Viruses Archives | Page 2 of 20

If you were attacked by the virus, your files are encrypted, not accessible, and got .poret, .heroset, .pidom or .pidon extensions, that means your PC is infected with STOP Ransomware (sometimes called DJVU Ransomware, named after .djvu extension, that was initially added to encrypted files). This encryption virus was very active in 2018 and 2019 and caused great financial damage to thousands of users. Unfortunately, there is very difficult to track down the malefactors, because they use anonymous TOR servers and cryptocurrency. However, with instructions, given in this article you will be able to remove STOP Ransomware and return your files.

June 5, 2019 James Kramer 0

How to remove STOP (DJVU) Ransomware and decrypt .stone, .davda, .lanset or .redmat files

Standard

STOP Ransomware (a.k.a. DJVU Ransomware) is wide-spread file-encrypting virus-extortionist. This is one of the most dangerous ransomware with high damaging effect and prevalence rate. It uses AES-256 encryption algorithm in CFB mode with zero IV and a single 32-byte key for all files. A maximum of 0x500000 bytes (~5 Mb) of data at the beginning of each file is encrypted. Virus appends .stone, .davda, .lanset or .redmat extensions to encoded files. Infection affects important and valuable files. These are MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives, application files, etc. DJVU Ransomware does not encrypt system files, to make sure Windows operates correctly and users are able to browse internet, visit payment page and pay the ransom. STOP Ransomware creates _readme.txt file, that is called “ransom note” and it contains instructions to make payment and contact details.

June 2, 2019 James Kramer 0

How to remove Phobos Ransomware and decrypt .phobos, .mamba, .phoenix or .actin files

Standard

Phobos Ransomware is a virus, that encrypts user files using AES encryption algorithm and demands ~$3000 for decryption. Ransomware adds .phobos, .phoenix, .actin, .karlos or .Frendi extensions to encoded files and makes them inaccessible. In order to confuse users and researchers Phobos Ransomware uses file-modification patterns and ransom notes similar to very wide-spread Dharma Ransomware. Especially after design change in January, 2019, when they started to look like identically. However, there are certain differences in file-markers and appearance. After contacting the developers via one of the provided e-mails, they demand $3000 in BitCoins for decryption to be paid in 6 hours. Otherwise, the cost of decryption will increase up to $5000. At the moment automated decryptors for Phobos Ransomware do not exist. There is no proof, that malefactors send decryptors to the victims, that is why we do not recommend paying the ransom. Instead, try using instructions on this page to recover encrypted files. File-recovery software can restore some files from your hard-drive.

May 28, 2019 James Kramer 0

How to remove STOP (DJVU) Ransomware and decrypt .rectot, .rezuc, .mogera or .skymap files

Standard

STOP Ransomware (a.k.a. DJVU Ransomware) is extremely dangerous virus that encrypts files using AES-256 encryption algorithm and adds .rectot, .rezuc .mogera or .skymap extensions to affected files. Infection mostly involves important and valuable files, like photos, documents, databases, e-mails, videos etc. Rectot Ransomware does not touch system files to allow Windows operate, so users will be able to pay the ransom. If the malware server is unavailable (computer is not connected to the Internet, remote hackers’s server does not work), then the encryption tool uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. STOP Ransomware creates _readme.txt file, that contains ransom message and contact details, on the desktop and in the folders with encrypted files.

May 24, 2019 James Kramer 0

How to remove Dharma-Good Ransomware and decrypt .good files

Standard

Dharma-Good Ransomware is typical representative of encryption viruses from Crysis-Dharma-Cezar ransomware family. This sample appends .good extension to affected files. Dharma-Good Ransomware adds complex extension, that consists of unique id, developer’s e-mail and .good suffix. As a result, file named 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].good. Dharma-Good Ransomware developers can extort from $500 to $15000 ransom in BTC (BitCoins) for decryption. Usually, it is quite big amount of money, because hackers pay the commission to Dharma Ransomware as Service (RaaS) owners. Using cryptocurrency makes it impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don’t send any keys even after paying the ransom. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys. Mention, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software.