Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Itrz Ransomware and decrypt .itrz files

Itrz Ransomware is malicious software that belongs to the STOP/DJVU family of ransomware. It is designed to encrypt files on a victim's computer, making them inaccessible until a ransom is paid to the cybercriminals. The ransomware appends the .itrz extension to the filenames of encrypted files, rendering them unusable without the decryption key. Itrz ransomware is associated with the Djvu ransomware family and may be distributed alongside information-stealing malware such as RedLine or Vidar. Itrz ransomware encrypts a wide range of common file types, including documents, images, videos, and more. After encrypting the files, Itrz ransomware generates a ransom note, usually located in a file named _readme.txt. The note informs the victim that their files have been encrypted and demands a ransom payment, typically ranging from $490 to $980 in Bitcoin, in exchange for the decryption key.

How to remove Ptrz Ransomware and decrypt .ptrz files

Ptrz Ransomware is a file-encrypting ransomware infection that restricts access to data such as documents, images, and videos by encrypting files and appending the .ptrz extension. The ransomware uses the Salsa20 encryption algorithm to scramble the contents of the targeted files. Once the files are encrypted, they cannot be opened by any program. Once PTRZ Ransomware infects a computer, it targets various types of files and encrypts them. Due to the strong encryption method used, it is incredibly hard, if even possible, to recover the decryption key without cooperating with the attackers. After the encryption process, PTRZ Ransomware displays a ransom note in a _readme.txt file. This note contains instructions on how to contact the authors of the ransomware and the ransom amount, which ranges from $490 to $980 (in Bitcoin). The victims are asked to contact the malware developers via the support@freshmail.top and datarestorehelp@airmail.cc email addresses.

How to remove Xollam Ransomware and decrypt .xollam files

Xollam is high-risk file-encrypting malware, a variant of the Mallox Ransomware, which is part of the TargetCompany Ransomware family. It is designed to lock all the files on an infected PC, rendering them inaccessible. The ransomware encrypts the victim's files using the ChaCha20 encryption algorithm and generates the encryption keys using Curve25519, an example of elliptic curve cryptography. Xollam Ransomware appends the .xollam extension to the end of the encrypted file's name. Other file extensions observed were .FARGO3, .exploit, .avast and .bitenc, in addition to the use of victims' names as the extension. Xollam creates a ransom note named FILE RECOVERY.txt. The ransom note states that files encrypted by Xollam ransomware cannot be used until they are decrypted with a tool purchased from the threat actors behind the attack. The note also warns that attempts to modify files or restore them using third-party tools will damage them.

How to remove Pthh Ransomware and decrypt .pthh files

Pthh Ransomware is file-encrypting malware that restricts access to data such as documents, images, and videos by encrypting files and appending the .pthh extension. It belongs to the STOP/DJVU ransomware family. The primary goal of this ransomware is to extort money from victims by demanding a ransom in exchange for the decryption key. The ransomware uses the Salsa20 encryption algorithm. If Pthh cannot establish a connection to its server before starting the encryption process, it uses an offline key, which is the same for all victims, making it possible to decrypt .pthh files in the future. After the encryption process, Pthh ransomware displays a ransom note in a _readme.txt file. The note contains instructions on how to contact the authors of this ransomware and the ransom amount, which ranges from $490 to $980 (in Bitcoin). The victims are asked to contact the malware developers via the support@freshmail.top and datarestorehelp@airmail.cc email addresses.

How to remove Grounding Conductor Ransomware and decrypt .Grounding Conductor.zip files

Grounding Conductor is a type of malware known as ransomware. Its primary purpose is to prevent victims from accessing their files by encrypting them. This ransomware variant is also referred to as a crypto virus or file locker because of its encryption capabilities. Grounding Conductor ransomware adds a specific extension to the files it encrypts. The file renaming pattern is [original_filename].{victim's_ID}.Grounding Conductor.zip. For example, a file originally named photo.jpg might be renamed to photo.{12345678-1234-1234-1234-123456789012}.Grounding Conductor.zip. Grounding Conductor ransomware uses a specific encryption method to lock the files of its victims: each encrypted file carries a file marker at its end, either &XChaCha20 or XChaCha20. After encrypting the files, Grounding Conductor ransomware leaves a ransom note named readme.txt. This note typically contains instructions for the victims on how to pay the ransom to get their files decrypted.

How to remove Ptqw Ransomware and decrypt .ptqw files

Ptqw Ransomware is a harmful file-encrypting virus that belongs to the STOP/DJVU family, which is notorious for malicious file ciphering. It is distributed via spam email containing infected attachments, fake software cracks, or by exploiting vulnerabilities in the operating system and installed programs. It can also spread through third-party websites offering paid programs for free, including cheat engines, keygens, and other tools used to modify games. Once Ptqw Ransomware infects a computer, it encrypts files using a strong encryption algorithm (AES-256 or Salsa20). The encrypted files are then appended with the .ptqw extension, rendering them inaccessible and unusable. After encrypting the files, Ptqw Ransomware displays a ransom note in a _readme.txt file. This note contains instructions on how to contact the authors of the ransomware, usually via the support@freshmail.top and datarestorehelp@airmail.cc email addresses.

How to remove Poopy Butt-face Ransomware and decrypt .Poop files

Poopy Butt-face Ransomware is a type of malicious software, or malware, that encrypts data on a victim's computer and demands payment for its decryption. It is a variant of the Chaos Ransomware. The ransomware is designed by cybercriminals to earn money, typically through Bitcoin payments. Once Poopy Butt-face Ransomware infects a system, it encrypts files and appends their filenames with a unique ID assigned to the victim, the cybercriminals' email address, and a .Poop extension. For example, a file initially titled 1.jpg might appear as 1.jpg.Poop. Adding a new extension to the original filename is only a visual change; it is the encryption, not the renaming, that makes the file unusable. After encrypting the files, Poopy Butt-face leaves a ransom note, a text file named Pooop-ransom.txt.

How to remove GhostLocker Ransomware and decrypt .ghost files

GhostLocker is a type of ransomware developed by the GhostSec cybercriminal group. Ransomware is a type of malware designed to encrypt data and demand payment for its decryption. GhostLocker targets a wide range of data types, including documents, spreadsheets, drawings, images, movies, and videos. It is a derivative of the BURAN Ransomware and is distributed in a worldwide campaign. GhostLocker encrypts files and appends their names with a .ghost extension. For example, an original filename such as 1.jpg would appear as 1.jpg.ghost. The encryption process is simple: every file that gets encrypted becomes unusable. GhostLocker uses AES encryption, a symmetric encryption algorithm known for its speed and security. GhostLocker leaves a ransom note in a text file (lmao.html), warning against renaming the encrypted files or using third-party recovery tools, as this may lead to permanent data loss. The victim is also warned that seeking aid from third parties or authorities will result in data loss and the stolen content being leaked.