Ransomware removal

Ransomware

If you have been unfortunate enough to be hit by malware that demands payment to decrypt your files, I can help. Email ransomware@shaunoconnor.co.uk with your situation and I will reply with a cost for recovering your files remotely. Below are some of the ransomware families I have dealt with successfully in the past, without paying the culprits.

The fix comes in two parts: first remove the malware in its entirety, then decrypt your files. I can also show you how to back up in such a way that if you are ever hit again you never have to pay anyone (neither the bandits who wrote the malware nor someone like me to help you regain your data).

Virus Name / How to identify

Alpha
When this ransomware infects your computer it places its main executable at %APPDATA%\Windows\svchost.exe and creates an autorun entry called Microsoft. The autorun allows the encryption to continue if the computer is rebooted. The executable removes itself once it has finished encrypting the victim's data, so on a fully encrypted machine it may already be gone. (The legitimate svchost.exe lives in the Windows system directory; a copy under %APPDATA% is itself a tell.)

ApocalypseVM
Your files have been encrypted and renamed to *.encrypted or *.locked, with ransom notes named *.How_To_Decrypt.txt, *.README.txt or *.How_To_Get_Back.txt created for each encrypted file. The ransom note asks you to contact "decryptionservice@inbox.ru" or "decryptdata@inbox.ru" and contains a personal ID.

Apocalypse
Your files have been encrypted and renamed to *.encrypted, with ransom notes named *.How_To_Decrypt.txt created for each encrypted file. The ransom note asks you to contact "decryptionservice@mail.ru".

AutoLocky
Your files have been encrypted and renamed to *.locky, but the base file name is unchanged, and you find a ransom note named info.txt or info.html on your Desktop.

BadBlock
Your files have been encrypted but not renamed. The malware identifies itself as BadBlock both in its red ransom screen and in the ransom note "Help Decrypt.html" found on the Desktop.

Coinvault
Coinvault offers to decrypt one file for free, then demands 0.5 bitcoin to decrypt the rest, with the price increasing every 24 hours.

CrypBoss
CrypBoss is a ransomware family targeting Windows. Encrypted files are renamed to either *.crypt or *.R16M01D05. The malware drops ransom notes named HELP_DECRYPT.jpg or HELP_DECRYPT.txt into various locations on the system. The ransom notes instruct you to contact a @dr.com email address.

CryptoDefense
The malware identifies itself as CryptoDefense and leaves ransom notes named HOW_DECRYPT.txt behind.

CryptInfinite (DecryptorMax)
Your files have been encrypted and renamed to *.CRINF. CryptInfinite, also known as DecryptorMax, is a ransomware family targeting Windows. It creates ransom notes called ReadDecryptFilesHere.txt on your system and encrypts the following file types:
*.ACCDB, *.BAY, *.DBF, *.DER, *.DNG, *.DOCX, *.DXF, *.ERF, *.INDD, *.MEF, *.MRW, *.ODB,
*.ODP, *.PDD, *.PEF, *.PPTM, *.PSD, *.PTX, *.RAW, *.SRF, *.XLK, *.XLS, *.ach, *.aiff,
*.arw, *.asf, *.asx, *.avi, *.back, *.backup, *.bak, *.bin, *.blend, *.cdr, *.cer,
*.cpp, *.crt, *.crw, *.dat, *.dcr, *.dds, *.des, *.dit, *.doc, *.docm, *.dtd, *.dwg,
*.dxg, *.edb, *.eml, *.eps, *.fla, *.flac, *.flvv, *.gif, *.groups, *.hdd, *.hpp,
*.iif, *.java, *.kdc, *.key, *.kwm, *.log, *.lua, *.m2ts, *.max, *.mdb, *.mdf,
*.mkv, *.mov, *.mpeg, *.mpg, *.msg, *.ndf, *.nef, *.nrw, *.nvram, *.oab, *.obj,
*.odc, *.odm, *.ods, *.odt, *.ogg, *.orf, *.ost, *.pab, *.pas, *.pct, *.pdb, *.pdf,
*.pem, *.pfx, *.pif, *.png, *.pps, *.ppt, *.pptx, *.prf, *.pst, *.pwm, *.qba, *.qbb,
*.qbm, *.qbr, *.qbw, *.qbx, *.qby, *.qcow, *.qcow2, *.qed, *.raf, *.rtf, *.rvt,
*.rwl, *.safe, *.sav, *.sql, *.srt, *.srw, *.stm, *.svg, *.swf, *.tex, *.tga, *.thm,
*.tlg, *.vbox, *.vdi, *.vhd, *.vhdx, *.vmdk, *.vmsd, *.vmx, *.vmxf, *.vob,
*.wav, *.wma, *.wmv, *.wpd, *.wps, *.xlr, *.xlsb, *.xlsm, *.xlsx, *.yuv, *.JPEG, *.jpe,
*.jpg

DMALocker
Your files have been encrypted but not renamed. The malware identifies itself as DMA Locker and the ID is "DMALOCK 41:55:16:13:51:76:67:99".

DMALocker2
Your files have been encrypted but not renamed. The malware identifies itself as DMA Locker and the ID is "DMALOCK 43:41:90:35:25:13:61:92".

Gomasom
Your files have been encrypted and renamed to *.crypt, and the file name contains an email address to contact.

Harasom
Your files have been converted into *.html files and the ransom note pretends to originate either from Spamhaus or from the US Department of Justice.

HydraCrypt
Your files have been encrypted and renamed to either *.hydracrypt* or *.umbrecrypt*.

KeyBTC
You find a ransom note called DECRYPT_YOUR_FILES.txt on your system that asks you to contact keybtc@inbox.com for decryption.

Jigsaw
When the Jigsaw ransomware is launched it scans your drives for certain file extensions, encrypts those files using AES, and appends a .FUN, .KKK or .BTC extension to the file name depending on the version.

LeChiffre
Your files have been encrypted and renamed to *.LeChiffre, and the ransom note asks you to contact decrypt.my.files@gmail.com via email.

NanoLocker
NanoLocker is distributed as an email attachment which, when opened, displays a fake PDF error. In reality the program is by then running silently in the background, scanning your drives for data to encrypt. When it finds a targeted data file it encrypts it using AES and adds the file name and its path to the %LocalAppData%\lansrv.ini file.

Nemucod
Your files have been renamed to *.crypted and you find a ransom note named DECRYPT.txt on your Desktop.

PClock
Your files have been encrypted with no change in file extension, the malware identifies itself as "CryptoLocker", and you find an "enc_files.txt" in your user profile directory.

PClock2
PClock2 usually enters the user's system via infected torrent downloads.

Petya
Petya is a little different from other forms of ransomware in that it does not settle for encrypting files: it infects the system's MBR so that its own code runs at start-up, before Windows loads.

Radamant
Your files have been encrypted and renamed to either *.rdm or *.rrk.

Rector
Cybercriminals use Trojan-Ransom.Win32.Rector to disrupt the normal operation of computers and to modify data without authorisation, making it unusable. Once the data has been "taken hostage" (blocked), its owner receives a ransom demand.

Scraper
The malicious program Trojan-Ransom.Win32.Scraper encrypts user files to block access to them. After the data has been blocked, the user is required to pay a ransom.

Xorist
Your files have been encrypted by the Xorist ransomware. Typical extensions used by Xorist include *.EnCiPhErEd, *.0JELvV, *.p5tkjw, *.6FKR8d, *.UslJ6m, *.n1wLp0, *.5vypSa and *.YNhlv1. The ransom note can usually be found on the Desktop with the name "HOW TO DECRYPT FILES.txt".

777
Your files have been encrypted and renamed to *.777.
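The identification column above is essentially a table of file-name indicators, and it can be checked mechanically against a file listing taken from the affected machine (for example the output of `dir /s /b`). The Python script below is an added example, not the page author's tooling: its indicator table is transcribed from the entries above (file-name and ransom-note patterns only), the %APPDATA% and %LocalAppData% expansions it assumes are the Windows defaults, and the sample listing is constructed. It reports every family whose indicators are present rather than picking one, because several families share indicators (Apocalypse and ApocalypseVM both use *.encrypted and *.How_To_Decrypt.txt; CrypBoss and Gomasom both use *.crypt) and only the ransom note's contact address or ID separates them.

```python
"""Triage a file listing against the identification indicators on this page.
Added example, not the page author's tooling; the indicator table is
transcribed from the page and the sample listing below is constructed."""
import fnmatch
from collections import defaultdict

# (family, kind, glob): "ext" matches an encrypted file's name, "note" a
# ransom-note name, "path" the full path of a dropped file. Case-insensitive.
# Assumes the Windows defaults %APPDATA% = ...\AppData\Roaming and
# %LocalAppData% = ...\AppData\Local. Families that do not rename files
# (BadBlock, DMALocker, PClock) can only be recognised here by their notes.
INDICATORS = [
    ("Alpha",         "path", "*/AppData/Roaming/Windows/svchost.exe"),
    ("ApocalypseVM",  "ext",  "*.encrypted"),
    ("ApocalypseVM",  "ext",  "*.locked"),
    ("ApocalypseVM",  "note", "*.How_To_Decrypt.txt"),
    ("ApocalypseVM",  "note", "*.README.txt"),
    ("ApocalypseVM",  "note", "*.How_To_Get_Back.txt"),
    ("Apocalypse",    "ext",  "*.encrypted"),
    ("Apocalypse",    "note", "*.How_To_Decrypt.txt"),
    ("AutoLocky",     "ext",  "*.locky"),
    ("AutoLocky",     "note", "info.txt"),
    ("AutoLocky",     "note", "info.html"),
    ("BadBlock",      "note", "Help Decrypt.html"),
    ("CrypBoss",      "ext",  "*.crypt"),
    ("CrypBoss",      "ext",  "*.R16M01D05"),
    ("CrypBoss",      "note", "HELP_DECRYPT.jpg"),
    ("CrypBoss",      "note", "HELP_DECRYPT.txt"),
    ("CryptoDefense", "note", "HOW_DECRYPT.txt"),
    ("CryptInfinite", "ext",  "*.CRINF"),
    ("CryptInfinite", "note", "ReadDecryptFilesHere.txt"),
    ("Gomasom",       "ext",  "*.crypt"),
    ("HydraCrypt",    "ext",  "*.hydracrypt*"),
    ("HydraCrypt",    "ext",  "*.umbrecrypt*"),
    ("KeyBTC",        "note", "DECRYPT_YOUR_FILES.txt"),
    ("Jigsaw",        "ext",  "*.fun"),
    ("Jigsaw",        "ext",  "*.kkk"),
    ("Jigsaw",        "ext",  "*.btc"),
    ("LeChiffre",     "ext",  "*.LeChiffre"),
    ("NanoLocker",    "path", "*/AppData/Local/lansrv.ini"),
    ("Nemucod",       "ext",  "*.crypted"),
    ("Nemucod",       "note", "DECRYPT.txt"),
    ("PClock",        "note", "enc_files.txt"),
    ("Radamant",      "ext",  "*.rdm"),
    ("Radamant",      "ext",  "*.rrk"),
    ("Xorist",        "note", "HOW TO DECRYPT FILES.txt"),
    ("777",           "ext",  "*.777"),
]


def _basename(path):
    """File name component, accepting either path separator."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_indicators(paths):
    """Return {family: {(kind, glob): first matching path}} for a listing."""
    hits = defaultdict(dict)
    for path in paths:
        full = path.replace("\\", "/").lower()
        name = _basename(full)
        for family, kind, glob in INDICATORS:
            if (kind, glob) in hits[family]:
                continue  # one example path per indicator is enough
            subject = full if kind == "path" else name
            if fnmatch.fnmatchcase(subject, glob.lower()):
                hits[family][(kind, glob)] = path
    return {f: h for f, h in hits.items() if h}


def rank_families(paths):
    """Candidates as (family, matched, total), best fit first: more matched
    indicators, then a larger share of the family's indicators, then name.
    Apocalypse (2 of 2 present) thus outranks ApocalypseVM (the same 2 of 5),
    but both are reported; only the note contents separate them."""
    totals = defaultdict(int)
    for family, _, _ in INDICATORS:
        totals[family] += 1
    return sorted(
        ((f, len(h), totals[f]) for f, h in match_indicators(paths).items()),
        key=lambda t: (-t[1], -t[1] / t[2], t[0]),
    )


# Constructed listing from a machine showing Apocalypse-style artefacts.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.encrypted",
    r"C:\Users\alice\Documents\budget.xlsx.How_To_Decrypt.txt",
    r"C:\Users\alice\Pictures\holiday.jpg.encrypted",
    r"C:\Users\alice\Pictures\holiday.jpg.How_To_Decrypt.txt",
    r"C:\Users\alice\Desktop\todo.docx",
]

if __name__ == "__main__":
    for family, matched, total in rank_families(SAMPLE_LISTING):
        print(f"{family}: {matched}/{total} indicators matched")
        for (kind, glob), path in match_indicators(SAMPLE_LISTING)[family].items():
            print(f"  {kind:4} {glob} -> {path}")
```

Two caveats when using it. A listing is evidence of what is on disk now, not of what ran: Alpha deletes its own executable after encryption, so its %APPDATA%\Windows\svchost.exe indicator is absent on a machine that has already been fully encrypted, and an autorun entry named Microsoft must be checked in the registry separately. And the ranking is only as good as the listing; scan the whole volume, including every user profile and the Desktop, since several of the notes above are dropped there rather than beside the encrypted files.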