
How to remove Alphaware Ransomware and decrypt .Alphaware files

Alphaware Ransomware is a malicious program that employs a combination of algorithms to encrypt its victims' valuable data. After encrypting the files, the ransomware reveals its name, Alphaware, in a note, while the associated executable is named Alphaware.exe. The perpetrators behind this threat identify themselves as the Alpha group of hackers. Their modus operandi is to demand a ransom of $300 in BTC (Bitcoin) in exchange for the decryption key needed to restore the compromised files to their original state. Alphaware Ransomware, which first surfaced around mid-May 2023, primarily targets English-speaking users but can infect systems worldwide. Infected files are renamed, with the .Alphaware extension appended to the original filename. The ransom demand is delivered in a file named readme.txt.

How to remove Vatq Ransomware and decrypt .vatq files

A new generation of STOP Ransomware (Djvu Ransomware) began adding the .vatq extension to encrypted files at the end of May 2023. We remind you that Vatq Ransomware belongs to a family of crypto-viruses that extort money in exchange for data decryption. The latest examples of STOP Ransomware are sometimes categorized as Djvu Ransomware, as they have used nearly identical ransom note templates since the beginning of 2019, when the .djvu extension was first appended. Vatq Ransomware uses the same email addresses as the last several dozen versions: support@freshmail.top and datarestorehelp@airmail.cc. Full decryption is only possible in the 1-2% of cases where an offline encryption key was used (by means of the STOP Djvu Decryptor). In all other cases, use the instructions and tools offered in this article. Vatq Ransomware creates a _readme.txt ransom note file that looks almost the same as in previous versions.

How to remove FAST Ransomware and decrypt .FAST files

FAST Ransomware is a type of malware that our research team recently discovered while investigating submissions on the VirusTotal website. This particular malicious program is classified as ransomware, which means it is designed to encrypt data on a victim's computer and demand a ransom in exchange for its decryption. When we tested the ransomware on our own machine, we observed that it encrypted files and modified their filenames. The original file names were altered by appending the cybercriminals' email address, a unique victim ID, and the .FAST extension. For example, a file named sample.pdf would appear as sample.pdf.EMAIL=[fastdec@tutanota.com]ID=[RANDOM].FAST after encryption. After completing the encryption process, FAST Ransomware dropped a ransom note titled #FILEENCRYPTED.txt onto the victim's desktop.

How to remove EXISC Ransomware and decrypt .EXISC files

EXISC is a form of malware known as ransomware that came to our attention during our investigation. Its primary purpose is to encrypt data and demand payment in exchange for the decryption key. Upon executing a sample of this ransomware on our test system, we observed that it encrypted files and appended the .EXISC extension to their original filenames. For instance, a file named sample.pdf would appear as sample.pdf.EXISC. The ransomware also created a ransom note titled Please Contact Us To Restore.txt. Based on the message contained in the note, it became evident that EXISC primarily targets large organizations rather than individual home users. Victims often do not receive the promised decryption keys or software, even after complying with the ransom demands. Therefore, we strongly discourage paying the ransom, as it does not guarantee data recovery and only perpetuates criminal activity.

How to remove Vaze Ransomware and decrypt .vaze files

Vaze Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is a widespread file-encrypting extortion virus. It is one of the most dangerous ransomware families, with a high damage rate and wide prevalence. It uses the AES-256 encryption algorithm in CFB mode with a zero IV and a single 32-byte key for all files. A maximum of 0x500000 bytes (~5 MB) of data at the beginning of each file is encrypted. The virus appends the .vaze extension to encoded files. The infection affects important and valuable files: MS Office documents, OpenOffice documents, PDFs, text files, databases, photos, music, videos, image files, archives, application files, etc. Djvu Ransomware does not encrypt system files, so that Windows keeps operating correctly and users are able to browse the internet, visit the payment page and pay the ransom. Vaze Ransomware creates a _readme.txt file, the so-called "ransom note", which contains payment instructions and contact details. The virus places it on the desktop and in the folders with encrypted files. The developers provide the following contact details: support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Vapo Ransomware and decrypt .vapo files

The disastrous virus known as STOP Ransomware, and in particular its latest variation, Vapo Ransomware, has not slowed down and continues its malicious activity even during the peak of the coronavirus pandemic. Hackers release new variations every 3-4 days, and it is still hard to prevent the infection and recover from it. Recent versions have changed the extension appended to affected files; it is now .vapo. Although decryption tools from Emsisoft are available for previous versions, the newest ones are usually not decryptable. The penetration, infection, and encryption processes remain the same: spam and malvertising campaigns, peer-to-peer downloads, user inattentiveness, and a lack of decent protection lead to a severe loss of data after encryption with the strong AES-256 algorithm. After finishing its devastating activity, Vapo Ransomware leaves a text file, the ransom note called _readme.txt, from which we learn that decryption costs from $490 to $980 and is impossible without a specific decryption key.

How to remove Gatq Ransomware and decrypt .gatq files

Gatq Ransomware is, in fact, a subtype of the notorious STOP Ransomware (DjVu Ransomware), which has been active since December 2017. The virus uses the AES-256 (CFB mode) encryption algorithm. This new version appeared in the middle of May 2023 and adds the .gatq extension to encrypted files. STOP Ransomware belongs to a family of crypto-viruses that demand money in exchange for decryption. The good news is that most previous versions of Gatq Ransomware could be decrypted using a special tool called STOP Djvu Decryptor (download link below in the article), developed by Emsisoft. Gatq Ransomware uses exactly the same e-mail addresses, ransom note patterns and other parameters as dozens of its predecessors: support@freshmail.top and datarestorehelp@airmail.cc. The malware creates a _readme.txt ransom note file with all the contact information and explanations.

How to remove Gaze Ransomware and decrypt .gaze files

Gaze Ransomware is one of many ransomware versions issued by the STOP/Djvu family. This particular version was released at the end of May 2023. Just like older versions, Gaze Ransomware encrypts data stored on the PC and demands a crypto ransom for the unique decryption software that will unlock it. Most often, malware like Gaze scans the available files and blocks access to the most valuable ones. This list usually consists of images, music, videos, and documents containing important information. After locating these files, the file-encryptor applies strong cryptographic algorithms to them to prevent users from decrypting them manually. Victims infected with this ransomware version will see their files renamed with the .gaze extension. This means a compromised file like 1.pdf will change to something like 1.pdf.gaze. Then, Gaze developers set up their virus to create the _readme.txt file that features decryption guidelines.