Viruses

Darus Ransomware, Lapoi Ransomware, Gusau Ransomware and Tocue Ransomware are next generations of STOP Ransomware family from the same authors. This virus aims important user's files, such as documents, photos, databases, music, mail. Ransomware encodes them with AES encryption and adds .darus, .lapoi, .gusau or .tocue extensions to affected files. All these variations use similar algorithms, that are unbreakable, however, in certain conditions .darus, .lapoi, .gusau and .tocue files can be encrypted by STOP Ransomware can be decrypted using STOPDecrypter (provided below). This version of STOP Ransomware uses following e-mail addresses: gorentos@bitmessage.ch and varasto@firemail.cc. STOP Ransomware creates _readme.txt ransom note file. Authors of Darus, Lapoi, Gusau and Tocue Ransomware promise to send decryption tool for encrypted files in exchange for $980 (or for $490, if the ransom is paid within 72 hours). We must warn the victims, that malefactors often don't keep promises, and cheat users without sending a decoder. We recommend you to remove the active infection of STOP Ransomware and use decryption tools available for .darus, .lapoi, .gusau or .tocue files. If decryption is impossible at the moment, keep encrypted files, that cannot be decrypted yet, to the moment, when the decryption tool will be updated. It's easy to find and copy encrypted files on your computer using CryptoSearch utility. Now you should try manual guide in this article to restore files.

Notorious STOP Ransomware continues its distribution with minor modifications. Since the middle of July 2019, new extensions appeared: .vusad, .gehad, .madek or .berosuce. At the same time, it distributes the AZORult trojan-stealer, which steals confidential information. It is capable of stealing various user data: information from files, browser history, passwords, cookies, online banking credentials, crypto-currency wallets, and more. Virus modifies the hosts file to block Windows updates, antivirus programs, and sites related to security news, selling antivirus software. This version of STOP Ransomware still uses following e-mail addresses: gorentos@bitmessage.ch and varasto@firemail.cc. Authors of STOP Ransomware promise to send decryption tool for encrypted files in exchange for $980 (or for $490, if the ransom is paid within 72 hours). We must warn the victims, that malefactors often don't keep promises, and cheat users without sending a decoder. We recommend you to remove the active infection of STOP Ransomware and use decryption tools available for .vusad, .gehad, .madek or .berosuce files. STOPDecrypter can decrypt encrypted data in certain circumstances.

Sodinokibi Ransomware (a.k.a. BlueBackground Ransomware or REvil Ransomware) is disruptive cryptovirus, that encrypts user data using Salsa20 algorithm with the ECDH-based key exchange method, and then requires a ransom around 0.475–0.950 BTC to return the files. In other words, if the amount is set at $2500, then without paying within 7 days, it doubles to $5000. It appeared in April 2019 for the first time. Inside the JSON configuration file is a list of 1079 domains. Sodinokibi establishes a connection with each domain of this list by generating a URL using a domain generation algorithm, although, they are not Sodinokibi servers. Follow the detailed guide on this page to remove Sodinokibi Ransomware and decrypt your files in Windows 10, 8/8.1, Windows 7.

STOP Ransomware (in other classification DJVU Ransomware) is harmful malware, that blocks access to user's files by encrypting them and requires a buyout. The virus uses unbreakable encryption algorithm (AES-256 with RSA-1024 key) and demands ransom to be paid in BitCoins. However, due to some programming mistakes, there are cases when your files can be decrypted. Version of STOP Ransomware, that we are considering today adds .besub, .godes, .cezor or .lokas extensions to encrypted files. After the encryption it presents file _readme.txt to the victim. This text file contains information about the infection, contact details and false statements about decryption guarantees. The infection with STOP Ransomware is very unfortunate, but you should keep calm. Do not succumb to provocations, and do not trust the hackers. In most cases, they will never return your files after paying the ransom. Think of possible backups and duplicates of the affected data, that may be stored elsewhere. There is a great called STOPDecrypter, developed by Michael Gillespie, that, probably, will help you to decrypt sensitive information.

CryptON Ransomware or Nemesis Ransomware or X3M Ransomware is one of the most dangerous and wide-spread ransomware families. Currently, there are multiple successors of initial virus and several deviations built on another platforms. Cry9, Cry36 and Cry128 Ransomware came from this series. Virus uses mix of AES-256, RSA-2048 and SHA-256 encryption algorithms Latest discovered version is actually called CryptON Ransomware and uses .ransomed@india.com extension for affected files. Ransom demand from 0.2 to 1 BitCoin for decryption. It is not recommended to pay the ransom as there are no guarantee malefactors will send decryption key. Use instructions on this page to remove CryptON Ransomware and decrypt .ransomed@india.com, _x3m or _locked files from Windows 10, Windows 8 or Windows 7.