How to remove Agho ransomware

Agho ransomware belongs to the Djvu/STOP ransomware family, which is responsible for hundreds of already released ransomware versions. This version adds the .agho file extension, hence the name Agho ransomware. Drops the typical _readme.txt ransom note.


Agho ransom note

Agho ransomware is fire-encrypting malware that comes from the notorious Djvu/STOP ransomware family. It’s a dangerous malware infection that will leave files encrypted with no way of being opened as they are. To open them, users would first need to decrypt them using the special decryptor. But getting it is not so easy. Cyber crooks behind this ransomware will try to sell the decryptor to victims for $980 (or $490 if victims make contact within 72 hours). However, the thing about paying the ransom is that there are no guarantees that a decryptor will be sent to those who pay. Many users have paid the ransom in the past, and certainly not all of them received the decryptor. In addition, the more users pay the ransom because they don’t have backup, the more encouraged ransomware developers/distributors will be to continue their malicious activities.

Users who have backup are currently the only ones who can recover files for free. All they need to do is remove Agho ransomware from their computers and they can then access their backup to start file recovery. For everyone else, waiting for malware researchers to develop a free decryptor is likely the only option. A free decryptor is available for older Djvu/STOP ransomware versions but it will not work for Agho because it uses online keys to encrypt users’ files. That means that the key is unique to each victim, and without those keys a free decryptor cannot be developed. There is a chance that the ransomware gang themselves will release the keys, or they may be caught by law enforcement, which could allow researchers to create a free decryptor. However small the chance of a free decryptor is, users should still back up those encrypted files and wait for a potential solution.

If a decryptor was to be released, it would appear on NoMoreRansom, and would likely be released by Emsisoft, other anti-virus vendors or malware researchers. Questionable forums may advertise fake decryptors that could be hiding malware, so users should be very careful about what they download.

How do users infect their computers with ransomware?

Users are encouraged to develop better browsing habits precisely because bad habits usually lead to some kind of malware infection, often ransomware. Bad habits include opening unknown email attachments, using torrents to pirate various copyrighted content, and clicking on questionable links.

Email is one of the easiest ways to distributed ransomware, so this method is often used by malware spreaders. Malicious parties purchase email addresses from various hacking forums and then proceed to spam those addresses with malware emails. The good thing is that they are usually quite obvious, and if users know what to look for, they should be able to avoid opening something malicious. Usually, signs that an unsolicited email with an attachment could be potentially dangerous include the email being riddled with grammar and spelling mistakes, a random-looking sender’s email address, and strong pressure to open the attachment. Even if the email seems legitimate, it’s still recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal.

Users who pirate content via torrents are also risking infecting their computers with some kind of malware. Torrent sites are full of malware because they aren’t properly regulated, and it’s easy for malware creators to upload their malicious programs disguised as some kind of popular content. It’s particularly common for malware to be hidden in torrents for popular TV shows, movies and games.

Is it possible to recover Agho ransomware encrypted files?

When the ransomware starts encrypting files, it shows a fake Windows Update window to users to distract them. When users realize what’s going on, their important files are already encrypted, and have the .agho extension. For example, image.jpg would become image.jpg.agho. Files with that extension will not be openable until they are decrypted.

Once file encryption is complete, the ransomware will drop _readme.txt ransom notes in all folders containing encrypted files. The note is identical to the ones dropped by other versions of Djvu/STOP. It demands that users send an email to or to start the file recovery process. Users will be asked to pay $980 for the decryptor, or $490 if they make contact within 72 hours. Whatever the price users are asked to pay, giving into the demands is not recommended. Simply said, it does not guarantee file decryption. Whether users are sent a decryptor depends on how generous these cyber crooks are feeling. Countless users have not received the decryptor in the past, so users should consider all the risks before deciding to make the payment.

Here is the ransom note dropped by this ransomware:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Only users who have backup can currently recover files for free. However, they should first make sure to remove Agho ransomware fully, as otherwise backed up files may become encrypted as well.

Agho ransomware removal

Users will need to use anti-virus software to delete Agho ransomware, as it’s a complicated malware infection. Unfortunately, ransomware removal does not mean files will be automatically decrypted, the decryptor is needed for that.

Agho ransomware is detected as:

  • Win32:CrypterX-gen [Trj] by Avast/AVG
  • Trojan.GenericKD.44410580 by BitDefender
  • Trojan.GenericKD.44410580 (B) by Emsisoft
  • A Variant Of Win32/Kryptik.HHIK by ESET
  • Trojan.MalPack.GS by Malwarebytes
  • ML.Attribute.HighConfidence by Symantec
  • Trojan:Win32/Glupteba by Microsoft
  • HEUR:Exploit.Win32.Shellcode.gen by Kaspersky