
How to Post a Topic Asking for Help With Ransomware



#1 xXToffeeXx

  • Malware Response Instructor
  • 6,088 posts

Posted 24 March 2016 - 12:12 PM

How to Post a Topic Asking for Help With Ransomware

 
Hello and welcome to the Bleeping Computer Ransomware Tech Support and Help forum.
 
If you are reading this article, then you are most likely looking for support with a ransomware infection on your or someone else's computer. Please follow these steps in order to provide information that we can use to identify the specific ransomware. For us to try and help you, the more information you provide the better.
 
Important information:

  • Please do not delete any files dropped by the ransomware. Removing these files will make it harder for us to identify what ransomware you have been hit with and we may not be able to help. If your antivirus has found an infection, please mention that in your topic.
  • Waiting for a reply does not guarantee that you will get a reply, as all members are volunteers and we may miss some topics.
  • Not every variant of ransomware is decryptable and if there is no other information about the ransomware then we may not be able to help other than providing information.

Before you perform the steps below, it is suggested that you first check to see if there already is an existing support topic for your ransomware infection in this...  

Since the list above is several years old, it is unlikely there is a topic which fits the ransomware which you were hit with. 

 

If you cannot find a topic for your specific ransomware which occurred AFTER 2016 then continue with STEPS 1-3 below for starting a new topic.

 

 
1 - Enable topic reply notification by default.

 

In order to be notified via email when your topic has a reply you need to enable topic notifications. To enable topic notifications you should do the following:

  • Click on this My Settings Link.
  • Click on Notification Options.
  • Put a checkmark in the checkbox labeled Watch every topic I reply to.
  • Set the If enabled, choose default notification type menu option to Immediate Notification to have an email sent immediately when someone replies.
  • Then scroll down a little bit and under Topics & Posts make sure that the Email checkbox is checked for the Notification method to use for topic replies and reply digests option.
  • Click on the Save Changes button.

 

2 - Create a new ransomware help topic

 

Now click on the following link to open a new browser window where you will create a new topic in the Ransomware Tech Support and Help forum:
 
Post a new ransomware help topic
 
In the new browser window you will see a screen that asks you to fill in various information: 
 
For the Topic Title please enter a description of your problem containing the extension the ransomware added, the files the ransomware drops or name of the ransom note. For example; if the ransomware changes the extension of files to .vvv or drops HELP_DECRYPT.txt to the desktop then put that in your title. We have found that those people who enter in specific and detailed info about the ransomware infection tend to receive the appropriate help quicker. 

 
The next part that you must fill out is the actual message of the post. The more you can tell us about a problem, the better and easier it will be to help you. In other words, "Help, my files are encrypted" will only result in the helper having to ask you questions to guess which ransomware encrypted your files. Instead in your first post, tell us as much as you can. For example, if you know what file caused the infection, or if a suspicious file is running, please mention that in your message. Inserting a picture (i.e. changed desktop, affected files, etc) into the body of the post or as an attachment can also be helpful.

 

Also, please submit (upload) samples of encrypted files, ransom notes and any contact email addresses provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomware which adds a prefix instead of an extension and more accurately identifies ransomware by filemarkers if applicable. Uploading both encrypted files and ransom notes together along with any email addresses provided gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.

 

Samples of any suspicious executables (installer, malicious files) that you suspect were involved in causing the infection can be submitted (uploaded) to VirusTotal and provide a link to the results...this is the safest way of sharing malware since only vetted researchers can access it. Doing that may be helpful with analyzing, investigating, identification of the ransomware and possibly finding a flaw which could be useful for decryption of encrypted data. Refer to my comments in this topic for the most common locations malicious executables are known to hide.
 

Now that all the information has been entered into the post, scroll down and click on the Post New Topic button to actually post your new topic to the forums.
 
3 - What to expect now that you have created your topic.

 

Now that your topic is posted, you should be patient and wait for someone to look at your topic in order to advise as to what you should do. Everyone who works on this site is a volunteer, and not everyone is familiar with ransomware topics, or may be looking for the same advice as you. Please be patient, we will try to reply to every topic asking for help, but sometimes it may take a couple of days to get a reply. As mentioned above, we may not be able to help.

 

4 - If you are just looking for information about preventing ransomware, please read:

 

Updated: 03/10/25


Edited by quietman7, 10 March 2025 - 07:25 AM.
Updated instructions

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

 

 ~Twitter~ | ~Malware Analyst at Emsisoft~
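
The details Step 2 asks for in the topic title (the extension the ransomware added and the name of the ransom note) can be collected with a read-only directory survey. The following Python sketch is an added example, not part of the original post and not a BleepingComputer tool; the function names, the extension lists and the `min_dirs` threshold are assumptions, and the sample tree is constructed from the post's own `.vvv` / `HELP_DECRYPT.txt` example. It only lists file names and never modifies or deletes anything.

```python
import os
import tempfile
from collections import Counter, defaultdict

# Assumption: ordinary extensions a user would expect to see on their own files.
KNOWN_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png", ".txt", ".zip"}
# Assumption: formats in which ransom notes are commonly written.
NOTE_EXTS = {".txt", ".htm", ".html", ".hta"}


def survey(root):
    """Read-only walk of root. Returns (appended, notes):
    appended - Counter of extensions found after a known one (report.docx.vvv -> .vvv)
    notes    - {file name: number of folders containing it} for note-like files."""
    appended = Counter()
    note_dirs = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            stem, ext = os.path.splitext(name)
            ext = ext.lower()
            inner = os.path.splitext(stem)[1].lower()
            if ext and ext not in KNOWN_EXTS and inner in KNOWN_EXTS:
                appended[ext] += 1          # unknown extension stacked on a normal one
            elif ext in NOTE_EXTS:
                note_dirs[name].add(dirpath)
    return appended, {n: len(d) for n, d in note_dirs.items()}


def draft_title(root, min_dirs=2):
    """Build a topic-title suggestion from the survey. A note-like file counts as a
    probable ransom note only if the same name appears in at least min_dirs folders."""
    appended, notes = survey(root)
    parts = []
    if appended:
        ext, count = appended.most_common(1)[0]
        parts.append(f"files renamed to {ext} ({count} found)")
    repeated = sorted(n for n, c in notes.items() if c >= min_dirs)
    if repeated:
        parts.append("ransom note " + ", ".join(repeated))
    if not parts:
        return "No appended extension or repeated note found"
    return "Ransomware: " + "; ".join(parts)


def make_sample(root):
    """Constructed sample tree of empty files, named after the post's example."""
    layout = {
        "Documents": ["report.docx.vvv", "budget.xlsx.vvv", "HELP_DECRYPT.txt"],
        "Pictures": ["cat.jpg.vvv", "HELP_DECRYPT.txt"],
        "Desktop": ["todo.txt", "HELP_DECRYPT.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_sample(tmp)
        print(draft_title(tmp))
```

Ransomware that adds a prefix instead of an extension, which the post notes ID Ransomware can identify, is outside what this sketch detects.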



 


#2 quietman7

  • Global Moderator
  • 65,330 posts

Posted 08 November 2023 - 05:46 PM

1. All assistance provided at Bleeping Computer is free of charge.
 
There is no requirement to make a donation or pay a fee. None of our volunteer staff or experts will contact you via PM or email asking for money in order to decrypt your files. That includes the download and use of any decryption tools created by our Security Colleagues. Unfortunately, scammers, data recovery services and sometimes even the malware developers have been known to visit our forums and occasionally post comments or contact victims in private in an attempt to get them to pay a fee or the ransom demands in order to decrypt their data. See Who is helping me with Ransomware Infection? (Post #3).
 
2. What we know about those who claim they can decrypt your data.
 
Bleeping Computer cannot vouch for those who claim they can decrypt data or help in other ways. We have no way of knowing the background, expertise and motives of all companies or individuals who indicate decryption is possible. We have no way of vetting whether a person has a true technical method of recovering files, is scamming users by just paying ransoms for the key, or are the ransomware operators themselves. For the same reason, members are discouraged from providing remote access to unknown individuals or to provide data that could potentially be stolen. We advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money or paying a fee to anyone.
 
While the individual or company may be legitimate, our experts have found that many who claim they can decrypt your files actually represent data recovery services which typically act as a "middleman"...they just pay the criminals...pretend they cracked the decryption and charge the victim more than the ransom demands, in many cases not telling them that is how they acquired the means of decryption. Other data recovery services hide the actual ransom cost from clients and/or mark the cost up exponentially as noted here.
 
A forum member posted here offering ransomware decryption services for a fee which was more than the ransom amount...when asked to provide specific details this person refused to provide any information. Another member posted here claiming to be with a company which could decrypt data...when asked to provide specific details as to who they were and how the service worked so we could confirm if the offer was legitimate, this person never responded to our inquiry. We do not know if those posing as members are scammers, criminals or individuals working with data recovery services attempting to promote their business.
 
Scammers reported here and here contacted unsuspecting victims via PM/emails promising decryption of data or offering proof they could decrypt a few files. After negotiating a price and collecting payment, these criminals wanted more money and in the end, scammed thousands of dollars but never decrypted the victims' data. Do not be victimized again by attempting to negotiate with such criminals in private communications.

 

Scammers have become so prolific that the site owner of Bleeping Computer has had to make this public announcement.

Ransomware victims should IGNORE, (not reply back, deal with or negotiate payments with) anyone who may contact them via Private Message (PM) on this forum or by email making claims they can decrypt your data. Any solicitation for donations or fees (in regards to decryption of ransomware) via email or PM should be reported to BC Moderators or Admin.
 

Ransomware victims should ignore all Internet web searches which provide numerous links to bogus and untrustworthy ransomware decryption and removal guides, including Facebook and YouTube videos, many of which falsely claim to have decryption solutions. After expert researchers write about new ransomware variants, junk articles with misinformation are quickly written in order to scare, goad or trick desperate victims into using or purchasing mostly sham removal and decryption software. Victims typically are directed to download a multitude of unnecessary and useless tools. In some cases, unsuspecting victims may actually be downloading a malicious file or fake decryptor that makes the situation even worse. Only use trusted sources when searching for information. Do not let yourself be victimized twice.

 

3. In regards to data recovery services specifically.
 
Some data recovery services operate more like scammers while others have been reported to make false claims to be able to decrypt data by ransomware which is not decryptable and charge an assessment fee. Infosec researcher Brett Callow of Emsisoft posed as a customer while contacting Fast Data Recovery, asking if the firm could decrypt encrypted files. The company responded with a standard auto-reply email indicating they had a proven track record of 100% ransomware data recovery, then followed up with another email.

At this point, Callow broke off contact with the firm [Fast Data Recovery], but the case smells similar to other companies claiming to be able to decrypt ransomware when all they do is act as a middleman, taking money on the pretense of "decrypting" ransomware, then paying the ransom and in turn banking a margin for doing so

Many data recovery services instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files with claims of 100% guaranteed success, collect the victim's money and either ask for more or end communications. The criminals behind creating and spreading ransomware do the same. Just because they can successfully decrypt a few files does not mean they can decrypt all files...in many cases decryption in bulk does not work.
Experts have identified Proven Data, Red Mosquito, MonsterCloud, Dr. Shifro and Fast Data Recovery as some of the most dishonest and predatory data recovery services.
 
Connecticut-based Coveware CEO Bill Siegel refers to such data recovery services as "ransomware payment mills".

These ransomware payment mills demonstrate how easily intermediaries can prey on the emotions of a ransomware victim. They advertise guaranteed decryption without having to pay the hacker. Although it might not be illegal to obfuscate how encrypted data is recovered, it is certainly dishonest and predatory.

In fact, many security experts have written about these data recovery services' predatory practice of deceiving victims and taking their money after falsely guaranteeing a decryption solution.

Others who offer to help may just be scammers who instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files, collect the victim's money and are never heard from again...many malware developers do the same. Some of these criminals, including data recovery reps, have been known to visit our forums, read through topics and post inviting comments in an attempt to entice victims to pay the ransom. These scammers have no intention or capability of decrypting files after the ransom is paid. Further, your personal and financial information are at risk when dealing with scammers.
 
We advise everyone to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money or paying a fee to anyone. 

 
4. Should you pay the Ransom?
 
If you are thinking about paying the ransom or negotiating with the ransomware developers, (which is not advisable) you may want to read Should you pay the ransom? (Post #17) first.
 

Ransomware Reality Shock: 92% Who Pay Don’t Get Their Data Back

Paying a ransom doesn't guarantee data recovery...According to the Sophos State of Ransomware 2021 report, the number of organizations deciding to pay a ransom has risen to 32% in 2021 compared to 26% last year. Here's the thing though, that same global survey discovered that only 8% of them got all their data back despite doing so.

Rather than paying a ransom, folks should focus on prevention and resilience beginning with addressing vulnerabilities, security awareness, data backup (redundancy) and building a strong cybersecurity strategy with layered protection as I explain here (Post #14 and #15).
 
If there were a free solution and decrypter available, we would post that information in these support topics and on the Bleeping Computer front page.
 
Again, we advise everyone to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money or paying a fee to anyone. 

 

5. WARNING: Promoting "ransomware recovery services" at Bleeping Computer is strictly prohibited
 
Promoting "ransomware recovery services" will lead to the banning of accounts and the removal of posts as noted here by the site owner (Lawrence Abrams).
 
Ransomware victims should IGNORE, (not reply back, deal with or negotiate payments with) anyone who may contact them via Private Message (PM) on this forum or by email making claims they can decrypt your data. Any solicitation for donations or fees (in regards to decryption of ransomware) via email or PM should be reported to BC Moderators or Admin.
 
Many of these scammers are associated with data recovery services which instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files with claims of 100% guaranteed success, collect the victim's money and either ask for more or end communications. The criminals behind creating and spreading ransomware do the same. Scammers typically will provide links to YouTube videos as further proof they can decrypt your data.
 
Do not let yourself be victimized twice.
 
Updated: 05/16/25


Edited by quietman7, 14 December 2025 - 03:10 PM.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief



#3 quietman7

  • Global Moderator
  • 65,330 posts

Posted 10 July 2024 - 05:22 AM

1. Who is helping me with Ransomware/Malware Infection?
 

As this is an open area, available for any member to post in, please use caution when following the advice given. Instructions from the following member groups/members can all be trusted:

Admin | Site Admin | Global Moderator | Moderator | Malware Study Hall Admin | Malware Response Instructor | Malware Response Team | BC Advisor

Other trusted helpers include Malware Study Hall Junior and Malware Study Hall Senior with "Member of the Bleeping Computer A.I.I. early response team!" in their signature, Security Developers and Security Colleagues.

 

Bleeping Computer Admin & Site Admins

Bleeping Computer Global Moderators
Bleeping Computer Moderators
Malware Response Instructors
Malware Study Hall Admins
Malware Response Team Members are all trained experts who have graduated from one of the various online UNITE Schools which include Bleeping Computer. MRT Members can assist victims with removing the malware responsible for the infection but they cannot help with decryption of your data.
 
Demonslay335 (Michael Gillespie) is a trusted Security Colleague (Expert), a ransomware researcher/analyst with the MalwareHunterTeam and our resident crypto malware expert. Michael Gillespie is also the creator of ID Ransomware (IDR), RansomNoteCleaner, CryptoSearch and numerous decryptor tools.

BloodDolly is a trusted Security Colleague and crypto malware expert who volunteers his time here to assist victims of ransomware infection. He has also created various decryption tools for some ransomware infections.
 
Fabian Wosar is a trusted Security Developer and the Chief Technology Officer for Emsisoft. He and his team research, analyze and investigate crypto malware as well as provide expert assistance to victims of ransomware infections. Fabian Wosar is often at the receiving end of hate from malware creators (see Fabiansomware: when hackers lose it) and at times has been forced into hiding from ransomware gangs.
 
rivitna (Andrey Zhdanov) is a trusted Security Colleague, a Chief Malware Analyst and Threat Hunter at the Group-IB DFIR Team, reverse engineer and APT researcher who volunteers his time here to assist victims of ransomware infection.
 
thyrex (Alex Svirid) is a trusted Security Colleague, expert and a Kaspersky Forum Moderator who also volunteers his time here to assist victims of ransomware infection. thyrex is also one of the foremost experts in regards to Xorist Ransomware.
 
Amigo-A (Andrew Ivanov) is a trusted Security Specialist and ransomware expert who volunteers his time here to assist victims of ransomware infection. He also maintains a very useful Coders Crypto-Ransomware Information Index Blog.

 

 

 

Note: In case your trusted helper asks you to download a specific tool or decryptor be aware of the following.

 

Most of the well known specialized tools and ransomware decrypters we use against malware are written by Security Experts/Security Colleagues at various security forums like Bleeping Computer, Malwarebytes, GeeksToGo and similar sites so they can be trusted...this includes any program hosted by Bleeping Computer for download. 
 
Unfortunately, many of these tools (or their embedded files) are falsely detected (false positive) by various anti-virus and security programs from time to time. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed, packed, or obfuscated to protect code, what behavior (routines, scripts, etc) it performs, unsigned/no certificate, any registry strings it may contain and the type of security program engine that was used during the scan. Other legitimate files which may be encrypted or password protected in order to conceal themselves so they do not allow access for scanning often trigger alerts by anti-virus/security software as well.

 

These detections do not necessarily mean the file is malicious or a bad program. It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Heuristics uses non-specific detection methods to find new or unknown malware which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected.
 
Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may incorrectly alert you of malware, block the file's download, automatically remove the file or keep the program from running properly. 
 
The problem is really with the anti-virus vendors who keep targeting these programs for various reasons and NOT with the tools themselves. We can inform the developers but they have encountered this issue many times before and in most cases there isn't much they can do about it. Once the detection is reported to the anti-virus vendor, they are usually quick to fix it by releasing an updated definition database.  

 
Either have your anti-virus or security program ignore the detection or temporarily disable it until you download and run the tool. Another option is to add the file to the anti-virus/security program's exclusion list.

 

Updated: 12/14/25


Edited by quietman7, 14 December 2025 - 12:03 PM.





