
Tutorials

Useful tutorials on various PC troubleshooting topics. Video tutorials.

How to remove GarrantyDecrypt Ransomware and decrypt .bigbosshorse, .heronpiston or .horsedeal files

GarrantyDecrypt has cemented its position in the ransomware category and has already cost its victims a fair amount of nerves and money. Like other ransomware, it infiltrates your computer and runs encryption scripts that scan your device and apply an unbreakable cipher to each file. The first versions of this malware used the .garrantydecrypt, .decryptgarranty, .protected, .NOSTRO, .odin, .cosanostra, .cammora, .metan, .spyhunter, .tater and .zorin extensions. However, the encryption virus is constantly modified, and the suffixes change too. The most recent extensions used by GarrantyDecrypt Ransomware are .bigbosshorse, .heronpiston and .horsedeal. To illustrate, after encryption, 1.mp4 will be renamed to 1.mp4.bigbosshorse or given one of the other extensions mentioned above. Unfortunately, any manual attempts to unlock the data are futile. Once the encryption is finished, you will be presented with a ransom note created on the desktop, notifying you that your data has been blocked.

How to remove NEMTY Ransomware and decrypt .nemty files

The odds of getting hacked are escalating each day because of the wide distribution of malware and other social engineering tricks. NEMTY Ransomware is no exception: it was originally revealed in 2019 and revived with new force as NEMTY 2.5 REVENGE Ransomware in 2020. Like other types of ransomware, it is meant to encrypt files stored on the user's PC using the AES-256 encryption algorithm. However, the algorithm is implemented with a mistake and looks more like AES-128/192. It applies unbreakable encryption that restricts access to data such as .docx, .xlsx, .pptx, .mp3, .mp4, .png and other types of files. Once it has encrypted your data, the virus changes the file extension to .NEMTY. The most recent varieties use the more complex extension .NEMTY_XXXXXXX, where XXXXXXX is a random 7-character alphanumeric sequence. After the encryption process is finished, NEMTY leaves a note on the desktop notifying you that your data was encrypted and that the only way to recover it is by paying a ransom (approximately $1000).

How to fix Ss3svc32.exe popping up on startup

After the latest Windows 1903 update (KB4517211), users started facing the Ss3svc32.exe issue, which pops up on startup. It appears as a permission prompt with the following message: "Do you want to allow this app from an unknown publisher to make changes to your device?" As a result, most users are perplexed by this message, and a rumor has already spread that it is a virus trying to attack their computers. However, this is not a virus at all!

How to remove Dharma-Wiki Ransomware and decrypt .[bitlocker@foxmail.com].wiki files

Dharma-Wiki Ransomware is a file-encrypting type of malware designed to cost its victims money and nerves. It belongs to the notorious Dharma/Crysis Ransomware family. It changes file extensions to .id-{random-8-digit-alphanumerical-sequence}.[bitlocker@foxmail.com].wiki, and the files remain encrypted until a ransom is paid. After the blocking process is finished, it leaves a ransom note on your desktop notifying you that your data was successfully encrypted and that action is required. To decrypt your files, you have to contact the hackers via one of the methods presented in the note and pay a specific fee to get your files back. Fraudsters of this kind try to encrypt the most precious data stored on your PC, such as text documents, videos, images, and others. In other words, they gamble on the value of your data to push you into paying an equal exchange. Of course, the cybercriminals try to hurry you up by threatening that if you do not pay within 24 hours, they will raise the price. If you refuse to pay the ransom, they might also say that they will share your data with third parties who will misuse it. The ransom must be paid solely in Bitcoin cryptocurrency, apparently because of its secure blockchain technology. Unfortunately, so far there is no free tool that can remove the encryption from the files.

How to remove Paradise Ransomware and decrypt .paradise, .2ksys19, .p3rf0rm4 or .FC files

Paradise Ransomware is a file-encryption virus that encrypts the user's files using the RSA-1024 encryption algorithm. The latest versions of this threat append the .VACv2, .CORP or .xyz extensions. Previously, Paradise Ransomware used .paradise, .sell, .ransom, .logger, .prt and .b29. Of all variations, only the last one can be decrypted. The ransomware has many similarities with Dharma Ransomware, as it has a very similar design and uses similar patterns for file modifications. The authors of the virus offer an e-mail address for contacting them to negotiate decryption: admin@prt-decrypt.xyz. They demand several thousand dollars for decryption, which has to be paid in Bitcoin. It is also stated that 1-3 useless files can be decrypted for free as proof that decryption is possible. However, the malefactors cannot be trusted. Instead, we recommend that you try the instructions below to restore files encrypted by Paradise Ransomware.

How to remove Muhstik (QNAPCrypt) Ransomware and decrypt .muhstik files

Muhstik Ransomware is a nasty cipher virus that encrypts user data on QNAP NAS network drives using the AES-256 (CBC mode) + SHA256 algorithms, and then demands a ransom of 0.045 - 0.09 BTC (currently ~$700) to return the files. According to researchers, this program is not directly related to eCh0raix Ransomware, although there is a certain external similarity. After finishing the encryption procedure, the malware adds the .muhstik extension to affected files. The malware first checks the system language and does not start encryption on systems set to Russian, Belarusian or Ukrainian. At the moment, there is a public decryption tool available, called Emsisoft Decrypter for Muhstik. It is able to decrypt files encrypted by most versions of this virus. If it is unable to recover the data, full recovery is only possible with the help of backups.

How to remove Sodinokibi Ransomware and decrypt your files

Sodinokibi Ransomware (a.k.a. BlueBackground Ransomware or REvil Ransomware) is a disruptive cryptovirus that encrypts user data using the Salsa20 algorithm with an ECDH-based key exchange method, and then demands a ransom of around 0.475–0.950 BTC to return the files. For example, if the amount is set at $2500 and is not paid within 7 days, it doubles to $5000. It first appeared in April 2019. Inside the JSON configuration file is a list of 1079 domains. Sodinokibi establishes a connection with each domain on this list by generating a URL using a domain generation algorithm, although they are not Sodinokibi servers. Follow the detailed guide on this page to remove Sodinokibi Ransomware and decrypt your files in Windows 10, 8/8.1 and Windows 7.

How to remove CryptON Ransomware and decrypt .YOUR_LAST_CHANCE, _x3m or _locked files

CryptON Ransomware, also known as Nemesis Ransomware or X3M Ransomware, is one of the most dangerous and widespread ransomware families. Currently, there are multiple successors of the initial virus and several variants built on other platforms. Cry9, Cry36 and Cry128 Ransomware came from this series. The virus uses a mix of the AES-256, RSA-2048 and SHA-256 algorithms. The latest discovered version is actually called CryptON Ransomware and uses the .ransomed@india.com extension for affected files. The ransom demand ranges from 0.2 to 1 Bitcoin for decryption. It is not recommended to pay the ransom, as there is no guarantee the malefactors will send the decryption key. Use the instructions on this page to remove CryptON Ransomware and decrypt .ransomed@india.com, _x3m or _locked files on Windows 10, Windows 8 or Windows 7.