iolo WW

Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove GANDCRAB V5.0.5 Ransomware and decrypt .[5-6-7-8-9-random-letters] files

0
GandCrab V5.0.5 Ransomware is fifth generation of high-risk GandCrab Ransomware. Probably, this virus was developed in Russia. This crypto-extortor encrypts user and server data using the Salsa20 algorithm, and RSA-2048 is used for auxiliary key encryption. 5-th version appends .[5-random-letters] extension to encrypted files and creates ransom note called [5-random-letters]-DECRYPT.txt. Examples of ransom notes: VSVDV-DECRYPT.html, FBKDP-DECRYPT.html, IBAGX-DECRYPT.html, QIKKA-DECRYPT.html. GandCrab V5.0.5 Ransomware demands $800 ransom in BitCoins or DASH cryptocurrencies for decryption. However, often, malefactors deceive users and don't send keys. Thus, victim won't recover her/his files, but put credentials at risk on doubtful exchange of cryptocurrencies.

How to remove Minotaur Ransomware and decrypt .Lock files

0
Minotaur Ransomware is new type of ransomware, that encrypts user files and demands 0.125 Bitcoins for decryption. All files encrypted by Minotaur receive .Lock extension. According to security specialists, Minotaur Ransomware firstly attacks data on flash drives, and only then switches to local drives. Currently, there is no way to return captured files. If you have backups, you need to remove Minotaur Ransomware from your computer, make sure it is not active and restore from backups. Otherwise, you can make attempt to recover files using instructions below (restore points, previous versions of files, data recovery software). Please, remember, that by paying to racketeers, you put your credentials at risk. Often, after some time antivirus companies or individual enthusiasts break encryption algorithms amd release decryption tools. Of you won't succeed in restoring your files today, preserve important data for possible recovery in future.

How to remove STOP Ransomware and decrypt .KEYPASS, .WHY or .SAVEfiles files

0
In this article we descrbe third generation of STOP Ransomware, previous two versions were described by our team earlier. This variation was actively spreaded in August and September, 2018. Virus already attacked users from 25 countries including Brazil, Chile, Vietnam, USA, United Arab Emirates, Egypt, Algeria, Indonesia, India, Iran, Poland, Belarus, Ukraine. This variation uses uses symmetric and asymmetric cryptography and adds .KEYPASS, .WHY or .SAVEfiles extensions to the files after encryption. Intruders demand $300 ransom for decryption. They offer to decrypt up to 3 random files for free, to prove that decryption is possible. Hackers also warn, that if amount is not paid within 72 hours data restoration will be impossible.

How to remove Gamma Ransomware and decrypt .gamma files

0
Gamma Ransomware is file-encrypting virus, categorized as ransomware and belonging to Crysis-Dharma-Cezar family. This is one of the most widespread ransomware families. It got its name due to file extension it adds to encrypted files. Virus uses complex extenion that consists of e-mail adress and unique 8-digit identification number (randomly generated). Gamma Ransomware developers demand from 0.05 to 0.5 BTC (BitCoins) for decryption, but offer to decrypt 1 non-archived file for free. The file should be less than 1 Mb. We recommend you to recover 1 random file, as it can help fo possible decoding in future. Keep the pair of encrypted and decrypted samples. Currently, there is no decryption tools available for Gamma Ransomware, however, we recommend you to use instructions and tools below. Often, users remove copies and duplicates of docmunets, photos, videos - infection may not affect deleted files. Some of removed files can be restored by using file recovery software.

How to remove Dharma-Java Ransomware and decrypt .java files

0
Java Ransomware is extremely harmful file-encrypting virus, that belongs to the family of Dharma/Crysis ransomware. It adds .java extension to all encrypted files. Usually, this is complex suffix that contains unique id and e-mail. Java Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicios macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process.

How to remove Nozelesn Ransomware and decrypt .nozelesn files

0
Nozelesn Ransomware is new type of ransomware, that uses AES-128 encryption to encode user files. It appends .nozelesn extension to "in cipher" files. According ro researchers Nozelesn Ransomware firstly targeted Poland, but then expanded to other european countries. After successful encryption virus drops HOW_FIX_NOZELESN_FILES.htm file with ransom-demanding message on the desktop and in the folders with affected files. The price for decryption is 0.10 BitCoins, that is currently ~$650. Malefactors promise to send decryption key within 10 days. However, cybercrooks cannot be trusted as, according to our experience, oftne do not hold out promises not to put their encryption algorithm at risk. At the moment of writing this article there is no decryptors released, but we keep abreast of the situation.

How to remove JobCrypter Ransomware and decrypt .locked or .css files

0
JobCrypter Ransomware is crypto-virus ransomware based on Hidden Tear code. Virus adds .locked or .css extension sto encrypted files. This crypto-extortioner encrypts user data using 3DES, and then requires a redemption to return the files back. Judging by the text of the demand for the ransom, JobCrypter is focused only on French users. However, it is noteworthy that many infected JobCrypter PCs were in Lithuania. To remove the blocking of files, the affected party needs to pay a ransom of 300 euros from the PaySafeCard.

How to remove STOP Ransomware and decrypt .PAUSA, .CONTACTUS, .DATASTOP or .STOPDATA files

0
Updated version of STOP Ransomware ransomware appends .PAUSA, .CONTACTUS, .DATASTOP or .STOPDATA suffixes to encrypted files. Virus still uses RSA-1024 encryption algorithm. All versions, except .STOPDATA, demand $600 ransom in BTC (BitCoin cryptocurrency), last one offers decryption for $200. Still malefactors offer to decrypt from 1 to 3 files for free to prove, that decryption is possible. This can be used to attempt decoding in future. At the moment, unfortunately, the only way to restore your files is from backups.