentials and other sensitive information.