Viruses

GandCrab v4.1 Ransomware represents a formidable evolution in the realm of cyber threats. As a part of the notorious GandCrab ransomware family, this version continues to employ advanced encryption techniques, specifically using AES-256 and RSA-2048 algorithms, to secure its hold over victims' files. Victims will notice that files previously accessible suddenly bear a new extension, specifically the .krab extension, rendering them unreadable without the decryption key. The ransomware stealthily infiltrates systems, often through vulnerabilities such as unprotected Remote Desktop Protocol connectors or through malicious email attachments and links. It further erases shadow copies from the system, which exacerbates the difficulty in restoring data. Upon successful encryption, GandCrab leaves behind a ransom note named krab-decrypt.txt on the infected machine. This note informs victims about the compromised state of their files and provides instructions to access a site via the TOR network. Victims are urged not to modify encrypted files, as these could become permanently damaged beyond recovery.

Scarab-CyberGod Ransomware is a malicious cryptovirus, belonging to the notorious Scarab Ransomware family. It infiltrates computers, encrypting user files and rendering them inaccessible. Victims of this ransomware will find their files with the new .CyberGod extension, indicating they have been encrypted. The malware employs strong encryption algorithms, making it difficult for users to decrypt their files without the attacker's key. Once the file encryption process is complete, the ransomware leaves a ransom note titled From Jobe Smith.TXT. This note can typically be found in every directory where files have been encrypted. The note contains payment instructions and threatens the permanent loss of data unless the ransom is paid, often amounting to several hundred dollars. Victims are urged not to trust these cybercriminals, as paying the ransom does not guarantee data recovery.

FenixLocker Ransomware is a malicious software that encrypts files on infected systems, rendering them inaccessible to the user. This ransomware typically adds the .centrumfr@india.com extension to the compromised files, which serves as a clear indicator of infection. Among other possible extensions for this ransomware are: .[help24decrypt@cock.li], .help24decrypt@qq.com!!. Through its process, it employs AES cryptography, a robust encryption method that effectively ensures the victim cannot access their data without the decryption key. After encrypting the files, FenixLocker leaves a ransom notes titled Help to decrypt.txt or Cryptolocker.txt on the desktop. The note instructs victims to contact the attackers via email to receive further steps, often requesting a ransom in Bitcoin to restore access to the files. Despite the compelling nature of these notes, paying the ransom is highly discouraged since it doesn't guarantee the decryption of files and may further expose victims to additional risks.

PSLoramyra is a sophisticated loader-type malware known for its file-less nature, executing its payload directly in memory. This malware leverages scripts such as PowerShell, VBS, and BAT to infiltrate systems and evade detection effectively. It initiates a chain infection process, starting with a PowerShell script that carries the main payload along with necessary execution scripts. To maintain persistence, PSLoramyra utilizes a VBScript that executes additional scripts every two minutes via Windows Task Scheduler. This malware is particularly dangerous as it injects malicious code into legitimate processes, such as RegSvcs.exe, a component of the .NET Framework. While its primary function is to download and install additional malicious components, the impacts of PSLoramyra can include severe privacy breaches, data loss, financial theft, and identity fraud. Its infection vectors often include phishing tactics, malicious email attachments, and social engineering methods, making it crucial for users to maintain vigilance and employ robust security measures.

WeHaveSolution Ransomware is a particularly severe form of malware designed to encrypt files on a victim's computer, effectively rendering them inaccessible until a ransom is paid. Upon infection, it appends the .wehavesolution247 extension to the encrypted files, indicating their compromised status. It employs strong encryption standards like RSA and AES to secure the files, which makes unauthorized decryption virtually impossible without the right decryption key. This ransomware does more than just encrypt files; it also drops a ransom note titled READ_NOTE.html on the infected device, usually on the desktop, where it delivers the attackers' demands. The note insists that victims should not attempt third-party decryption or modify the encrypted files, as such actions could lead to irreversible file damage. It further threatens to leak or sell stolen sensitive data if the ransom isn't paid within a specific timeframe, typically 72 hours. This creates a sense of urgency, pressuring victims into considering the payment to restore access to their data.

UwU Ransomware is a type of malicious software classified under ransomware, notorious for encrypting victims’ files and demanding a ransom for decryption. This ransomware particularly targets users' data by appending the file extension .MOONMAN to the encrypted files, making the data unusable without the specific decryption key held by the attackers. For instance, a file named document.docx would be transformed into document.docx.MOONMAN after encryption. The cryptographic algorithms utilized by UwU ransomware are typically robust, making decryption without the attacker’s key practically impossible. Once the encryption process is completed, UwU creates a ransom note named READTHISNOW.txt, which serves to notify the victim of their files’ encryption and demand a payment of $1,488, specifically in the form of cryptocurrency referred to as "shitcoin". The note, however, is unconventional as it does not directly convey that the files have been encrypted but instead is filled with obscure references and profanity.

GodLoader is a sophisticated piece of malware that leverages the flexibility of the Godot Engine, an open-source game development platform, to infiltrate systems across multiple operating environments, including Windows, macOS, Linux, Android, and iOS. This malware is propagated through a deceptive network known as the Stargazers Ghost Network on GitHub, where malicious actors disguise harmful scripts within legitimate game files. By exploiting the .pck file system used by the Godot Engine to store game assets, GodLoader manages to execute malicious code when these files are loaded, often bypassing traditional antivirus detection. This Trojan-type malware is primarily used to deliver payloads such as the RedLine information stealer and the XMRig cryptocurrency miner, which can lead to significant issues like identity theft, financial loss, and degraded system performance. Despite its complex nature, GodLoader remains undetectable by most antivirus tools, posing a severe threat to users who unknowingly download infected game mods or other content. The absence of visible symptoms makes it particularly dangerous, as it operates silently, stealing sensitive data and consuming system resources without alerting the user. To mitigate the risk, users should ensure they download software only from trusted sources and maintain up-to-date security tools capable of detecting sophisticated threats.

Arachna Ransomware is a malicious software variant that specifically targets users by encrypting their files and demanding a ransom for their decryption. Upon infiltrating a system, it appends the file extension .Arachna to the victim's files, significantly modifying their names to include the victim's ID and an email address, along with the new extension. For instance, a file named photo.jpg might be transformed into photo.jpg[id-0458FGO9].[Arachna_Recovery@firemail.de].Arachna. The encryption used by Arachna is typically robust, leaving minimal opportunities for decryption without the attackers' tools. After encryption, the ransomware generates ransom notes in the form of Restore-Files-Guide.txt files and pop-up windows, explicitly instructing victims to contact the attackers via email. The notes ominously warn that failure to comply and pay the demanded Bitcoin ransom could result in permanent data loss, thus pressuring victims into cooperation.