How to remove Epor ransomware

Epor ransomware is file-encrypting malware from the Djvu/STOP malware family. Differs from the other versions from this family by adding .epor to encrypted files. Drops the classic _readme.txt ransom note.


Epor ransomware note

Epor ransomware is a dangerous piece of malware that encrypts files and demands money for their decryption. It’s part of the notorious Djvu/STOP ransomware family, which is responsible for releasing more than two hundred ransomware, including Vvoa, Agho, Vpsh, Jdyi, and Iiss. Users will know which Djvu version they are dealing with by the extension added to encrypted files. In this case, it’s .epor. Files with that extension will be unopenable, until they are decrypted with a special decryptor, which cyber crooks behind this ransomware will try to sell to users. The decryptor will be offered to users in the _readme.txt ransom note it drops. The note demands that victims pay $980 for the decryptor (or $490 if users contact the cyber crooks behind this ransomware within 72 hours).

The note says that purchasing the decryption tool from the gang behind this ransomware is the only way to recover files, and that is, unfortunately, not entirely wrong. Users who have backup can easily recover files as soon as they delete Epor ransomware from their computers, but there aren’t many options left for everyone else. Nonetheless, paying the ransom is not a good idea for a couple of reasons. First of all, whether or not the cyber crooks behind this ransomware send the decryptor likely depends on their mood. It would be naive to expect them to feel obligated to send the decryptor, seeing as they are the ones who encrypted the files in the first place. Thus, paying is risky as there is a possibility a decryption tool would not be sent. Another reason is the fact that the money would go towards future criminals activities. The reality is that as long as users pay the ransom because they don’t have backup, ransomware will continue to strive.

In some cases, users can recover files using free decryptors released by malware researchers. There is one for older Djvu/STOP ransomware versions but it will not work on Epor ransomware or any other newer version because they use online keys to encrypt files. That means that all victims have unique keys, without which developing a decryptor is not possible. Nonetheless, users should back up the encrypted files in case a decryptor is ever released.

How does ransomware enter a computer

Ransomware doesn’t randomly enter a computer, users allow it to enter themselves. They are essentially tricked into doing it by cyber crooks. Among the tricks used to deceive users are adding malicious files to emails and inserting malware into torrents. Users can avoid many malware threats by simply developing better browsing habits.

Malspam is one of the most common ways ransomware tries to trick users. Malicious actors use email addresses purchased from hacker forums to launch spam campaigns that spread malware. They attach the malicious file to an email that claims opening the file is essential. If users do open it, they initiate the malware. In most cases, users should be able to tell when an email is potentially malicious, as long as they do not rush. Malicious emails are usually sent from random-looking email addresses, contain loads of grammar and spelling mistakes, and demand that users open the attachments. Not all malicious emails are as obvious, so it’s recommended to scan all unsolicited email attachments with anti-virus software or VirusTotal.

Users who use torrents to pirate copyrighted content are also at an increased risk of picking up some kind of malware infection. Malware is especially common in torrents for popular movies, TV shows and video games. Torrent sites are often poorly regulated, which allows malicious actors to easily upload malware disguised as a movie or an episode of a TV show.

Can Epor ransomware be decrypted

In order to distract users from what’s happening, the malware shows a fake windows update window. In the meantime, it encrypts files that are most important to users, including photos, videos, and documents. Once the encryption process is complete, files names will have .epor added to them, hence why this is referred to Epor ransomware. For example, image.jpg would become image.jpg.epor. Files with that extension will not be openable unless they are first decrypted. However, in order to obtain the decryptor, users would need to pay the ransom.

The ransomware drops the typical _readme.txt ransom note and it’s identical to the ones dropped by other Djvu ransomware versions. It contains information on what users need to do to recover files, and that includes paying $980 in ransom. Apparently, if users make contact within the first 72 hours, they will get a 50% discount. Whether that is actually true or not, paying the ransom is still not recommended as there are no guarantees that a decryptor will be sent. Furthermore, it only encourages cyber crooks to continue.

Here is the ransom note dropped by Epor ransomware:


Don’t worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
You can get and look video overview decrypt tool:
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.
Please note that you’ll never restore your data without payment.
Check your e-mail “Spam” or “Junk” folder if you don’t get answer more than 6 hours.

To get this software you need write on our e-mail:

Reserve e-mail address to contact us:

Your personal ID:

Unfortunately, only users who have backup can recover files. However, they first need to delete Epor ransomware fully, otherwise the backed up files may become encrypted as well.

Epor ransomware removal

In order to remove Epor ransomware, users need to use anti-virus software, or reinstall Windows. Trying to manually delete Epor ransomware could lead to even more damage. Once the ransomware is no longer present, users can access backup to start file recovery. Unfortunately, removing the ransomware does not mean files will automatically be decrypted.