- November 12, 2020
- Posted by: administrator
- Category: Ransomware, Virus Removal Guide
Agho ransomware removal instructions
What is Agho ransomware?
Agho is the name of a malicious program, belonging to the Djvu ransomware family. It is designed to encrypt data and demand payment for the decryption tools/software. During the encryption process, all of the affected files are appended with the “.agho” extension. For example, a file originally named something like “1.jpg” would appear as “1.jpg.agho” – following encryption. After this process is complete, ransom notes – “_readme.txt” – are dropped into compromised folders.
The ransom-demanding message (“_readme.txt“) states that all of the victims files have been encrypted. To recover the data, the note informs users that they must purchase the decryption keys and tools from the cyber criminals behind the infection. The price of the recovery tools is stated to be $980. However, the ransom size can be reduced by 50% ($490) – by establishing contact with the criminals via email. Should no response arrive within 6 hours, victims are to check their “Spam/Junk” email folders. Prior to paying, decryption can be tested by attaching one encrypted file (which does not contain valuable information) to the emails. Unfortunately, in most cases of ransomware infections, decryption is impossible without interference of the cyber criminals responsible. It might be possible, if the malware is still in development and/or has significant flaws. Whatever the case, it is expressly advised against meeting the ransom demands. Since often, despite paying – victims do not receive the promised decryption keys/tools. Therefore, they experience financial loss and their data remains encrypted. To prevent Agho ransomware from further encryptions, it must be removed from the operating system. However, removal will not restore already compromised files. The only solution is recovering the data from a backup, if one was created prior to the infection and was stored in a separate location.
Screenshot of a message encouraging users to pay a ransom to decrypt their compromised data:
FUSION, Thcuhswza and Termit are a few examples of other ransomware-type programs. They operate by encrypting files and demanding ransoms for the decryption tools. There are several crucial differences between these programs/infections – the cryptographic algorithms they use (symmetric or asymmetric) and size of the demanded payment. To avoid permanent data loss, it is strongly recommended to keep backups in remote servers and/or unplugged storage devices. It is best to store backups in multiple different locations.
How did ransomware infect my computer?
|Threat Type||Ransomware, Crypto Virus, Files locker|
|Encrypted Files Extension||.agho|
|Ransom Demanding Message||_readme.txt|
|Ransom Amount||980 or 490 USD|
|Cyber Criminal Contactfirstname.lastname@example.org and email@example.com|
|Detection Names||AVG (FileRepMalware), BitDefender (Trojan.GenericKD.44410580), ESET-NOD32 (A Variant Of Win32/Kryptik.HHIK), Kaspersky (HEUR:Exploit.Win32.Shellcode.gen), Full List Of Detections (VirusTotal)|
|Symptoms||Cannot open files stored on your computer, previously functional files now have a different extension (for example, my.docx.locked). A ransom demand message is displayed on your desktop. Cyber criminals demand payment of a ransom (usually in bitcoins) to unlock your files.|
|Additional Information||This malware is designed to show a fake Windows Update window and modify the Windows “hosts” file to prevent users from accessing cyber security websites (more information below).|
|Distribution methods||Infected email attachments (macros), torrent websites, malicious ads, unofficial activation and updating tools.|
|Damage||All files are encrypted and cannot be opened without paying a ransom. Additional password-stealing trojans and malware infections can be installed together with a ransomware infection.|
|Malware Removal (Windows)||To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Malwarebytes.|
How to protect yourself from ransomware infections?
Suspicious and/or irrelevant emails should not be opened, especially any links or attachments found in them – as that can result is a serious system infection. All downloads must be done from official and verified sources. Additionally, programs must be activated and updated with tools/functions provided by legitimate developers. Illegal activation (“cracking”) tools and third party updaters are advised against use, since they are commonly employed to spread malware. To protect device integrity and user safety, it is paramount to have a dependable anti-virus/anti-spyware suite installed and kept updated. This software has to be used to run regular system scans and to remove detected/potential threats and issues. If your computer is already infected with Agho, we recommend running a scan with Malwarebytes for Windows to automatically eliminate this ransomware.
Text presented in Agho ransomware’s text file (“_readme.txt“):
Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.
To get this software you need write on our e-mail:
Reserve e-mail address to contact us:
Your personal ID:
Screenshot of files encrypted by Agho (“.agho” extension):
Screenshot of fake Windows update pop-up displayed during the encryption:
IMPORTANT NOTE! – As well as encrypting data, ransomware-type infections from the Djvu malware family also add a number of entries to the Windows “hosts” file. The entries contain URLs of various websites, most of which are related to malware removal. This is done to prevent users from accessing malware security websites and seeking help. Our website (PCrisk.com) is also on the list. Removing these entries, however, is simple – you can find detailed instructions in this article (note that, although the steps are shown in the Windows 10 environment, the process is virtually identical on all versions of the Microsoft Windows operating system).
Screenshot of websites added to Windows hosts file:
There are currently two versions of Djvu ransomware infections: old and new. The old versions were designed to encrypt data by using a hard-coded “offline key” whenever the infected machine had no internet connection or the server was timing out/not responding. Therefore, some victims were able to decrypt data using a tool developed by cyber security researcher, Michael Gillespie, however, since the encryption mechanism has been slightly changed (hence the new version, released in August, 2019), the decrypter no longer works and it is not supported anymore. If your data has been encrypted by an older version, you might be able to restore it with the another tool developed by Emsisoft and Michael Gillespie. It supports a total of 148 Djvu’s variants and you can find more information, as well as download link and decryption instructions in Emsisoft’s official page.
Screenshot of Djvu decryption tool by Emsisoft and Michael Gillespie:
Additionally, Emsisoft is now providing a service that allows to decrypt data (again, only if it was encrypted by Djvu variants released before August, 2019) for those victims who have a pair of the same file before and after the encryption. All victims have to do is upload a pair of original and encrypted file to Emsisoft’s Djvu decryption page and download the aforementioned decryption tool (the download link will be provided after uploading files). Note that the file processing may take some time so be patient. It is also worth mentioning that the system must have an Internet connection during the entire decryption process, otherwise it will fail.
Screenshot of Emsisoft’s Djvu decryption service page:
NOTE:: This article is copyright by pcrisk.com and we are using it for educational or Information purpose only