Friday, January 26, 2024

Cdcc (.cdcc) ransomware virus - removal and decryption options

What kind of malware is Cdcc?


Following a recent examination of malware samples submitted to VirusTotal, it has been established that Cdcc is associated with the Djvu ransomware family. Its main goal is to encrypt data, and it produces a ransom note ("_readme.txt") while adding the ".cdcc" extension to file names (for instance, transforming "1.jpg" into "1.jpg.cdcc", "2.png" into "2.png.cdcc", and so forth).

It should be noted that Djvu family variants are often disseminated in conjunction with information stealers like RedLine and Vidar.

Cdcc ransom note overview

The ransom note assures the victim that complete recovery of all files, encompassing pictures, databases, and crucial documents, is possible. The files have undergone encryption using strong algorithms and a distinctive key. The note asserts that the exclusive method for file restoration is through the acquisition of a decryption tool and key.

As a guarantee, the note presents an option for a complimentary decryption of one file, with the stipulation that the chosen file should not contain valuable information. The specified cost for obtaining the private key and decryption software is $1999, but a 50% discount is made available if contact is initiated within the initial 72 hours, thereby reducing the price to $999.

The note issues a caution that data restoration is unattainable without payment. In order to get the necessary tools, the victim is directed to reach out to the email address support@freshingmail.top or employ an alternative email address, datarestorehelpyou@airmail.cc.

More about ransomware

Victims are strongly advised to abstain from engaging in negotiations with ransomware attackers and to steer clear of making ransom payments. Regrettably, the chances of gaining free access to files are minimal unless third-party decryption tools are available or files have been backed up.

Additionally, victims should swiftly remove ransomware from compromised computers to thwart potential additional encryptions and prevent the further spread of the threat within a local network. Taking prompt action in this regard is essential to minimize the impact and halt the progression of the ransomware.

Ransomware in general

In summary, ransomware poses a significant threat. This malicious software encrypts files, compelling victims to pay for their decryption. To mitigate the impact of ransomware, individuals and organizations must adopt strong cybersecurity measures, including regular data backups and diligent preventive practices.

Some examples of different ransomware variants are PIRAT HACKER GROUP, CoV, and AeR.

How did ransomware infect my computer?

Threat actors utilize various techniques to distribute Djvu ransomware, such as pirated software, cracking tools, and key generators. Deceptive websites that falsely promise YouTube video downloads, along with emails containing harmful attachments or links, are additional channels through which users may unintentionally trigger ransomware on their systems.

Infections can also originate from interactions with malicious advertisements and acquiring files or programs from peer-to-peer (P2P) networks, torrent websites, third-party downloaders, and similar platforms. Using outdated software can also lead to computer infections.

How to protect yourself from ransomware infections?

Download software and files from trusted sources like official websites and authorized app stores. Be cautious when visiting questionable websites, especially those offering pirated software, cracking tools, key generators, and similar downloads. Always check the safety of email attachments or links before opening them.

Avoid clicking on ads and pop-ups on suspicious websites. Improve overall cybersecurity by installing reliable antivirus and anti-malware software, and keep the operating system, security tools and other installed software up to date. If your computer is already infected with Cdcc, read the Cdcc Removal Guide to remove the Cdcc file virus and attempt to decrypt your files.

There are currently two generations of Djvu ransomware: old and new. The old versions encrypted data with a hard-coded "offline key" whenever the infected machine had no internet connection or the attackers' server timed out or did not respond.

Because of that, some victims were able to decrypt their data with a tool developed by security researcher Michael Gillespie. The encryption mechanism was changed slightly in August 2019 (the "new" version), after which that decrypter stopped working and is no longer supported.

If your data was encrypted by an older version, you may be able to restore it with the later tool developed by Emsisoft and Michael Gillespie. It supports a total of 148 Djvu variants; more information, the download link and decryption instructions are on Emsisoft's official page.

Monday, January 15, 2024

Remove LPER Ransomware [Virus Removal Guide]

LPER is a file-encrypting ransomware infection that restricts access to data (documents, images, videos) by encrypting the files and appending the “.LPER” extension. It then tries to extort money from victims by demanding a “ransom”, paid in Bitcoin, in exchange for restoring access to the data.

When you are first infected with the LPER ransomware it will scan your computer for images, videos, and important productivity documents and files such as .doc, .docx, .xls, .pdf. When these files are detected, the ransomware will encrypt them and change their extension to “.LPER”, so that you are no longer able to open them.

Once the LPER ransomware has encrypted the files on your computer, it drops a “_readme.txt” file containing the ransom note and instructions on how to contact the authors. Victims are told to contact the malware developers at the support@fishmail.top and datarestorehelp@airmail.cc email addresses.

This is the ransom note that the LPER ransomware will show to its victims:

ATTENTION!

Don’t worry, you can return all your files!

All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-oTIha7SI4s

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that’s price for you is $490.

Please note that you’ll never restore your data without payment.

Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.


To get this software you need write on our e-mail:

support@fishmail.top

Reserve e-mail address to contact us:

datarestorehelp@airmail.cc


Here is a summary of the LPER ransomware:

Ransomware family: STOP/DJVU ransomware

Extensions: .LPER

Ransomware note: _readme.txt

Ransom: From $490 to $980 (in Bitcoins)

Contact: support@fishmail.top and datarestorehelp@airmail.cc emails

Symptoms: The images, videos, and other documents have the “.LPER” extension and cannot be opened by any programs

File recovery: Files encrypted by LPER with an online (per-victim) key cannot currently be decrypted without the attackers' key. Files encrypted with an offline key are the exception; see the Djvu decryptor notes elsewhere on this page. Decryption may become possible later if the keys are recovered from the criminals' servers, so if you do not plan to pay, make a full image of the encrypted drives so they can be decrypted in the future.

How did the LPER ransomware get on my computer?

The LPER ransomware is distributed via spam email containing infected attachments, fake software cracks, or by exploiting vulnerabilities in the operating system and installed programs.

Here’s how the LPER ransomware might get on your computer:

Spam emails: Cybercriminals spam out an email, with forged header information, tricking you into believing that it is from a shipping company like DHL or FedEx. The email tells you that they tried to deliver a package to you, but failed for some reason. Sometimes the emails claim to be notifications of a shipment you have made. Either way, you can’t resist being curious as to what the email is referring to – and open the attached file (or click on a link inside the email). And with that, your computer is infected with the LPER ransomware.

Be alert for people trying to trick you. Whether it’s your email, phone, messenger, or other applications, always be alert and on guard for someone trying to trick you into clicking on links or replying to messages. Remember that it’s easy to spoof phone numbers, so a familiar name or number doesn’t make messages more trustworthy.

Cracks and keygens: The LPER ransomware is also distributed through fake software cracks and key generators, and bundled with free programs downloaded from untrusted sites.

Avoid Peer-to-Peer (P2P) file-sharing programs, keygens, cracks and other pirated software; they routinely compromise your data, your privacy, or both.

Exploits: The LPER ransomware has also been observed reaching victims through vulnerabilities in programs installed on the computer or in the operating system itself. Commonly exploited software includes the operating system, browsers, Microsoft Office and third-party applications.

Keep your operating system and applications up to date. Whenever an update is released for your device, install it promptly; updates often contain security fixes and vulnerability patches.

Wednesday, January 10, 2024

Remove Cdtt Ransomware Virus (+Decrypt .Cdtt files)

After a recent analysis of malware samples uploaded to VirusTotal, it has been determined that Cdtt belongs to the Djvu ransomware family. Its primary objective is to encrypt data, and it generates a ransom note ("_readme.txt") while appending the ".cdtt" extension to filenames (e.g., it renames "1.jpg" to "1.jpg.cdtt", "2.png" to "2.png.cdtt", etc.).


It is crucial to highlight that Djvu family variants are frequently distributed alongside information stealers such as RedLine and Vidar.

Cdtt ransom note overview

The ransom note reassures the victim, claiming that they can recover all their files, including pictures, databases, and important documents. The files have been encrypted with robust encryption and a unique key. The note asserts that the only way to restore the files is by purchasing a decrypt tool and a personalized key.

It offers a free decryption of one file as a guarantee, with the condition that the file should not contain valuable information. The price for the private key and decryption software is stated as $1999, but a 50% discount is available if contacted within the initial 72 hours, reducing the price to $999.

The note warns that data restoration is impossible without payment. To obtain the software, the victim is instructed to contact the email address support@freshingmail.top or use another email address, 

Cdtt Ransomware Encryption process

The Cdtt ransomware encrypts files with the Salsa20 stream cipher. Salsa20 is a well-regarded cipher, not a weak one: its 256-bit key gives 2^256 (roughly 1.2 × 10^77, a 78-digit number) possible keys, so recovering a key by brute force is out of reach for any classical hardware. A quantum computer running Grover's algorithm would at best cut the work to about 2^128 operations, which is still hopeless in practice. The realistic weakness in a scheme like this lies in key handling rather than in the cipher: whether the key was generated offline (and is therefore shared across victims) or was obtained from the attackers' server (unique per victim).

The encryption routine works folder by folder. The malware scans each folder for the file types it targets; for each hit it makes a copy of the file, deletes the original, encrypts the copy and leaves it in place of the original. Working on a copy rather than rewriting the file in place avoids failures on files that are open or locked by another program under Windows. Each encrypted copy gets the ".cdtt" extension appended. The ransomware then writes a _readme.txt note into the folder where the encrypted files are located and moves on to the next folder.
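The rename scheme above (original name kept, ransomware suffix appended, a note per folder) is what an incident responder sees first. The following Python script is an added example, not code from the original page: it inventories a directory tree, recovers each pre-encryption filename by stripping the suffix, counts hits per folder and records where "_readme.txt" landed. It goes beyond the Cdtt case and accepts all of the extensions named on this page; the sample tree that build_sample_tree() creates is constructed for illustration.

```python
"""Impact triage for a STOP/Djvu-style extension rename (added example)."""
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "_readme.txt"
# Extensions appended by the variants described on this page.
DJVU_EXTENSIONS = (".cdcc", ".lper", ".cdtt", ".cdaz", ".isak")


def original_name(path, exts=DJVU_EXTENSIONS):
    """Strip the ransomware suffix; return None if the path carries none.

    Matching is case-insensitive because the page shows both ".LPER"
    and ".cdtt"-style suffixes.
    """
    lower = path.lower()
    for ext in exts:
        if lower.endswith(ext):
            return path[: -len(ext)]
    return None


def inventory(root, exts=DJVU_EXTENSIONS):
    """Walk `root` and return (encrypted, per_dir, note_dirs).

    encrypted: list of (encrypted_path, original_path)
    per_dir:   Counter of encrypted files keyed by directory
    note_dirs: set of directories that contain the ransom note
    """
    encrypted, per_dir, note_dirs = [], Counter(), set()
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                note_dirs.add(dirpath)
                continue
            orig = original_name(path, exts)
            if orig is not None:
                encrypted.append((path, orig))
                per_dir[dirpath] += 1
    return encrypted, per_dir, note_dirs


def build_sample_tree(root):
    """Constructed sample tree: the renames the page describes, one
    untouched file, and a note dropped at the top level as well."""
    pics = os.path.join(root, "Pictures")
    docs = os.path.join(root, "Documents")
    os.makedirs(pics)
    os.makedirs(docs)
    for name in ("1.jpg.cdtt", "2.png.cdtt", RANSOM_NOTE):
        with open(os.path.join(pics, name), "wb") as fh:
            fh.write(b"\x00")
    for name in ("budget.xlsx.cdtt", "todo.txt", RANSOM_NOTE):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00")
    with open(os.path.join(root, RANSOM_NOTE), "wb") as fh:
        fh.write(b"\x00")


def report(root, exts=DJVU_EXTENSIONS):
    """Human-readable summary of the inventory."""
    encrypted, per_dir, note_dirs = inventory(root, exts)
    lines = [f"{len(encrypted)} encrypted file(s) under {root}"]
    for d, n in sorted(per_dir.items()):
        lines.append(f"  {n:4d}  {d}")
    lines.append(f"{len(note_dirs)} folder(s) contain {RANSOM_NOTE}")
    return "\n".join(lines)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(report(tmp))
        for enc, orig in inventory(tmp)[0]:
            print(os.path.basename(enc), "->", os.path.basename(orig))
```

Run it against a real drive by calling inventory() or report() with the mount point instead of the temporary tree; the (encrypted, original) pairs are the list you hand to a decryptor later, so keep that output with the disk image.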

For more information, read: Remove Cdtt Ransomware

Saturday, January 6, 2024

Cdaz File Virus (Ransomware) Removal + Decrypt .Cdaz Files

The Cdaz virus is ransomware belonging to the STOP/Djvu family, which is known for its file-encryption campaigns. Once Cdaz gets into a system, it scans it for photos, videos, documents and other data, encrypts the content of each file and appends the “.cdaz” extension, leaving the files unusable without the decryption key.

About Cdaz virus

The Cdaz virus encrypts your files and demands payment for their restoration. It targets many file types; encrypted files can be recognized by the distinct “.cdaz” extension and can no longer be opened or used.

The ransomware then demands a decryption payment in Bitcoin, from $490 to $980 depending on how much time has passed since the attack. The text file with payment instructions is typically named “_readme.txt”.

Cdaz scrambles the contents of targeted files with the Salsa20 encryption algorithm. With a properly generated key this cipher cannot be broken, so recovering the key without the attackers' cooperation is, in the online-key case, practically impossible.

Once encryption is finished, the ransom note asks the victim to pay for the decryption key and explains how to contact the operators. The note may also threaten a price increase or loss of the data if the demands are not met within the stated deadline.

Cdaz uses a unique key for every victim, with one exception:

If Cdaz fails to reach its command and control (C&C) server before it starts encrypting, it falls back to an offline key. The offline key is not per-victim; it is the same for everyone hit by that variant while offline, so once that key has been recovered and added to a decryptor, every file encrypted with it can be decrypted.

The Cdaz virus is highly similar to other DJVU ransomware samples like Isak, Cdmx, Cdqw, and Lomx. This virus encrypts a wide range of common file types and appends its distinct “.cdaz” extension to all files. For instance, a file named “1.jpg” would be altered to “1.jpg.cdaz” and “2.png” to “2.png.cdaz“.

Upon successful encryption, the virus creates a special text file named “_readme.txt” and places it in every folder containing the encrypted files. It also adds the readme file to the desktop, so the victim will not miss its appearance even without opening folders.

Cdaz ransomware arrives as a set of operations that are needed to perform certain tasks on a victim’s computer. One of the initial ones being launched is winupdate.exe, a deceptive process that shows a fake Windows update notification during the attack. That is needed to convince the victim that a sudden computer slowdown is caused by a Windows update.

Meanwhile, the ransomware runs another process (usually named by four random characters) which starts scanning the PC for target files and encrypting them. Next, the ransomware deletes Volume Shadow Copies from the system by the following CMD command:

vssadmin.exe Delete Shadows /All /Quiet

With the shadow copies gone, rolling the system back through System Restore points or Previous Versions is no longer possible; the operators deliberately remove every built-in Windows route to free recovery. The malware also edits the Windows HOSTS file, adding a list of domains that resolve to the local host address. Requests to those sites never leave the machine, so the browser reports a connection error instead of loading the page.
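Both of those post-encryption steps leave host-based evidence that is easy to detect. The Python below is an added example, not code from the original page: it flags process-creation records whose command line deletes Volume Shadow Copies with vssadmin, and parses a HOSTS file for domains redirected to a local address. The log records and the HOSTS text are constructed for illustration (the process name "a1b2.exe" stands in for the four-random-character process the page describes, and the blocked domains are placeholders, not the real list).

```python
"""Detect shadow-copy deletion and HOSTS-file blocking (added example)."""
import re

# vssadmin[.exe] ... delete ... shadows, any case, any extra switches.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Addresses that keep a request on the local machine.
LOCAL_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                  "ip6-localhost", "ip6-loopback"}


def is_shadow_delete(cmdline):
    """True when the command line deletes shadow copies via vssadmin."""
    return bool(SHADOW_DELETE.search(cmdline))


def find_shadow_deletions(records):
    """records: iterable of dicts with 'image', 'parent' and 'cmdline'
    keys (the fields you would pull from a process-creation log such as
    Sysmon Event ID 1). Returns the offending records."""
    return [r for r in records if is_shadow_delete(r.get("cmdline", ""))]


def hosts_redirects(hosts_text):
    """Return {domain: ip} for HOSTS entries that map a non-loopback
    name to a local address. Comments and blank lines are ignored."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        if ip not in LOCAL_TARGETS:
            continue
        for name in names:
            if name.lower() not in LOOPBACK_NAMES:
                hits[name.lower()] = ip
    return hits


# Constructed sample records; paths and names are placeholders.
SAMPLE_RECORDS = [
    {"image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"image": r"C:\Users\victim\AppData\Local\a1b2\a1b2.exe",
     "parent": "a1b2.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"image": r"C:\Windows\System32\cmd.exe", "parent": "explorer.exe",
     "cmdline": "cmd /c VSSADMIN delete shadows /for=C: /all /quiet"},
    {"image": r"C:\Windows\System32\vssadmin.exe", "parent": "cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

# Constructed HOSTS content; the blocked domains are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0 help.example.com   # added by the malware (constructed)
0.0.0.0 guides.example.net
127.0.0.1 howto.example.org
"""

if __name__ == "__main__":
    for rec in find_shadow_deletions(SAMPLE_RECORDS):
        print("shadow copy deletion:", rec["parent"], "->", rec["cmdline"])
    for domain, ip in hosts_redirects(SAMPLE_HOSTS).items():
        print("HOSTS block:", domain, "->", ip)
```

On a live system the HOSTS file lives at %SystemRoot%\System32\drivers\etc\hosts; any domain the script lists that you did not add yourself is suspect, and the shadow-copy match is worth alerting on regardless of which family produced it.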

It has come to our attention that ransomware endeavors to block websites that publish various how-to guides for computer users. It is obvious that by limiting specific domains, the crooks are trying to prevent the victim from reaching relevant and helpful ransomware-attack-related information online. This malware also stores two text files on the victim’s computer that offer attack-related information – the victim’s public key and personal ID. These two files are named bowsakkdestx.txt and PersonalID.txt.
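The personal ID is the one artifact that tells a victim whether the offline-key exception described above applies. The Python below is an added example, not code from the original page: it pulls the ID from the "Your personal ID:" line of a _readme.txt note and from PersonalID.txt, checks that they agree, and applies the rule documented by Emsisoft for their STOP/Djvu decryptor, under which an ID ending in "t1" was generated with the offline key. That suffix rule comes from Emsisoft's documentation, not from this page; the IDs and note text used here are constructed placeholders.

```python
"""Offline vs. online key triage from _readme.txt and PersonalID.txt
(added example)."""
import re

# Djvu IDs are long alphanumeric strings; anything else is treated as
# malformed rather than guessed at.
ID_RE = re.compile(r"^[0-9A-Za-z]{20,}$")


def extract_note_id(note_text):
    """Return the ID that follows the 'Your personal ID:' line, skipping
    blank lines, or None when the note has no such line."""
    lines = [l.strip() for l in note_text.splitlines()]
    for i, line in enumerate(lines):
        if line.lower().startswith("your personal id"):
            for cand in lines[i + 1:]:
                if cand:
                    return cand
    return None


def read_personal_ids(text):
    """PersonalID.txt is read line by line so a file holding more than
    one ID (several runs on the same machine) is handled."""
    return [l.strip() for l in text.splitlines() if l.strip()]


def classify_id(pid):
    """'offline' for the Emsisoft-documented 't1' suffix, 'online'
    otherwise, 'malformed' when the string does not look like an ID."""
    if not ID_RE.match(pid):
        return "malformed"
    return "offline" if pid.endswith("t1") else "online"


def triage(note_text, personal_id_text):
    """Cross-check both sources and give a verdict per ID."""
    note_id = extract_note_id(note_text)
    file_ids = read_personal_ids(personal_id_text)
    return {
        "note_id": note_id,
        "file_ids": file_ids,
        "consistent": note_id is not None and note_id in file_ids,
        "verdicts": {pid: classify_id(pid) for pid in file_ids},
    }


# Constructed placeholder IDs (43 alphanumeric characters each).
OFFLINE_ID = "0123456789abcdef0123456789abcdef012345678t1"
ONLINE_ID = "fedcba9876543210fedcba9876543210fedcba98765"

SAMPLE_NOTE = (  # constructed, shaped like the note quoted on this page
    "ATTENTION!\n\nDon't worry, you can return all your files!\n"
    "...\nYour personal ID:\n\n" + OFFLINE_ID + "\n"
)
SAMPLE_PERSONAL_ID = OFFLINE_ID + "\n" + ONLINE_ID + "\n"

if __name__ == "__main__":
    result = triage(SAMPLE_NOTE, SAMPLE_PERSONAL_ID)
    print("note ID matches PersonalID.txt:", result["consistent"])
    for pid, verdict in result["verdicts"].items():
        print(pid, "->", verdict)
```

An "offline" verdict means the Emsisoft decryptor referenced earlier on this page is worth trying once the key for that variant has been added; an "online" verdict means the key exists only on the attackers' server, and the sensible move is to image the drive and wait.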

After all these modifications, the malware doesn’t cease. Variants of STOP/DJVU have a tendency to deploy Vidar password-stealing Trojan on compromised systems. This threat possesses an extensive list of capabilities, including:

  • Infiltrating the victim’s computer with malware and executing it to gain unauthorized access.
  • Obtaining unauthorized access to login credentials of Steam, Telegram, and Skype.
  • Manipulating and viewing files on the victim’s computer without their knowledge.
  • Stealing cryptocurrency wallets from the victim’s system.
  • Granting the hackers remote control over the victim’s computer for various malicious activities.
  • Extracting sensitive information such as browser cookies, saved passwords, and browsing history.

STOP/Djvu variants encrypt files with Salsa20 (as noted above) under a per-victim key. If your data was encrypted with an online key, the chances of getting the files back without paying are low: the key is unique to each victim and there is no practical way to search for it.

Obtaining the online key any other way is equally impractical, since it is held on a server controlled by the criminals who distribute Cdaz. They ask $980 for it and provide payment details only after the victim writes to them by email (support@fishmail.top).

The message by the ransomware states the following information:


ATTENTION!


Don't worry, you can return all your files!


All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.

The only method of recovering files is to purchase decrypt tool and unique key for you.

This software will decrypt all your encrypted files.

What guarantees you have?

You can send one of your encrypted file from your PC and we decrypt it for free.

But we can decrypt only 1 file for free. File must not contain valuable information.

You can get and look video overview decrypt tool:

https://we.tl/t-WJa63R98Ku

Price of private key and decrypt software is $980.

Discount 50% available if you contact us first 72 hours, that's price for you is $490.

Please note that you'll never restore your data without payment.

Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.

To get this software you need write on our e-mail:

support@fishmail.top

Reserve e-mail address to contact us:

datarestorehelp@airmail.cc

Your personal ID:

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

To Remove and Decrypt Cdaz virus Visit: 

Cdaz File Virus (Ransomware) Removal + Decrypt .Cdaz Files

Monday, January 1, 2024

Isak Ransomware (.Isak File) 🔐Decrypt & Removal Guide

Isak was identified while examining malware samples uploaded to VirusTotal and has been classified as a member of the Djvu ransomware family. Its primary function is file encryption; it also drops a ransom note named "_readme.txt" and renames encrypted files by appending the ".isak" extension, so "1.jpg" becomes "1.jpg.isak", "2.png" becomes "2.png.isak", and so on.

Given its ties to the Djvu family, Isak may well be delivered together with information-stealing malware such as RedLine or Vidar.

Overview of Isak ransom notes

The ransom note informs the victim that all files, including documents, databases and images, have been encrypted, and that recovering them requires buying a decryption tool and the matching key from the attackers. As a demonstration, the note offers to decrypt one file that contains no valuable information for free.

If the attackers are contacted within the first 72 hours, the full price of $980 is discounted by 50%, to $490. Contact is by email.

Additional information on ransomware

Without backups, or a working third-party decryptor, a ransomware victim has no way to recover files other than paying the attackers. Paying is strongly discouraged: there is no assurance that the criminals will deliver a working decryptor after payment.

Ransomware must be removed from infected devices quickly to stop further encryption and to keep it from spreading across the local network and damaging files on other connected computers.

How was my PC infected with ransomware?

Djvu ransomware is commonly picked up through key generators, cracking tools and pirated software. Scam websites that falsely offer YouTube video downloads are another common infection route, as are malicious attachments and links in emails.

In order to distribute ransomware, threat actors also use Trojan horses and P2P networks, third-party downloaders, and fraudulent software upgrades, along with false pop-ups and advertising.

To identify and get rid of harmful software, install a reputable antivirus or anti-malware program and make sure it gets updated on a regular basis. Update the operating system and applications to fix security flaws. When clicking on links or attachments in emails from unknown senders, proceed with caution.


Avoid using unofficial app stores and pirated software by only downloading files and software from reliable sources. Use security software to do routine malware scans to find and remove Isak Ransomware along with other potential dangers from the computer.