Category Ransomware

Articles about removing ransomware that blocks Windows or browsers and can encrypt your data and demand ransom.

How to remove Sage 2.2 Ransomware and decrypt .sage files

Sage 2.2 Ransomware is successor of Sage 2.0 Ransomware and Sage Ransomware based on CryLocker family. It was changed in terms of design of desktop background and payment pages. It also uses new filenames for instructions file and image file (!HELP_SOS.hta and !HELP_SOS.bmp). Virus still adds .sage file extension to encrypted files and uses Microsoft SAPI voice to read the message on your desktop aloud. This is done to create negative psychological effect. Latest version of this ransomware demands 0.17720 BTC or almost $1000 for decryption.

How to remove Bad Rabbit Ransomware and decrypt your files

Bad Rabbit is new wide-spread ransomware, that uses RSA-2048 and AES cryptography. It mostly targets enterprises in Eastern Europe. Security experts claim, that Bad Rabbit is related to previously distributed Petya и NotPetya viruses. Currently, several governmental institutions and banks were attacked by this virus in Russia, Ukraine, Turkey, Germany. Hackers demand ransom of 0.05 BTC (BitCoins), which is ~280$ and threaten to increase this amount if not paid within certain time gap. We strongly recommend not to send money, as in most cases malefactors do not send keys.

How to remove Ykcol Ransomware and decrypt .ykcol files

Ykcol is new ransomware virus from Locky ransomware family. It uses RSA-2048 and AES-128 cryptography to encrypt user data. After encryption ransomware appends .ykcol extension to all affected files and modifies filenames using certain pattern. Malware changes filenames to random combination of 36 letters with the following sequence: [8_random_letters]-[4_random_letters]-[4_random_letters]-[8_random_letters]-[12_random_letters].ykcol. Malefactors offer users to decrypt their files for 0.15 BTC (Bitcoins) or ~290$. As a rule, no decryption key is sent after the payment. Malware also creates 3 files: Ykcol.html, Ykcol_[4_digit_number].html, and Ykcol.bmp.

How to remove BTCWare Ransomware and decrypt .btcware, .cryptowin, .cryptobyte files

BTCWare Ransomware is a big family of ransomware, the successor of Crptxxx Ransomware. Latest versions of BTCWare use AES-192 encryption. This malware encrypts most types of documents, music, photos in user folders and adds various extensions to encrypted files. Originally it was .btcware suffix. Latest version use .cryptobyte, .cryptowin and .theva extensions.

How to remove Amnesia Ransomware and decrypt .amnesia, .@decrypt_files2017, and .TRMT files

Amnesia Ransomware is another ransomware virus, that encrypts documents, photos, music and other types of personal user files. Virus was written in Delphi programming language. Earlier versions of Amnesia use AES-256 encryption, latest versions use AES-128. After encryption most variants of Amnesia append .amnesia or .TRMT extensions to affected files.

How to remove WannaCry ransomware and decrypt .WNCRY files

WannaCry Ransomware new dangerous encrypting virus, that targets sensitive user files like documents, photos, videos, music and infected more then 250000 machines worldwide. Unfortunately, currently there are no way to restore your files, but there is no point to pay the ransom either, as malefactors never send the key. Threat developers earned more the $50000 in a few days since several hundreds of users paid the demanded amount. There is no information whether they received decryption service or not.

How to remove Spora ransomware and decrypt your files

Spora Ransomware is file encryption virus possibly originating in Russia. It encrypts user files, documents, photos, videos using RSA encryption. Spora does not rename encrypted files. During the process virus generates private key, that, in turn, encrypted with AES encryption. Spora Ransomware is complex infection and certain efforts needed to break it encryption. Currently antivirus companies are unable to find decryption key, and the only way to restore files infected by Spora is backup.

How to remove Shade Ransomware and decrypt .no_more_ransom files

Shade is a ransomware that is very similar to Wildfire, Hades Locker, CryptFIle2 (or CryptMix) and MarsJoke (or JokeFromMars). Once Shade ransomware has infected your computer, it encrypts various data. After finishing encrypting process, this ransomware adds .no_more_ransom extension (what an irony) to the name of all the encrypted files. It will create a text note named nomoreransom_note_original.txt / YourID.txt / hacked.txt in each folder with the encrypted data and on your desktop. There are two features of this ransomware that differs it from other ransomware programs. First, it's the fee for decrypting files. 30$ is rather smaller ransom in opposition to 500-1000$ (usually ransomware developers demand this amount of money).

How to remove PayDay ransomware and decrypt .sexy files

Payday is a ransomware based on HiddenTear source code and developed by Portuguese hackers. Payday derives its name from popular game of the same name. The purpose of the infection is to deny access to the personal data so it encrypts them using complex AES cipher. At the time of encryption, Payday appends the names of encrypted files with the .sexy extension. Although, the data encryption is a time-consuming process, the users usually don’t notice nothing suspicious. The whole procedure runs in stealth mode. Once encrypted, virus creates HTML file saving it on the desktop.