
Viruses

How to remove Btcware Ransomware and decrypt .btcware or .gryphon files

Btcware is a popular ransomware family that has produced a number of versions since 2017. The ransomware developed by this group of cybercriminals has evolved to use stronger and more secure algorithms. Because there are many versions of Btcware, several types of encryption have been seen over its lifetime. For example, older versions applied the old RC4 algorithm, while later samples moved to AES-192 and AES-256. The same goes for extensions: each version of Btcware uses a brand new extension different from the others. As is typical, once the encryption is done, the ransomware creates a text note file containing instructions to recover your data. The name of the note also depends on which version hit your system, but usually it is #_HOW_TO_FIX_!.hta or READ ME.txt. Inside this note, cybercriminals use clumsy introductions ostensibly meant to explain what happened. Then, they ask victims to contact them via the attached e-mail addresses. Once that is done, users receive a set of instructions to buy the decryption software. Some versions of Btcware require 0.5 BTC for data decryption. If you do not have the money to pay, there is a chance that extortionists will threaten you with permanent loss or abuse of your data. In most cases, files encrypted with AES algorithms are hard to decrypt unless you purchase the private key held by the cybercriminals themselves.

How to remove Ziggy Ransomware and decrypt .ziggy or .optimus files

Ziggy is a new ransomware infection recorded in December 2020. The virus sneaks into your system and disables all protection layers on your PC. Then, it encrypts data with the AES256-GCM and RSA-4096 algorithms. These ensure strong encryption, which is hard to decipher. Before going into details, it is important to note that there are two versions of Ziggy Ransomware. The first appends the .ziggy extension, along with the victim's ID and the cybercriminals' e-mail address, to encrypted files. The later version, detected recently, uses the same string of information but changes the extension at the end to .optimus. For example, a file like 1.docx would change to 1.docx.id=[88F54427].email=[khomeyni@yahooweb.co].ziggy or 1.docx.id[B68A285D].[sikbeker@tuta.io].optimus depending on which version affected your PC. Following successful encryption, the malicious program creates a text file containing decryption instructions. The name of the file can vary from version to version, so there is no single commonly used name, but initially it was called ## HOW TO DECRYPT ##.exe.

How to remove Matroska Ransomware and decrypt .happyness or .siliconegun@tutanota.com files

Matroska Ransomware is a malicious program aimed at data encryption. Matroska was active a couple of years ago until it went dormant. After some time, it started a series of new infections on users' PCs. While older samples of Matroska applied the .HUSTONWEHAVEAPROBLEM@KEEMAIL.ME, .happyness, .encrypted[Payfordecrypt@protonmail.com], and .nefartanulo@protonmail.com extensions to encrypted files, recent attacks of this ransomware used the new .siliconegun@tutanota.com extension. Depending on which version impacted your system, a file like 1.mp4 will change to 1.mp4.happyness or 1.mp4.siliconegun@tutanota.com at the end of encryption. Once this process is finished, the virus creates a text file (HOW_TO_RECOVER_ENCRYPTED_FILES) with decryption instructions. Like other ransomware infections, Matroska asks victims to pay a fee. The amount may vary from person to person; however, we do not recommend buying their software. Luckily, experts found that Dr.Web (leading antimalware software) is able to decrypt your data legitimately and risk-free. Before doing so, you have to make sure you have deleted Matroska Ransomware from your computer. Only then can you use third-party tools to recover the data. For more information on both removal and data decryption, follow the article below.

How to remove DearCry Ransomware and decrypt .crypt files

DearCry Ransomware is a dangerous virus that encrypts personal data. Such malware does everything to ensure that there is no way to decrypt the locked files. Knowing that, cybercriminals offer their own solution: to buy the decryption key stored on their servers. Because most users can find no way out of the trap, they agree to pay the ransom to recover the data. Unfortunately, this is a serious risk, as shown by multiple victims who did not receive the promised decryption. This is why it is better to delete DearCry Ransomware and reclaim your files via backup or data-recovery tools. If your files have been changed with the .crypt extension and a ransom note (readme.txt) has then been created, chances are you are infected with DearCry Ransomware.

How to remove JoJoCrypter Ransomware and decrypt .jojocrypt files

Developed on Node.js, JoJoCrypter is a malicious program that functions as a data encryptor. A thorough investigation conducted recently shows that it assigns the .jojocrypt extension to each of the files. To illustrate, a non-encrypted 1.mp4 will turn into 1.mp4.jojocrypt as a result of infection. It is also known that JoJoCrypter uses RSA-2048 and AES-192 algorithms to encrypt files. It also creates a short ransom note, how to recover your files.txt, with the following content. Unfortunately, decryption with third-party tools appears to be an impossible task. The encryption chains are too strong and flawless to crack. This is why the only option (apart from paying the ransom) is to recover your files using backup or data-recovery tools. Otherwise, you will be forced to pay for the keys offered by cybercriminals, as mentioned in the ransom note dropped on your PC after encryption. The swindlers do not use many words to describe what happened; instead, they attach their e-mail address to be contacted for further instructions.

How to remove Parasite Ransomware and decrypt .parasite, .betarasite or .paras1te files

Parasite is one of the newest ransomware samples detected by cyber experts in recent days. Like other malware of this type, Parasite encrypts personal data and demands money for the decryption. However, it was found that Parasite has a significant flaw: it encrypts data with the wrong cipher and overwrites data with 256 bytes. This means that all data encrypted by Parasite loses its value completely, simply because it gets replaced with empty space. For example, a Word file that weighs megabytes will shrink to a mere 256 bytes. Such a bug shows that Parasite is not able to decrypt your files, simply because they become damaged. Of course, the attackers claim to decrypt them in the HOW_CAN_GET_FILES_BACK.txt ransom note (alternatively @READ_ME_FILE_ENCRYPTED@.html or info.hta), which is created after encryption, but this claim does not make any sense given the flaw described above.

How to remove Perfection Ransomware and decrypt .perfection files

Perfection is a ransomware infection that uses RSA and AES algorithms to encrypt personal data. The purpose of such attacks is to capitalize on desperate victims willing to restore their files. To that end, the developers behind Perfection offer a paid decryption tool that is supposed to help you regain access to your data. Before that, however, Perfection Ransomware appends the .perfection extension to each of the files. For example, 1.mp4 will change to 1.mp4.perfection and so on. Then, once this process is done, extortionists create a number of identical browser files and place them into folders with encrypted data. The ransom note created by Perfection is known as Recovery_Instructions.html.

How to remove Assist Ransomware and decrypt .assist files

Using a set of cryptographic algorithms, Assist Ransomware encrypts personal data and demands money for its decryption. This practice is very common among ransomware infections, which do everything possible to leave desperate victims no choice. Because of the powerful ciphers applied by Assist, manual decryption becomes quite an arduous task. This is why cybercriminals offer to be contacted via the team-assist002@pm.me e-mail address for further instructions. This information is listed inside the note (ASSIST-README.txt) created after your data is locked completely. This version of the ransomware also marks encrypted files with the .assist extension. To illustrate, a file like 1.mp4 will become 1.mp4.assist after the encryption is done. As mentioned, the only possible method to get 100% decryption is with the help of the ransomware developers; however, this is not the best option, since they can fool you and not give you any software for restoring the data. We strongly insist on deleting Assist Ransomware from your computer to prevent further encryption, especially if you do not regret the lost data that much.