How to remove RYUK Ransomware and decrypt .RYK or .rcrypted files
RYUK Ransomware is virulent ransomware threat, based on the code of Hermes 2.1 and BitPaymer viruses. Researchers believe, that famous Lazarus Group is responsible for the development and implementation of the virus. Latest variations of this virus append .RYK or .rcrypted extension to encrypted files. Hackers demand 15-50 BTC for decryption, which is great amount. RYUK Ransomware does not bypass UAC, requires permission to run, which means user granted access to the computer for virus executable file. Ransomware encrypts all files except ones in following folders: "Windows", "Mozilla", "Chrome", "RecycleBin", "Ahnlab". Before the onset of destructive activity, malware stops more than 180 services and 40 processes, by using taskkill and net stop commands. Stopped services and processes mainly belong to antivirus software, running databases, software for backup and editing documents that can prevent file encryption.
How to remove STOP Ransomware and decrypt .DATAWAIT, .INFOWAIT or .shadow files
This is fourth iteration of notorious STOP Ransomware, that was launched in November, 2018. Now it adds .DATAWAIT, .INFOWAIT or .shadow extensions to encrypted files. Virus uses new name for ransom note: !readme.txt. It pretends to be a Windows update and uses the TeamViewer resource. Ransomware still uses RSA-1024 encryption algorithm. Current version of STOP Ransomware was developed in Visual Studio 2017. This variation of STOP Ransomware demands $290 ransom for decryption. Malefactors offer 50% discount, if users pay in 72 hours. At the moment, there are no decryption tools availabe for STOP Ransomware.
How to remove STOP (Puma) Ransomware and decrypt .puma, .pumax or .pumas files
Puma Ransomware, that started to hit thousands of computers in November, 2018, is, actually, nothing but another variation of STOP Ransomware. Current version appends .puma, .pumax or .pumas extensions to encrypted files, and that is why it has such nickname. Virus uses the same name for ransom note file: !readme.txt. Developers tried to confuse ransomware identification services and users by adding new extensions, but using the same templates, code and other signs unequivocally indicate belonging to a certain family. As we see from the name of the executable: updatewin.exe, it pretends to be a Windows update. Puma (STOP) Ransomware still uses RSA-1024 encryption algorithm. Current version of Puma Ransomware was developed in Visual Studio 2017.
How to remove Everbe 2.0 Ransomware and decrypt .lightning or .neverdies@tutanota.com files
Everbe 2.0 Ransomware is second generation of wide-spread Everbe Ransomware. It is file-encryption virus, that encrypts user files using combination of AES (or DES) and RSA-2048 encryption algorithms and then extorts certain amount in BitCoins for decryption. The initial virus first appeared in March, 2018 and was very active since that time. Security researchers consider, that Everbe 2.0 Ransomware started its distribution on 4th of July 2018. Everbe 2.0 Ransomware authors demand from $300 to $1500 in BTC (BitCoins) for decryption, but offer to decrypt any 3 files for free. It is worth mentioning, that Everbe 2.0 Ransomware works only on Windows 64-bit versions of OS. Currently, there is no decryption tools available for Everbe 2.0 Ransomware, however, we recommend you to try using instructions and tools below.
How to remove GandCrab v5.0.4 Ransomware and decrypt .[random-letters] files
GandCrab V4 Ransomware fourth generation of notorious GandCrab Ransomware. Virus uses complex combination of AES-256 (CBC-mode), RSA-2048 and Salsa20 encryption algorithms. This particular version adds .KRAB extension to encrypted files and creates slightly different ransom note called KRAB-DECRYPT.txt. GandCrab V4 Ransomware demands ransom in BitCoins. Usually, it varies from $200 to $1000. Malware encrypts all types of files except ones in the whitelist and some necessary for Windows operation. All photos, documents, videos, databases get exncrypted after indection. Virus uses WMIC.exe shadowcopy delete command to remove shadow copies and reduce the chances of recovery. Unfortunately, at the moment we write this article, current decryption tools cannot decrypt GandCrab V4 Ransomware, but we will still provide links to this utilities as they can be updated any day.
How to remove Qweuirtksd Ransomware and decrypt .qweuirtksd files
Qweuirtksd Ransomware is dangerous ransomware-type virus, that encrypts user files using AES-128 cryptography algorithm and demands $500 ransom in Bitcoins for decryption. All files encrypted by this malware receive .qweuirtksd extension. In most cases, Qweuirtksd Ransomware is initiated after manual (or semi-automatic) hacking of the computer. Attacks are coming from IP adresses in Russia, and according to the information on BleepingComputer forum malefactors are russians. Hackers offer to negotiate to reduce ransom amount for private users. We do not recommend to pay the ransom and attempt restoring encrypted files with help of instructions on this page.
How to remove Dharma-AUDIT Ransomware and decrypt .AUDIT files
AUDIT Ransomware is yet another version of notorious ransomware virus from Crysis-Dharma-Cezar family. Now it adds .AUDIT extension to encrypted files (please, do not confuse with Nessus Pro's report files). This variation of ransomware currently doesn't have decryptor, however, we recommend you to try instructions below to recover affected files. Dharma-AUDIT Ransomware appends suffix, that consists of several parts, such as: unique user's id, developer's e-mail address and, finally, .AUDIT suffix, from which it got its name. The pattern of filename modification looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].AUDIT. According to our information, hackers demand $10000 ransom from the victims. Bad news are, that using cryptocurrency and TOR-hosted payment websites makes it almost impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. Unfortunately, manual or automatic decryption is impossible unless ransomware was developed with mistakes or has certain execution errors, flaws or vulnerabilities. We do not recommend to pay any money to malefactors. However, good news are, that often, after some period of time security specialists from antivirus companies or individual researchers decode the algorithms and release decryption keys or police finds servers and unveils the master keys.
How to remove CryptConsole 3 Ransomware and decrypt your files
CryptConsole 3 Ransomware is the successor of CryptConsole and CryptConsole 2 ransomware viruses. This crypto-extortionist encrypts data on servers and PCs using AES, and then requires a ransom of 0.14 BTC (or sometimes $50) to return files. Virus was created on C# for the Microsoft .NET Framework. The third generation of CryptConsole started spreading in June, 2018. Most of variations extort 50$. They offer to decrypt 1 file for free, but the overall cost will then increase on 50$. Mention that CryptConsole 1 and CryptConsole 2 can be decrypted with a tool developed by Michael Gillespie (download below). The third version is currently undecryptable. You can restore files form bacckups, but if you don't have backups, follow instructions below to attmempt restoring files using standard Windows featutes or using file-recovery software.