
Viruses

How to remove Nigra Ransomware and decrypt .nigra files

Nigra is the name of a recently reported file encryptor that is considered a variant of Sojusz Ransomware. The cybercriminals behind a successful attack encrypt the victim's data and then attempt to extort money for its decryption. Files encrypted by this infection are renamed according to the pattern [victim's ID].[cybercriminals' e-mail address] or [victim's ID].[filename], with the .nigra extension appended at the end; an affected file may therefore carry a suffix such as .[9347652d51].[nigra@skiff.com].nigra. Note that the added extension is purely cosmetic: removing or renaming it does not undo the encryption, because the file contents themselves have been rewritten. Once encryption is complete, the virus leaves a text file with decryption instructions on the victim's desktop. The name of the note dropped by Nigra Ransomware has not yet been publicly disclosed, but it is likely the same as or similar to those used by related variants, such as -----README_WARNING-----.txt, #_README-WARNING_#.TXT, README_WARNING_.txt, !!!HOW_TO_DECRYPT!!!.txt or #HOW_TO_DECRYPT#.txt.

How to remove Erqw Ransomware and decrypt .erqw files

Erqw Ransomware is a type of malware that encrypts the victim's files and demands a ransom payment in exchange for the decryption key. It belongs to the STOP Ransomware family, which has been active since 2017; this particular version appeared at the beginning of February 2023. The malware typically spreads through phishing e-mails, malicious software downloads, or exploitation of vulnerabilities in the victim's computer or network. Once it infects a system, it encrypts the victim's files and adds the .erqw extension to their names. The attackers then demand a ransom payment, usually in cryptocurrency, in exchange for the decryption key; contact details and additional information are disclosed in the ransom note file (_readme.txt). Paying the ransom is not recommended: there is no guarantee that the attackers will actually provide a working decryption key, payment funds further criminal activity, and it may mark you as a target for future attacks. Instead, victims of Erqw Ransomware should focus on removing the malware from their systems and restoring their files from a backup if one exists. If you are unsure of how to do this, read this article from our team of IT professionals and cybersecurity experts.

How to remove Assm Ransomware and decrypt .assm files

The notorious STOP Ransomware continues to spread with minor modifications. Since the end of January 2023 a new extension has appeared: .assm. It encrypts victims' files in the same way as hundreds of its predecessors. Each STOP Ransomware version manages to infect tens of thousands of computers, and new versions appear several times a week. Alongside the encryptor, it distributes the AZORult trojan-stealer, which harvests confidential information: data from files, browser history, passwords, cookies, online banking credentials, cryptocurrency wallets, and more. The virus also modifies the Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts) to block Windows Update, antivirus vendors' sites, and security news sites, so that the victim cannot easily obtain updates or removal tools; the hosts file should therefore be inspected and cleaned as part of removal. This version of STOP Ransomware still uses the e-mail addresses support@freshmail.top and datarestorehelp@airmail.cc. Assm Ransomware creates the _readme.txt ransom note file.
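The hosts-file tampering described above is easy to check for without any vendor tooling. The following script is an added example written for this page, not code from the article or from any removal utility: it parses a hosts file, flags every public host name that has been pointed at a sink address (0.0.0.0, 127.0.0.1 or ::1), separates hits on a watchlist of security and update domains from other sinkholed names, and produces a cleaned copy. The watchlist, the default hosts path and the SAMPLE_HOSTS text are assumptions constructed for the example; the sample is not taken from a real STOP/Djvu infection.

```python
"""Find and remove hosts-file entries that sinkhole security sites.
Added example for this page; not code from the article."""
import os
from typing import Dict, List, Tuple

# A public name mapped to one of these addresses becomes unreachable.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Names that legitimately resolve to loopback; never flag these.
LEGIT_LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                     "ip6-localhost", "ip6-loopback"}

# Assumed watchlist of vendor/update domains (illustrative, not a list
# extracted from a STOP/Djvu sample). Matched on exact name or sub-domain.
SECURITY_DOMAINS = ("microsoft.com", "windowsupdate.com", "malwarebytes.com",
                    "eset.com", "kaspersky.com", "avast.com", "bitdefender.com",
                    "symantec.com", "norton.com", "sophos.com",
                    "bleepingcomputer.com")

# Constructed sample hosts file: two normal loopback lines, three
# sinkholed vendor names and one sinkholed internal name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 www.malwarebytes.com
0.0.0.0 windowsupdate.microsoft.com
0.0.0.0 eset.com
127.0.0.1 intranet.corp.example
"""


def parse_hosts(text: str) -> List[Tuple[str, str, int]]:
    """Return (address, hostname, line_no) for every active mapping."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        parts = line.split()
        if len(parts) < 2:
            continue
        for name in parts[1:]:
            entries.append((parts[0], name.lower(), line_no))
    return entries


def is_security_domain(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def find_sinkholed(text: str) -> Dict[str, List[dict]]:
    """Classify every public name pointed at a sink address."""
    report: Dict[str, List[dict]] = {"security_sinkholed": [], "other_sinkholed": []}
    for address, name, line_no in parse_hosts(text):
        if address not in SINK_ADDRESSES or name in LEGIT_LOCAL_NAMES:
            continue
        entry = {"line": line_no, "address": address, "host": name}
        bucket = "security_sinkholed" if is_security_domain(name) else "other_sinkholed"
        report[bucket].append(entry)
    return report


def clean_hosts(text: str) -> str:
    """Return the hosts text with every flagged line removed.
    Whole lines are dropped, so a line mixing a legitimate and a sinkholed
    name is removed too; comments and loopback entries are kept."""
    flagged = {e["line"] for bucket in find_sinkholed(text).values() for e in bucket}
    kept = [raw for no, raw in enumerate(text.splitlines(), 1) if no not in flagged]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Assumed default location of the Windows hosts file; override with HOSTS_PATH.
    path = os.environ.get("HOSTS_PATH", r"C:\Windows\System32\drivers\etc\hosts")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        print(f"{path} not readable; analysing the constructed sample instead")
        text = SAMPLE_HOSTS
    for bucket, entries in find_sinkholed(text).items():
        for e in entries:
            print(f"{bucket}: line {e['line']}: {e['address']} {e['host']}")
```

Run it as a normal user to read the file; writing the cleaned copy back requires an elevated shell. Any entry in other_sinkholed should be reviewed rather than deleted blindly, since administrators sometimes sinkhole names on purpose.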

How to remove Sickfile Ransomware and decrypt .sickfile files

Sickfile Ransomware is a malicious infection that uses strong encryption to hold victims' data hostage and blackmail them into paying for its decryption. If your files have acquired the new .sickfile extension and lost their icons, they have most likely been encrypted. The how_to_back_files.html file is where the cybercriminals then explain how to revert the effects of encryption, i.e., regain access to the data; the full text of the note is reproduced in the article. In short, the threat actors say decryption is possible if victims contact them and pay for their decryption software. Contact is to be made either through the attached link or through one of the given e-mail addresses. If victims fail to contact the cybercriminals within 72 hours, the price for decryption is said to rise. On top of that, the extortionists threaten to publish the data on public resources or sell it to third parties if no payment is eventually made.

How to remove Bitenc Ransomware and decrypt .bitenc files

Bitenc is a new file encryptor belonging to the Mallox ransomware family. Malware of this type is designed to encrypt victims' files and demand payment in exchange for the decryption key. Once Bitenc Ransomware infects a system, it scans for potentially valuable file types (documents, images, videos, etc.) and encrypts the targeted data. In addition, the virus appends its custom .bitenc extension: a file originally named 1.pdf becomes 1.pdf.bitenc and is no longer accessible. The new extension is added simply to mark the blocked data and make the effects of encryption visible to victims. Following successful encryption, the developers behind Bitenc Ransomware present their ransom demands in the FILE RECOVERY.txt text note, which is created on the victim's desktop.

How to remove Buddyransome Ransomware and decrypt .buddyransome files

Buddyransome is a ransomware virus that encrypts data. Cybercriminals use it to lock potentially important files and blackmail victims into paying for full decryption. Victims can see the malicious change once targeted files are altered with the new .buddyransome extension: a file like 1.pdf becomes 1.pdf.buddyransome and loses its original icon after successful encryption. After this, a text note containing decryption instructions (HOW_TO_RECOVERY_FILES.txt) is created. It tells victims that all of their significant data has been encrypted and is now at risk of being published online. To prevent this and decrypt the blocked data, the cybercriminals instruct victims to write an e-mail to buddyransome@aol.com and include the personal ID copied from the generated note. The threat actors are then expected to respond with the price for decryption and non-disclosure of the data and provide instructions on how to make the payment.

How to remove DeathOfShadow Ransomware and decrypt .Death_Of_Shadow files

DeathOfShadow is a ransomware virus that encrypts system-stored files (using a combination of the AES and RSA algorithms) and demands that victims pay money for decryption. During encryption it also assigns its own .Death_Of_Shadow extension to mark the blocked data; for instance, a file like 1.pdf becomes 1.pdf.Death_Of_Shadow and is no longer accessible. Once all targeted files have been locked, the virus creates a text note called (Malakot@protonmail.com).txt or (malakot@tutanota.com).txt, depending on which version of the ransomware attacked the system. The note is where the cybercriminals outline decryption instructions for their victims: in short, victims are told to contact the extortionists at the e-mail address given, after which they will supposedly receive further guidelines on how to pay and recover their files. As a rule, cybercriminals demand ransoms in cryptocurrency because it is hard to trace and convenient for receiving illicit proceeds. In addition, the threat actors offer to demonstrate their decryption capability: victims can send one non-valuable file of up to 10 MB and get it decrypted for free. The ransom note also warns that unless victims make contact within 48 hours, decryption of the files will no longer be possible.

How to remove Mztu Ransomware and decrypt .mztu files

If your files have become unavailable, acquired odd icons, and received the .mztu extension, your computer has been hit by Mztu Ransomware (also known as STOP Ransomware or Djvu Ransomware). This is an extremely dangerous and harmful encryption virus that encodes data on victims' computers and extorts a ransom equivalent to $490 or $960, payable in cryptocurrency to an anonymous electronic wallet. If you had no backups before the infection, there are only a few ways to recover your files, each with a low probability of success; they are nevertheless worth trying, and we describe them all in the following article. The article also reproduces the contents of the _readme.txt file, which security specialists call the "ransom note" and which serves as one of the symptoms of the infection. From this file, users learn about the technology behind the decryption, the price of the decryption, and the contact details of the authors of this piece of malware.
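Every entry above identifies its family by the same two symptoms: the renaming pattern applied to encrypted files and the name of the dropped ransom note. Before looking for a decryptor it helps to inventory a disk for exactly those indicators, so the following added example (written for this page, not code from the article or from any vendor tool) walks a directory tree and tallies files matching the extension patterns and note names given in the Nigra, Erqw/Assm/Mztu (STOP/Djvu), Sickfile, Bitenc, Buddyransome and DeathOfShadow descriptions. The SAMPLE_PATHS list is constructed for the example, and the Nigra note candidates are carried over as unconfirmed, exactly as the description above presents them. The script only identifies; it does not (and cannot) decrypt anything, and stripping the appended extension does not restore a file.

```python
"""Inventory a disk for the ransomware file-renaming and ransom-note
patterns described on this page.  Added example; not the article's code."""
import json
import os
import re
import sys
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Extension patterns taken from the descriptions above, anchored at end of name.
# Nigra: <name>.[<victim id>].[<attacker e-mail>].nigra
FAMILY_PATTERNS = {
    "Nigra (Sojusz)":  re.compile(r"\.\[[^\]\s]+\]\.\[[^\]\s]+\]\.nigra$", re.I),
    "STOP/Djvu":       re.compile(r"\.(erqw|assm|mztu)$", re.I),
    "Sickfile":        re.compile(r"\.sickfile$", re.I),
    "Bitenc (Mallox)": re.compile(r"\.bitenc$", re.I),
    "Buddyransome":    re.compile(r"\.buddyransome$", re.I),
    "DeathOfShadow":   re.compile(r"\.death_of_shadow$", re.I),
}

# Ransom-note file names from the descriptions above (compared lower-cased).
NOTE_NAMES = {
    "_readme.txt": "STOP/Djvu",
    "how_to_back_files.html": "Sickfile",
    "file recovery.txt": "Bitenc (Mallox)",
    "how_to_recovery_files.txt": "Buddyransome",
    "(malakot@protonmail.com).txt": "DeathOfShadow",
    "(malakot@tutanota.com).txt": "DeathOfShadow",
}
# Unconfirmed candidates for Nigra, as listed in the Nigra entry above.
for _candidate in ("-----readme_warning-----.txt", "#_readme-warning_#.txt",
                   "readme_warning_.txt", "!!!how_to_decrypt!!!.txt",
                   "#how_to_decrypt#.txt"):
    NOTE_NAMES[_candidate] = "Nigra (Sojusz) [unconfirmed note name]"

# Constructed sample of paths as they might appear on an infected machine.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.[9347652d51].[nigra@skiff.com].nigra",
    r"C:\Users\alice\Pictures\holiday.jpg.erqw",
    r"C:\Users\alice\Pictures\holiday2.jpg.mztu",
    r"C:\Users\alice\Desktop\_readme.txt",
    r"C:\Users\bob\1.pdf.bitenc",
    r"C:\Users\bob\FILE RECOVERY.txt",
    r"C:\Users\bob\2.pdf.Death_Of_Shadow",
    r"C:\Users\bob\(Malakot@protonmail.com).txt",
    r"C:\Users\bob\notes.txt",
    r"C:\Users\bob\assm_not_encrypted.doc",  # '.assm' is not the final extension
]


def basename(path: str) -> str:
    """Last path component for both Windows and POSIX separators, so a
    Windows-style path list can be triaged on a Linux analysis box."""
    return re.split(r"[\\/]", path)[-1]


def classify_file(name: str) -> Optional[str]:
    """Family whose renaming pattern matches this file name, else None."""
    for family, pattern in FAMILY_PATTERNS.items():
        if pattern.search(name):
            return family
    return None


def classify_note(name: str) -> Optional[str]:
    return NOTE_NAMES.get(name.lower())


def triage(paths: Iterable[str]) -> Dict[str, object]:
    """Tally encrypted files per family and collect ransom-note locations."""
    encrypted: Counter = Counter()
    notes: Dict[str, List[str]] = {}
    unclassified = 0
    for path in paths:
        name = basename(path)
        family = classify_file(name)
        if family:
            encrypted[family] += 1
            continue
        note_family = classify_note(name)
        if note_family:
            notes.setdefault(note_family, []).append(path)
        else:
            unclassified += 1
    return {"encrypted": dict(encrypted), "notes": notes, "unclassified": unclassified}


def scan_tree(root: str) -> Dict[str, object]:
    """Walk a directory (e.g. a mounted image of the victim disk) and triage it."""
    paths = [os.path.join(d, f) for d, _dirs, files in os.walk(root) for f in files]
    return triage(paths)


if __name__ == "__main__":
    result = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_PATHS)
    print(json.dumps(result, indent=2))
```

Point it at a mounted copy of the victim's disk rather than the live system, and treat a non-empty encrypted tally for STOP/Djvu as the cue to read _readme.txt for the victim ID before checking whether a public decryptor covers that variant.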