How to remove the Agho ransomware from your operating system?

Agho ransomware removal instructions

What is Agho ransomware?

Agho is the name of a malicious program, belonging to the Djvu ransomware family. It is designed to encrypt data and demand payment for the decryption tools/software. During the encryption process, all of the affected files are appended with the “.agho” extension. For example, a file originally named something like “1.jpg” would appear as “1.jpg.agho” – following encryption. After this process is complete, ransom notes – “_readme.txt” – are dropped into compromised folders.

The ransom-demanding message (“_readme.txt“) states that all of the victims files have been encrypted. To recover the data, the note informs users that they must purchase the decryption keys and tools from the cyber criminals behind the infection. The price of the recovery tools is stated to be $980. However, the ransom size can be reduced by 50% ($490) – by establishing contact with the criminals via email. Should no response arrive within 6 hours, victims are to check their “Spam/Junk” email folders. Prior to paying, decryption can be tested by attaching one encrypted file (which does not contain valuable information) to the emails. Unfortunately, in most cases of ransomware infections, decryption is impossible without interference of the cyber criminals responsible. It might be possible, if the malware is still in development and/or has significant flaws. Whatever the case, it is expressly advised against meeting the ransom demands. Since often, despite paying – victims do not receive the promised decryption keys/tools. Therefore, they experience financial loss and their data remains encrypted. To prevent Agho ransomware from further encryptions, it must be removed from the operating system. However, removal will not restore already compromised files. The only solution is recovering the data from a backup, if one was created prior to the infection and was stored in a separate location.

Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:

FUSION, Thcuhswza and Termit are a few examples of other ransomware-type programs. They operate by encrypting files and demanding ransoms for the decryption tools. There are several crucial differences between these programs/infections – the cryptographic algorithms they use (symmetric or asymmetric) and size of the demanded payment. To avoid permanent data loss, it is strongly recommended to keep backups in remote servers and/or unplugged storage devices. It is best to store backups in multiple different locations.

How did ransomware infect my computer?

Ransomware and other malware are mainly distributed via trojans, spam campaigns, illegal activation tools (“cracks”), illegitimate updaters and untrustworthy download sources. Trojans are malicious programs, some types of which are designed to cause chain infections (i.e. download/install additional malware). Scam emails are sent by the thousand during mass-scale operations – called “spam campaigns”. The deceptive letters contain download links of infectious files and/or the files are attached to the emails. Malicious files can be in different formats (e.g. PDF and Microsoft Office documents, archive and executable files, JavaScript, etc.) and when they are opened – the infection process is initiated. Rather than activate licensed programs, “cracking” tools can download/install malware. Fake updaters cause infections by abusing flaws of outdated programs and/or by simply installing malicious software, instead of the promised updates. Dubious download channels, e.g. unofficial and free file-hosting sites, Peer-to-Peer sharing networks and other third party downloaders – can offer malware for downloading, disguised as or bundled with ordinary content.

NameAgho virus
Threat TypeRansomware, Crypto Virus, Files locker
Encrypted Files Extension.agho
Ransom Demanding Message_readme.txt
Ransom Amount980 or 490 USD
Cyber Criminal Contacthelpmanager@mail.ch and restoremanager@airmail.cc
Detection NamesAVG (FileRepMalware), BitDefender (Trojan.GenericKD.44410580), ESET-NOD32 (A Variant Of Win32/Kryptik.HHIK), Kaspersky (HEUR:Exploit.Win32.Shellcode.gen), Full List Of Detections (VirusTotal)
SymptomsCannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.
Additional InformationThis malware is designed to show a fake Windows Update window and modify the Windows “hosts” file to prevent users from accessing cyber security websites (more information below).
Distribution methodsInfected email attachments (macros), torrent websites, malicious ads, unofficial activation and updating tools.
DamageAll files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.
Malware Removal (Windows)To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.

How to protect yourself from ransomware infections?

Suspicious and/or irrelevant emails should not be opened, especially any links or attachments found in them – as that can result is a serious system infection. All downloads must be done from official and verified sources. Additionally, programs must be activated and updated with tools/functions provided by legitimate developers. Illegal activation (“cracking”) tools and third party updaters are advised against use, since they are commonly employed to spread malware. To protect device integrity and user safety, it is paramount to have a dependable anti-virus/anti-spyware suite installed and kept updated. This software has to be used to run regular system scans and to remove detected/potential threats and issues. If your computer is already infected with Agho, we recommend running a scan with Malwarebytes for Windows to automatically eliminate this ransomware.

Text presented in Agho ransomware’s text file (“_readme.txt“):

ATTENTION!

Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
hxxps://we.tl/t-72VNKmoPkb
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.


To get this software you need write on our e-mail:
helpmanager@mail.ch

Reserve e-mail address to contact us:
restoremanager@airmail.cc

Your personal ID:

Screenshot of files encrypted by Agho (“.agho” extension):

Screenshot of fake Windows update pop-up displayed during the encryption:

IMPORTANT NOTE! – As well as encrypting data, ransomware-type infections from the Djvu malware family also add a number of entries to the Windows “hosts” file. The entries contain URLs of various websites, most of which are related to malware removal. This is done to prevent users from accessing malware security websites and seeking help. Our website (PCrisk.com) is also on the list. Removing these entries, however, is simple – you can find detailed instructions in this article (note that, although the steps are shown in the Windows 10 environment, the process is virtually identical on all versions of the Microsoft Windows operating system).

Screenshot of websites added to Windows hosts file:

There are currently two versions of Djvu ransomware infections: old and new. The old versions were designed to encrypt data by using a hard-coded “offline key” whenever the infected machine had no internet connection or the server was timing out/not responding. Therefore, some victims were able to decrypt data using a tool developed by cyber security researcher, Michael Gillespie, however, since the encryption mechanism has been slightly changed (hence the new version, released in August, 2019), the decrypter no longer works and it is not supported anymore. If your data has been encrypted by an older version, you might be able to restore it with the another tool developed by Emsisoft and Michael Gillespie. It supports a total of 148 Djvu’s variants and you can find more information, as well as download link and decryption instructions in Emsisoft’s official page.

Screenshot of Djvu decryption tool by Emsisoft and Michael Gillespie:

Additionally, Emsisoft is now providing a service that allows to decrypt data (again, only if it was encrypted by Djvu variants released before August, 2019) for those victims who have a pair of the same file before and after the encryption. All victims have to do is upload a pair of original and encrypted file to Emsisoft’s Djvu decryption page and download the aforementioned decryption tool (the download link will be provided after uploading files). Note that the file processing may take some time so be patient. It is also worth mentioning that the system must have an Internet connection during the entire decryption process, otherwise it will fail.

Screenshot of Emsisoft’s Djvu decryption service page:

NOTE:: This article  is copyright by  pcrisk.com  and we are using it  for educational or Information purpose only

The Best Ransomware Protection for 2020