GandCrab Ransomware is file encrypting virus, that uses AES-256 (CBC-mode) encryption algorithm to encode user files. It affects documents, media files, databases – the most important data for users. During encryption process ransomware appends .GDCB extension to encrypted files. After it finishes GDCB-DECRYPT.txt is created. GandCrab Ransomware targets 64-bit systems in Western Europe and South Korea. Its developers demand 1.5 – 2 Dash (cryptocurrency) which estimates in more than $1100. GandCrab checks the system for the presence of .exe files of antiviruses from the popular vendors, and won’t run on the computers with such security software or will attempt to disable it.
Arena Ransomware belongs to CrySis family, previous wide-spread ransomware of this type was Dharma Ransomware, that we described on this blog. Arena Ransomware was detected by security researches first time in August 2017. Since then, it had numerous updates. Different versions of Arena Ransomware demand different ransom amounts. It varies from 0,20 to 0,73 BitCoins, which is near $5000. Security experts do not recommend to pay developers of ransomware, as this encourages them to create new variations and does not guarantee decryption of your files. Actually, most times malefactors don’t send decryption keys. Latest versions of Arena Ransomware are not decryptable, however there is a chance to restore files affected by older versions.
Ykcol Ransomware is newest version of previously described Locky ransomware. New variant uses RSA-2048 and AES-128 cryptographic algorithms and appends .ykcol to he end of all encrypted files. Virus also modifies filenames using the following template: [8_random_hexadecimal_characters]-[4_random_hexadecimal_characters]-[4_random_hexadecimal_characters]-[4_hexadecimal_chars]-[12_random_hexadecimal_characters].ykcol. In order to decrypt your files malware demands 0.25 BTC, which is on the date of writing this article is equivalent to $950. Ykcol Ransomware creates two files named ykcol.htm and ykcol.bmp, both contain instructions to pay the ransom and ID.
Matrix Ransomware is ransomware virus that encrypts user files with either symmetric or asymmetric cryptography. It adds .matrix extension to encrypted files. After finishing encryption process, Matrix creates a text file matrix-readme.rtf or Readme-Matrix.rtf. Virus places this files in every folder with affected files. This text file contains instruction to pay the ransom, where malefactors encourage users to contact them via e-mails: firstname.lastname@example.org, email@example.com or firstname.lastname@example.org.
Dharma virus, unlike similar types of ransomware, does not change desktop background, but creates README.txt or Document.txt.[email@example.com].zzzzz files and places them in each folder with compromised files. Text files contain message stating that users have to pay the ransom using Bitcoins and amount is approximately $300-$500 depending on ransomware version. The private decryption key is stored on a remote server, and there currently impossible to break the encryption of the latest version.