How to remove Ragnarok Ransomware and decrypt .thor or .ragnarok_cry files

Ragnarok is a ransomware infection discovered by Karsten Hahn. Like other threats of this type, it encrypts stored data and appends a new extension to each file. Developers of Ragnarok Ransomware may have other versions of the virus; this one assigns the .thor or .ragnarok_cry extension. No additional symbols are included: the malicious extension is simply appended to the file name (1.mp4.ragnarok_cry). Once the encryption process is complete, users receive a note with decryption steps called How_To_Decrypt_My_Files.txt (alternatively, !!Read_me_How_To_Recover_My_Files.html). The note states that encrypted files can be unlocked only with a special tool, which is held by the cybercriminals. To get it, victims have to contact the swindlers and send the required fee in BTC to their address. Victims can also provide a file (less than 3Mb) for free decryption. This way, the extortionists are allegedly proving that they can be trusted. In reality, they can ignore you even after you have paid for the recovery. Deleting Ragnarok Ransomware will not decipher your files, but it is important to do so to prevent further encryption of data.

How to remove Foqe Ransomware and decrypt .foqe files

Foqe Ransomware is a subtype of STOP Ransomware (or DJVU Ransomware) and has all the characteristics of this family of viruses. The malware blocks access to the data on the victim's computer by encrypting it with the AES encryption algorithm. STOP Ransomware is one of the longest-living ransomware families; the first infections were registered in December 2017. Foqe Ransomware is yet another generation of it and appends the .foqe extension to encrypted files. Following the encryption, the malware creates a ransom note file, _readme.txt, on the desktop and in the folders with encrypted files. In this file, the hackers provide information about decryption and contact details, such as e-mail addresses and the Telegram account @datarestore. The good news is that successful file decryption is possible, although several conditions have to be met. If the affected PC was not connected to the internet, or the malicious server that generates keys was not accessible at the moment of infection, a tool called STOP Djvu Decryptor can decrypt files encrypted by Foqe Ransomware. We provide a download link and instructions on how to use it below in the article. There are also some alternative ways to recover your photos, documents, videos, etc. File-recovery software and certain default Windows system functions, such as restore points, shadow copies, and previous versions of files, can be helpful.

How to remove Solve Ransomware and decrypt .encrypted files

Solve Ransomware is a malicious program that specializes in encrypting network storage. Victims whose NAS storage was infected found their files changed with the new .encrypted extension, so a file would appear like this: 1.mp4.encrypted. This extension is generic and has been used by many ransomware developers. Solve Ransomware has not been examined enough for tools that unlock its cipher to be available. This is why the extortionists offer to contact them and pay the ransom in BTC, following instructions presented in a text note (SOLVE ENCRYPTED FILES.txt) that is created after the encryption process is done. Unfortunately, this option does not guarantee transparency or honesty on the part of the swindlers. You can be fooled and not given any decryption tools even after making payment. This is why we recommend you delete Solve Ransomware and try to decrypt data via some basic instruments provided below.

How to remove Moss Ransomware and decrypt .moss files

Moss Ransomware is a devastating encryption virus from the STOP Ransomware (DJVU Ransomware) series. It gets its name from the .moss extension that the ransomware adds to the end of encrypted files. From a technical point of view, the virus remains the same as previous versions. The malware uses an identical ransom note, called _readme.txt. From this note, we learn that the malefactors offer to decrypt 1 file for free and can provide a "discount" if the user pays fast (within the first 72 hours). Our experience and reports from multiple victims show that those are false promises. Hackers rarely reply after receiving the payment. However, do not despair: there are cases when your files can be decrypted. If there was an internet connection loss or a malfunction of the hackers' servers during the encryption process, Moss Ransomware uses an offline key that can be retrieved by a special tool called STOP Djvu Decryptor. Please download it below and carefully read the instructions on how to use it. If STOP Djvu Decryptor is unable to help you, you can try some alternative methods to restore your photos, documents, videos, etc. Standard Windows system functions, such as restore points, shadow copies, and previous versions of files, can be useful, although malicious algorithms often prevent such opportunities.

How to remove Egregor Ransomware and decrypt your files

Egregor is ransomware that belongs to the Sekhmet family and promotes various versions of malware. This time around, users reported dealing with the virus called Egregor, which encrypts private data and demands payment for decryption. Depending on which version attacked your system, the encryption process may vary slightly. For example, Egregor adds the .egregor extension to each of the infected files so they look like this: 1.mp4.egregor. Alternatively, files can receive a string of randomly generated characters (1.mp4.WaBuD). After the encryption is finished, the virus creates a note called RECOVER-FILES.txt that contains step-by-step instructions to recover the compromised data. It says that victims have to get in touch with the cybercriminals no later than 3 days via the attached browser link. If the announced deadline passes, the extortionists will publish sensitive data all over the web. Cybercriminals can ask different fees for the recovery. Sometimes the amount can exceed thousands of dollars, especially if the data has significant value to its owners. Unfortunately, you will not be able to find any free tools to decrypt the files affected by Egregor. At this moment, the only feasible way to recover data is by using an external backup, if one was created prior to the encryption.

How to remove RenameX12 Ransomware and decrypt your files

RenameX12 is a ransomware infection that encrypts files of different sorts. Unlike similar infections of this type, it does not add any extensions or symbols to identify the blocked files. All data appears original even after the actual attack. The extortionists do this intentionally to prevent users from detecting the name of the ransomware and from finding ways to decrypt files. Despite this, cyber experts managed to crack the mystery and established the virus name via the text note (New Text Document) that is created after encryption. This note contains instructions to help you recover the locked data. The swindlers ask victims to contact them via one of the attached e-mails. After you pay the ransom (usually in Bitcoin), you will receive decryption tools to decipher the data. However, this is a huge risk since there is no evidence of their trustworthiness. The best way to recover files is to delete the ransomware itself and restore data from an external backup, if one was created prior to the encryption.