malwarebytes banner

Viruses

How to remove Babuck Locker Ransomware and decrypt .babyk or .babuk files

0
Discovered by a malware researcher named Glacius_, Babuk Locker (a.k.a. Vasa Locker, Babyk Locker, Babuk Locker) is a ransomware-type virus that targets commercial organizations including business ventures with turnovers equal to 4.000.000$. All because it demands a ransom of 60000-85000$ in BTC to be paid in exchange for the encrypted data. To make sure their victims are unable to decrypt them independently, cybercriminals use a combination of SHA252, ChaCha8, and ECDH algorithms to run secure encryption. Babuk Locker developers run extensive distribution campaigns to cover as many victims as possible. This is why users are also likely to witness other versions derived from Babuk Locker (e.g. Babyk, Vasa, etc). Depending on which version attacked the compromised network, victims will see different extensions applied to encrypted files. Normally, it is .__NIST_K571__; .babyk, or .babuk assigned to each data piece. For instance, a file like 1.pdf stored on a malware-affected device, will change its look to 1.pdf.__NIST_K571__, 1.pdf.babyk, or 1.pdf.babuk at the end of encryption. Then, as soon as this stage of infection is done, the virus creates a text note called "How To Restore Your Files.txt" to each folder with encrypted data.

How to remove Neflim Ransomware and decrypt .neflim or .f1 files

0
Neflim is a ransomware infection that encrypts data stored on the compromised devices. By doing so, cybercriminals have a good occasion to blackmail users into paying the so-called ransom. There are two forms of the Neflim virus known at the moment. First appends the .neflim extension, whilst another uses .f1 to rename the encrypted data. Some experts tend to classify these versions as separate ransomware infections, yet they are both parts of the common family. To illustrate how encrypted files are changed, let's take a look at the original 1.pdf data piece. At the end of encryption, it will change either to 1.pdf.neflim or 1.pdf.f1 depending on which versions captured your data. The same encryption pattern will be applied to the rest of the files stored on your device. As soon as all of the data appears under the lock of swindlers, victims have to read instructions on recovering data inside of the NEFLIM-DECRYPT.txt or f1-HELP.txt notes.

How to remove Hive Ransomware and decrypt .hive files

0
Hive is a malicious program classified as ransomware. Its main purpose lies in running file encryption to blackmail users into paying the ransom. This ransom is a certain amount required in exchange for the blocked data. Users can spot that their files have been encrypted by the change of their names. Specifically, victims are seeing a random string of characters along with the .hive extension assigned to each data piece. Such a change makes files encrypted, which declines access to them. To recover the lost access to data, users are instructed to follow the details stated inside of a text note called HOW_TO_DECRYPT.txt. Cybercriminals inform the affected victims that their network has been hijacked, which led to immediate data encryption. To decrypt the compromised files, victims have to contact extortionists via the link attached to the note and purchase the decryption software. The last thing written by cybercriminals is how to avoid irreversible data damage. They say it is forbidden to run any manipulations with your data, e.g. do not shut your PC intentionally, modify or change file names, use third-party software, and many other attempts to erase the encryption.

How to remove Poliex Ransomware and decrypt .poliex files

0
Poliex is a ransomware-type virus discovered by a malware hunter from South Korea known as dnwls0719. Likewise other infections of such type, Poliex does encrypt personal data to blackmail users into paying the ransom. Along with encrypting files by military-grade algorithms, the virus also appends the .poliex extension to each of the compromised pieces. To illustrate, a file named 1.pdf will experience a change to 1.pdf.poliex and drops its original icon at the end of encryption. Once such changes have been successfully applied, users will lose access to their data. Instructions on how to return it are stated inside of the README.txt note, which is created after encryption is done. There is not too much written by the developers, yet it is enough to understand what victims should do. As cybercriminals say, the decryption price is 500$. Right after this message extortionists attach their telegram address. To get involved in further conversations with swindlers, users should contact the frauds using the Telegram app. After establishing contact with them, victims will therefore get the necessary payment details to transfer the required amount of money. Unfortunately, there is little data on how cybercriminals behave themselves during private chat. They can offer to test free decryption of some files to elevate the trust of victims who hesitate on their trustworthiness.

