Dharma-Amber Ransomware is nearly identical to previous versions of Crysis-Dharma-Cezar ransomware family, except that now it adds .amber extension to encrypted files. Dharma-Amber Ransomware constructs file extension from several parts: e-mail address, unique 8-digit identification number (randomly generated) and .amber extension. ID number is also used for victim identification, when hackers send decryption key (although they do it rarely). Dharma-Amber Ransomware authors demand from $500 to $15000 ransom, that can be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. This type of ransomware is coded and distributed as RaaS (Ransomware as service), and people your are trying to contact can be just resellers. That is why, amount of money they want for decryption can be very big. Using cryptocurrency makes it impossible to track the payee. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys.
STOP Ransomware is file-encrypting ransomware-type virus, that encrypts user files using AES (режим CFB) encryption algorithm. DJVU Ransomware is identified as variation of STOP Ransomware. Virus appends .djvu, .udjvu or .djvuu extension to encrypted files, what can embarrass some users, as this is popular file format for e-books and storing scanned documents. When encryption is finished DJVU Ransomware places _openme.txt text file with following content in the folders with affected files and on the desktop.
Tfude Ransomware, which is actually next generation of STOP Ransomware appeared in January of 2019. This virus encrypts user's essential files, such as documents, photos, databases, music with AES encryption and adds .tfude (later started to append .tfudet and .tfudeq) extensions to affected files. This ransomware is almost identical to .puma Ransomware and .djvu Ransomware, and belongs to the same authors, because it uses the same e-mail adresses (email@example.com and firstname.lastname@example.org) and same BitCoin wallets. Tfude variation of STOP Ransomware displays fake Windows Update pop-up during the process of file encryption. From the file above we can understand, that hackers offer 50% discount for decryption, if ransom amount is paid within 72 hours. However, this is just a trick to encourage people to pay the ransom. Often hackers don't send decryptor after this. We recommend you to remove executables of STOP Ransomware and save those encrypted files to the time, when decryption tool appears. Before that, you can try manual instructions described in this article to restore files.
This article contains information about version of STOP Ransomware that adds .pdff, .tro or .rumba extensions to encrypted files, and creates _openme.txt ransom note file on the desktop and in the folders with affected files. This variation first appeared in January, 2019 and almost identical to previous .puma Ransomware and .djvu Ransomware. Ransomware virus still uses AES encryption algorithm and still demands ransom in BitCoins for decryption. All three varieties belong to one author, because they are using the same e-mail addresses for communication: email@example.com and firstname.lastname@example.org. From the file above we can learn, that hackers offer 50% discount for decryption, if ransom amount is paid within 72 hours. However, from our experience, this is just a trick to encourage person to pay the ransom. Often malefactors don't send decryptor after this. We recommend, that you remove active infection of STOP Ransomware and preserve your files until decryption tool appears. Until that time, you can try manual instructions on this page to attempt restoring encrypted files.
GandCrab v5.1 Ransomware is fifth generation of very dangerous and harmful GandCrab Ransomware. It is yet unknown what type of encryption algorithm it uses. Virus assigns randomly generated identification code to each particular user. It looks like set of 8 letters and GandCrab v5.1 Ransomware uses it to create .[random-letters] extension and ransom note filename will look like this: [random-letters]-DECRYPT.txt and [random-letters]-DECRYPT.html. The contents of this ransom note is slightly different from previous versions of this malware. Unfortunately, files encrypted by GandCrab v5.1 Ransomware are currently not decryptable. However, as some of the previous versions had decryptor from BitDefender, we will provide download link for this tool below. There is a possibility, that they will update the program to decrypt latest instances of GandCrab Ransomware. We also provide general manual instructions, that can, in many cases, help you restore some or even all encrypted files. All these methods are worth trying.
Monro Ransomware is subtype of Crysis-Dharma-Cezar ransomware family, that adds .monro extension to encrypted files. Virus uses composite extenion, that consists of e-mail adress and unique 8-digit identification number (randomly generated). Monro Ransomware developers extort from $500 to $1500, that have to be paid in Monero, Dash or BTC (BitCoins) for decryption. Due to the fact, that hackers often do not send decryption keys, or just ignore e-mails from victims, who paid the ransom, it is not recommended to send any funds. Usually, after some time security specialists and individual researchers break the algorithm and release master key. Also, some files can be recovered by using backups, recovery software and instructions given on this page.