Viruses

Dharma-ETH Ransomware is new generation of high-risk Crysis-Dharma-Cezar ransomware family, particularly, its Dharma variation. It was named after the extension it appends to encrypted files: .ETH. In fact, virus adds complex suffix, that consists of several parts: e-mail address, unique 8-digit identification number (completely random) and .ETH extension. In the end, affected files get complex suffix, that looks like this - .id-{8-digit-id}.[{email-address}].ETH. Ransom notes do not contain information about the amount users need to pay to return the files. There is also no information about encryption algorithms it uses. However, from the experience of previous infections of this type, we can say it, probably, uses AES or RSA-2048 encryption and will try to rip you off on a sum from $500 to $1500, that have to be paid in Monero, Dash or BTC (BitCoins).

Dharma-KARLS Ransomware is new virulent file-encryption threat, built on well-known platform of Crysis-Dharma-Cezar ransomware family. Unlike other variations, this version adds .KARLS extension to encrypted files. Actually, Dharma-KARLS Ransomware creates complicated appendix, that consists of unique user id, developer's e-mail address and .KARLS suffix, from which it got its name. The template of filename modification looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].KARLS. Authors of Dharma-KARLS Ransomware can extort from $500 to $5000 ransom in BTC (BitCoins) for decryption. Using cryptocurrency and TOR-hosted payment websites makes it impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. Unfortunately, manual or automatic decryption is impossible unless ransomware was developed with mistakes or has certain execution errors, flaws or vulnerabilities.

Dharma-Frend Ransomware is typical embranchment of Crysis-Dharma-Cezar ransomware virus family. This particular variation appends .frend extension to encrypted files and makes them unusable. Dharma-Frend Ransomware doesn't have effective decryptor, however, we recommend you to try instructions below to attempt restoring your files. Dharma-Frend Ransomware adds suffix, that consists of multiple parts, such as: unique user's id, developer's e-mail address and .frend suffix. The pattern of filename after encryption looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].frend. Authors of Dharma-Frend Ransomware extort $10000 ransom from the victims. Using cryptocurrency and TOR-hosted payment websites makes it impossible to track malefactors. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. Unfortunately, manual or automatic decryption is impossible unless ransomware was developed with mistakes or had certain execution errors, flaws or vulnerabilities. We do not recommend to pay any money to malefactors. Often, after some period of time security specialists from antivirus companies or individual researchers decode the algorithms and release decryption keys.

Dharma-Amber Ransomware is nearly identical to previous versions of Crysis-Dharma-Cezar ransomware family, except that now it adds .amber extension to encrypted files. Dharma-Amber Ransomware constructs file extension from several parts: e-mail address, unique 8-digit identification number (randomly generated) and .amber extension. ID number is also used for victim identification, when hackers send decryption key (although they do it rarely). Dharma-Amber Ransomware authors demand from $500 to $15000 ransom, that can be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. This type of ransomware is coded and distributed as RaaS (Ransomware as service), and people your are trying to contact can be just resellers. That is why, amount of money they want for decryption can be very big. Using cryptocurrency makes it impossible to track the payee. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys.

STOP Ransomware is file-encrypting ransomware-type virus, that encrypts user files using AES (режим CFB) encryption algorithm. DJVU Ransomware is identified as variation of STOP Ransomware. Virus appends .djvu, .udjvu or .djvuu extension to encrypted files, what can embarrass some users, as this is popular file format for e-books and storing scanned documents. When encryption is finished DJVU Ransomware places _openme.txt text file with following content in the folders with affected files and on the desktop.

GandCrab v5.1 Ransomware is fifth generation of very dangerous and harmful GandCrab Ransomware. It is yet unknown what type of encryption algorithm it uses. Virus assigns randomly generated identification code to each particular user. It looks like set of 8 letters and GandCrab v5.1 Ransomware uses it to create .[random-letters] extension and ransom note filename will look like this: [random-letters]-DECRYPT.txt and [random-letters]-DECRYPT.html. The contents of this ransom note is slightly different from previous versions of this malware. Unfortunately, files encrypted by GandCrab v5.1 Ransomware are currently not decryptable. However, as some of the previous versions had decryptor from BitDefender, we will provide download link for this tool below. There is a possibility, that they will update the program to decrypt latest instances of GandCrab Ransomware. We also provide general manual instructions, that can, in many cases, help you restore some or even all encrypted files. All these methods are worth trying.

Monro Ransomware is subtype of Crysis-Dharma-Cezar ransomware family, that adds .monro extension to encrypted files. Virus uses composite extenion, that consists of e-mail adress and unique 8-digit identification number (randomly generated). Monro Ransomware developers extort from $500 to $1500, that have to be paid in Monero, Dash or BTC (BitCoins) for decryption. Due to the fact, that hackers often do not send decryption keys, or just ignore e-mails from victims, who paid the ransom, it is not recommended to send any funds. Usually, after some time security specialists and individual researchers break the algorithm and release master key. Also, some files can be recovered by using backups, recovery software and instructions given on this page.

Scarab-Enter Ransomware is one of the varieties of Scarab Ransomware family. Scarab Ransomware has typical malicious activity: it encrypts user files using AES encryption and demands ransom of 0.3 BitCoins for decryption. Virus-extorsionist appends .enter or .lol extensions to encrypted files. Depending on version, after encryption Scarab Ransomware creates text files HELP HELP HELP.TXT or HOW TO RECOVER ENCRYPTED FILES.TXT text files with instructions to pay the ransom. Some of the previous Scarab versions were decryptable, however, if you won't succeed in decryption, do not pay the ransom. There are a lot of reports from the victims, that malefactors don't send decryptors. If Dr. Web Decryption Service fails for you, try manual instructions on this page and file-recovery software. In most cases this helps to restore some important files. In this article we collected, consolidated and structured available information about this malware and possible ways of removal and decryption.