How to remove 0xxx Ransomware and decrypt .0xxx files

0
0xxx is a ransomware infection that encrypts various data using AES+RSA algorithms on NAS devices (Western Digital My Book). This measure is done to force victims into paying the so-called ransom in exchange for the blocked data. Just like other malware of this type, 0xxx uses its own extension (.0xxx) to rename the data. For example, a file piece titled as 1.pdf will change its look to 1.pdf.0xxx after encryption. All of these changes indicate that your data is no longer accessible. In other words, there is no way to open it anymore. In order to fix it, victims are called into following ransom instructions inside of the !0XXX_DECRYPTION_README.TXT text note. This note is dropped into each folder containing encrypted files. It is said that victims can decrypt their data by paying a 300 USD ransom in Bitcoin. At first, users are instructed to contact cyber criminals via e-mail. It is necessary to include your unique ID along with 3 files to test free decryption. As soon as contact with cybercriminals becomes established, victims will get the payment details to perform a transfer of money. Although extortionists claim they have no intention to fool you, there have been multiple cases when users did not receive the decryption tools even after the payment.

How to remove Redeemer Ransomware and decrypt .redeem files

0
Before getting to the removal, it is worth knowing what Redeemer Ransomware actually is. It is classified as a file-encrypting virus that blocks access to data stored on a compromised system. In order to show whether it is encrypted or not, Redeemer developers append the .redeem extension to each of the files. For instance, a file like 1.pdf will change its look to 1.pdf.redeem and reset its original icon. The system will no longer be able to open the files whilst they are encrypted. To return control over your data, it is necessary to buy special decryption software along with a unique key. More detailed information on that can be located inside of the Read Me.TXT note, which is created after encryption is over. Just below the Redeemer logo drawn from numbers, cybercriminals ask users to pay 20 XMR (Monero) cryptocurrency, which is about 4000$ for the decryption of data. Once you will be ready to do so, the next step is to contact extortionists attaching your personal ID key via their e-mail address (test@test.test). This is necessary to obtain the payment address for committing a transfer. As soon as they receive your decryption ransom, you should be given the promised tools to recover your data.

How to remove Poteston Ransomware and decrypt .poteston files

0
Poteston is classified as a ransomware infection that runs encryption of databases, photos, documents, and other valuable data. The whole encryption process can be easily spotted by users looking at new extensions assigned to files. This virus involves the .poteston extension to rename the stored data. To illustrate, a file named 1.pdf will change its look to 1.pdf.poteston as a result of encryption. As soon as these changes are seen, victims will no longer be able to access the data. As soon as these changes are seen, victims will no longer be able to access the data. To restore it, users are given instructions inside of the readme.txt note. Within the note, victims are greeted with bad news - all data we mentioned above has been encrypted. To redeem it back, victims are instructed to contact cyber criminals using their e-mail address (recovery_Potes@firemail.de). After establishing contact with them, you will be supposedly given the necessary details to perform a money transfer. Before doing so, you are also offered to send one of the blocked files for free decryption. This is a trick used by many extortionists to elevate the trust of victims. In addition to that, Poteston developers also inform against renaming encrypted data as you can potentially damage its configuration.

How to remove MANSORY Ransomware and decrypt .MANSORY files

0
MANSORY is a ransomware infection that runs vigorous encryption on personal and business data. This process involves cryptographic algorithms along with the appendance of new extensions. MANSORY uses the .MANSORY extension to each file piece that has been restricted. For instance, a file like 1.pdf will be changed to 1.pdf.mansory. After experiencing such changes, the blocked files will be no longer accessible. In order to regain access to them, victims have to pay a certain ransom in money. More information on that is presented inside a text note called MANSORY-MESSAGE.txt, which is created after the encryption is done. The first thing cybercriminals say is that gigabytes of valuable data have been downloaded to a secure location. Extortionists use it as collateral for intimidating users with the publication of data in case they refuse to pay money. Victims have a right to know how much data has been uploaded after contacting the cybercriminals via e-mail (selawilsen2021@tutanota.com; dennisdqalih35@tutanota.com; josephpehrhart@protonmail.com). Therefore, they can analyze the value of data that leaked into the hands of extortionists. As we already mentioned, not contacting cybercriminals will result in the gradual publication of data that has been hijacked from your network. To avoid it, victims are required to purchase the decryption software stored by cyber criminals themselves. This will also allow you to unlock all of the blocked data. Besides that, developers of MANSORY Ransomware offer to try free decryption by sending 2 random files from other computers to their e-mail.