Viruses

Originating in the summer of 2024, Cicada 3301 Ransomware is a formidable cyber threat designed to encrypt data and extort victims for payment. Written in the Rust programming language, it is a Ransomware-as-a-Service (RaaS), meaning it is available for use by other cybercriminals through a subscription model. Once activated on a victim’s system, this ransomware employs the ChaCha20 cryptographic algorithm, known for its swift and robust symmetric encryption, making decryption without the correct key an insurmountable challenge. The ransomware appends affected files with a seven-character random extension, drastically altering their original names and rendering them inaccessible. For example, a file named 1.jpg may appear as 1.jpg.f11a46a1 post-encryption. Upon completion of the encryption process, the malware drops a ransom note named RESTORE-[file_extension]-DATA.txt on the victim's system, detailing the attack and outlining the ransom demand.

Trojan:Win32/Fauppod!ml is a machine learning-based detection name assigned by Microsoft Defender to a type of malware primarily identified by its behavior rather than traditional signature methods. This malware is designed to steal sensitive information, particularly targeting online banking credentials. It typically spreads through malicious email attachments or dubious downloads from untrustworthy sources. Once executed, the malware checks for other instances of itself and utilizes process hijacking techniques to evade detection. It disables system defenses by manipulating registry keys and injects itself into legitimate processes like svchost.exe and wmiadap.exe, making its activities difficult to trace. Communication with its command and control (C2) servers often involves both standard and non-standard ports, and it sometimes uses compromised websites to mask its network traffic. Although primarily a serious threat, heuristic detections like Fauppod!ml can occasionally result in false positives, making third-party anti-malware solutions valuable for confirmation and removal.

Trojan:Win32/Leonem is a sophisticated spyware variant that primarily targets sensitive login data on compromised systems. This malware is typically spread through malicious documents or disguised as legitimate software, making it a deceptive threat. Once installed, it can perform keylogging, collect browser passwords, cookies, and cache, and even seek out stored credentials in email clients. Leonem also attempts to disable security software, modify system settings, and ensure persistence by running at each system boot. Beyond its primary data-stealing function, it can also act as a malware dropper, often deploying ransomware or backdoors. The malware uses legitimate processes to detect sandbox environments and virtual machines, which helps it evade detection. Ultimately, Leonem exfiltrates collected data to its command server, often using Discord webhooks for this purpose.

Trojan:Win32/HeavensGate.RPY!MTB is a heuristic detection designed to generically identify a type of Trojan Horse malware. This malicious software can perform a variety of harmful activities once it infiltrates a system. Common behaviors include downloading and installing additional malware, recording keystrokes, and sending sensitive information such as usernames and browsing history to remote attackers. It may also grant unauthorized access to the infected PC, enabling hackers to control it remotely. Some variants inject advertising banners into web pages, engage in click fraud, or even use the system's resources to mine cryptocurrencies. Identifying and removing this Trojan is crucial as it poses significant risks to data security and system integrity. Users should regularly update their antivirus software and remain vigilant when downloading programs or clicking on suspicious links to mitigate such threats.

Discovered during an investigation of new submissions to VirusTotal, BlackZluk Ransomware is a potent ransomware variant that encrypts victims' files and demands a ransom for their decryption. The malware appends an additional extension, .blackZluk, to the filenames of the encrypted files, renaming files such as document.docx to document.docx.blackZluk. The ransomware employs sophisticated encryption algorithms, typically a mix of symmetric and asymmetric encryption to complicate the decryption process without the necessary decryption key. Once the files are encrypted, the ransomware generates a ransom note, titled #RECOVERY#.txt, usually placed in directories containing encrypted files and often displayed on the victim's desktop. This note informs victims of their predicament, detailing how their data has been encrypted and extorted for privacy or financial leverage.

ScRansom Ransomware, designed to encrypt files on its victim's systems, primarily targets small and medium-sized businesses. It operates using sophisticated algorithms to lock data, ultimately extorting victims for money in exchange for decryption keys. This malicious software appends the .Encrypted extension to the filenames of affected documents, pictures, and other essential files, making them inaccessible to their owners. During the encryption process, files like 1.jpg are renamed to 1.jpg.Encrypted, obfuscating the contents and causing significant operational disruption. In addition to encrypting files, ScRansom leaves a ransom note named HOW TO RECOVERY FILES.TXT in the infected directories.

Colony Ransomware is a type of malware designed to encrypt data on the victim's computer and demand a ransom for its decryption. It first surfaced on VirusTotal, where researchers discovered its modus operandi. Once infiltrated, the malware encrypts files and appends a unique file extension, such as including the attackers' email address and a variable string, most commonly seen as .colony96. For instance, a file initially named photo.jpg may be renamed to photo.jpg.[support2022@cock.li].colony96. These extensions can vary based on the specific variant of the ransomware. Upon completing the encryption process, Colony Ransomware creates and displays ransom notes through various visible means: a full-screen message preceding the user login screen, desktop wallpaper, and a text file labeled #Read-for-recovery.txt. These notes urge the victim to contact the attackers for decryption instructions, laying out specific communication steps to avoid their message getting lost.

Ior Ransomware is a malicious cryptovirus that belongs to the Dharma family, discovered during malware sample inspections on VirusTotal. It encrypts a victim's data, appending the victim's ID, a specific email address, and the .ior extension to filenames. Encrypted files are renamed systematically; for example, 1.jpg becomes 1.jpg.id-12345.[email].ior. The attack is identified through a pop-up window and a text file named manual.txt, informing the victim that their files have been locked and demanding ransom for decryption. The ransom note emphasizes the urgency, instructing victims to contact either jasalivan@420blaze.it or ja.salivan@keemail.me within 12 hours, and it promises free decryption of up to three small files to build trust.