Viruses

How to remove STOP Ransomware and decrypt .mosk, .lokf, .meka or .toec files

STOP Ransomware is a sophisticated encryption virus that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest versions, which appeared in November, add the .mosk, .lokf, .meka or .toec extensions to files and make them unreadable. To date, the family includes about 180 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe and South America, India and Southeast Asia. The threat has also affected the United States, Australia, and South Africa. Although the STOP virus is less well known than GandCrab, Dharma, and other ransomware trojans, it accounts for more than half of the attacks detected this year. Moreover, the next entry in the ranking, the aforementioned Dharma, lags behind it on this measure by more than a factor of four.

How to remove Paradise Ransomware and decrypt .paradise, .2ksys19, .p3rf0rm4 or .FC files

Paradise Ransomware is a file-encrypting virus that encrypts users' files using the RSA-1024 encryption algorithm. The latest versions of this threat append the .VACv2, .CORP or .xyz extensions. Previously, Paradise Ransomware used .paradise, .sell, .ransom, .logger, .prt and .b29. Among all these variants, only the last one can be decrypted. The ransomware has many similarities with Dharma Ransomware: it has a very similar design and uses similar patterns for file modification. The authors of the virus offer an e-mail address for decryption negotiations: admin@prt-decrypt.xyz. They demand several thousand dollars for decryption, to be paid in Bitcoin. It is also stated that 1-3 useless files can be decrypted for free as proof that decryption is possible. However, the malefactors cannot be trusted. Instead, we recommend that you try the instructions below to restore files encrypted by Paradise Ransomware.

How to remove STOP Ransomware and decrypt .derp, .nakw, .coot or .nols files

STOP Ransomware (a.k.a. Djvu Ransomware) encrypts the victim's files with Salsa20 (a stream cipher) and appends one of hundreds of possible extensions, including the latest discovered ones: .derp, .nakw, .coot or .nols. STOP is one of the most active ransomware families today, yet it is rarely discussed. The prevalence of STOP is also confirmed by the extremely active forum thread on Bleeping Computer, where victims seek help. This malware mainly targets consumers of pirated content and visitors to suspicious sites, and is distributed as part of advertising bundles. Successful decryption is possible in some cases; however, to date more than 174 STOP variants are known to researchers, and such variety significantly complicates the situation.

How to remove Muhstik (QNAPCrypt) Ransomware and decrypt .muhstik files

Muhstik Ransomware is a nasty encryption virus that encrypts user data on QNAP NAS network drives using AES-256 (CBC mode) + SHA256 algorithms, and then demands a ransom of 0.045 - 0.09 BTC (currently ~$700) to return the files. According to researchers, this program is not directly related to eCh0raix Ransomware, although there is a certain external similarity. After finishing the encryption procedure, the malware adds the .muhstik extension to affected files. The malware first checks the system language and does not start encryption on systems with the Russian, Belarusian or Ukrainian language. At the moment, there is a public decryption tool called Emsisoft Decrypter for Muhstik available. It is able to decrypt files encrypted by most versions of this virus. If it is unable to recover the data, full recovery is only possible with the help of backups.

How to remove STOP Ransomware and decrypt .leto, .werd, .bora or .xoza files

STOP Ransomware (sometimes called DJVU Ransomware) is an obnoxious virus that encrypts files on computers using the AES encryption algorithm, makes them unavailable and demands money in exchange for a so-called "decryptor". Files processed by the latest version of STOP Ransomware, in particular, can be distinguished by the .leto, .werd, .bora or .xoza extensions. Analysis showed that the ransomware installer, delivered along with a "crack" or adware, is installed under an arbitrary name in the %LocalAppData%\ folder. When executed, it loads four executable files there: 1.exe, 2.exe, 3.exe and updatewin.exe. The first of them is responsible for neutralizing Windows Defender, the second for blocking access to information security sites. After the malware is launched, a fake message appears on the screen claiming that a Windows update is being installed. In reality, at that moment almost all user files on the computer are being encrypted. In each folder containing encrypted documents, a text file (_readme.txt) appears in which the attackers explain the operation of the virus. They offer to decrypt the files in exchange for a ransom, urging victims not to use third-party programs, as this can lead to the deletion of all documents.