Tutorials

Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove Dharma-Frend Ransomware and decrypt .frend files

Dharma-Frend Ransomware is a typical offshoot of the Crysis-Dharma-Cezar ransomware family. This particular variation appends the .frend extension to encrypted files and makes them unusable. Dharma-Frend Ransomware doesn't have an effective decryptor; however, we recommend that you try the instructions below to attempt to restore your files. Dharma-Frend Ransomware adds a suffix that consists of multiple parts: a unique user ID, the developer's e-mail address and the .frend suffix. The filename pattern after encryption looks like this: a file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].frend. The authors of Dharma-Frend Ransomware extort a $10000 ransom from victims. Using cryptocurrency and TOR-hosted payment websites makes it impossible to track the malefactors. Besides, victims of such viruses often get scammed, and the malefactors don't send any keys even after the ransom is paid. Unfortunately, manual or automatic decryption is impossible unless the ransomware was developed with mistakes or had certain execution errors, flaws or vulnerabilities. We do not recommend paying any money to the malefactors. Often, after some period of time, security specialists from antivirus companies or individual researchers decode the algorithms and release decryption keys.

How to remove Dharma-Amber Ransomware and decrypt .amber files

Dharma-Amber Ransomware is nearly identical to previous versions of the Crysis-Dharma-Cezar ransomware family, except that it now adds the .amber extension to encrypted files. Dharma-Amber Ransomware constructs the file extension from several parts: an e-mail address, a unique 8-digit identification number (randomly generated) and the .amber extension. The ID number is also used for victim identification when the hackers send a decryption key (although they rarely do). The authors of Dharma-Amber Ransomware demand a ransom of $500 to $15000, which can be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send a decryption key. This type of ransomware is coded and distributed as RaaS (Ransomware as a Service), and the people you are trying to contact may be just resellers. That is why the amount of money they want for decryption can be very large. Using cryptocurrency makes it impossible to track the payee. We do not recommend paying any money to the malefactors. Usually, after some period of time, security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys.

How to remove STOP Ransomware and decrypt .djvu, .udjvu or .blower files

STOP Ransomware is a file-encrypting ransomware-type virus that encrypts user files using the AES (CFB mode) encryption algorithm. DJVU Ransomware is identified as a variation of STOP Ransomware. The virus appends the .djvu, .udjvu or .djvuu extension to encrypted files, which can confuse some users, as this is a popular file format for e-books and for storing scanned documents. When encryption is finished, DJVU Ransomware places an _openme.txt text file with the following content in the folders with affected files and on the desktop.

How to remove Paradise Ransomware and decrypt .VACv2, .CORP or .xyz files

Paradise Ransomware is a file-encrypting virus that encrypts the user's files using the RSA-1024 encryption algorithm. The latest versions of this threat append the .VACv2, .CORP or .xyz extensions. Previously, Paradise Ransomware used .paradise, .sell, .ransom, .logger, .prt and .b29. Among all variations, only the last one can be decrypted. The ransomware has many similarities with Dharma Ransomware, as it has a very similar design and uses similar patterns for file modifications. The authors of the virus offer an e-mail address to contact them for decryption negotiation: admin@prt-decrypt.xyz. They demand several thousand dollars for decryption, which has to be paid in BitCoins. It is also stated that 1-3 useless files can be decrypted for free as proof that decryption is possible. However, the malefactors cannot be trusted. Instead, we recommend that you try the instructions below to restore files encrypted by Paradise Ransomware.

How to remove STOP Ransomware and decrypt .tfude, .tfudet or .tfudeq files

Tfude Ransomware, which is actually the next generation of STOP Ransomware, appeared in January of 2019. This virus encrypts the user's essential files, such as documents, photos, databases and music, with AES encryption and adds the .tfude extension (later versions started to append .tfudet and .tfudeq) to affected files. This ransomware is almost identical to .puma Ransomware and .djvu Ransomware, and belongs to the same authors, because it uses the same e-mail addresses (pdfhelp@india.com and pdfhelp@firemail.cc) and the same BitCoin wallets. The Tfude variation of STOP Ransomware displays a fake Windows Update pop-up during the process of file encryption. From the file above we can understand that the hackers offer a 50% discount for decryption if the ransom amount is paid within 72 hours. However, this is just a trick to encourage people to pay the ransom. Often the hackers don't send a decryptor after this. We recommend that you remove the executables of STOP Ransomware and keep the encrypted files until a decryption tool appears. Before that, you can try the manual instructions described in this article to restore files.