Tutorials

BlackLegion Ransomware is a type of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible, and then demanding a ransom for the decryption key. Once installed on a computer, BlackLegion encrypts files and appends a unique extension to the filenames. Any files encrypted with BlackLegion Ransomware will have a random 8 characters followed by the victim's email and the .BlackLegion extension. For example, a file named photo.jpg might be renamed to photo.jpg.[random-numbers].[Blackdream01@zohomail.eu].BlackLegion after encryption. BlackLegion creates a ransom demand in the form of a text file, typically named DecryptNote.txt or a variant thereof. This note includes instructions on how to pay the ransom, usually in cryptocurrency, and may offer to decrypt a single file for free as proof that the attackers can restore the victim's files.

WantToCry Ransomware is a type of encryption virus, which is a subset of malware that encrypts files on a victim's computer and demands a ransom for the decryption key. This particular cryptor targets NAS devices. The WantToCry ransomware appends the .want_to_cry extension to the files it encrypts. This clearly marks which files have been compromised and are inaccessible without the decryption key. While the specific encryption method used by WantToCry is not detailed in the provided source, ransomware generally uses strong encryption algorithms like AES (Advanced Encryption Standard) or RSA (Rivest–Shamir–Adleman) to lock files, making them inaccessible without a unique decryption key. It is a crypto virus that locks files and coerces victims into paying to regain access to their data WantToCry creates a ransom note named !want_to_cry.txt that is left on the victim's computer. This note informs the victim that their data has been encrypted and provides instructions on how to pay the ransom, which is set at $300. Victims are instructed to download and install qTOX, create a profile, and contact the cybercriminals via qTOX chat to arrange payment.

Mallox Ransomware, also known as "TargetCompany" or "Fargo," is a malicious software that encrypts files on a victim's computer and demands a ransom for the decryption key. It has been active since mid-2021 and operates under a Ransomware-as-a-Service (RaaS) model, leveraging underground forums and markets to recruit affiliates and advertise its services. Mallox encrypts files using the ChaCha20 encryption algorithm and adds various file extensions to the encrypted files, such as .mallox, .mallab, .ma1x0, .malox, .malloxx, .maloxx, and others. It also uses victims’ names as the extension in some cases. The ransomware drops a ransom note (HOW TO RESTORE FILES.txt) in every directory on the victim's drive, explaining the infection and providing contact information for the attackers. The note instructs victims to send their personal ID to the attackers' email address to receive payment instructions for the decryption tool.

Press Ransomware is a type of malware that falls under the category of crypto-ransomware, which is designed to encrypt data on infected computers, rendering the files inaccessible to the users. The attackers then demand a ransom payment in exchange for the decryption key that would allow the victims to regain access to their encrypted files. After encrypting the files, Press Ransomware appends .press, .dwarf or .spfre extensions to the filenames, making them easily identifiable. For example, a file originally named 1.jpg would be renamed to 1.jpg.press after encryption. The specific encryption algorithm used by Press Ransomware is not detailed in the provided search results, but it is common for such malware to use robust encryption methods like AES or RSA to prevent unauthorized decryption. Upon completion of the encryption process, Press Ransomware drops a ransom note named RECOVERY NFO.txt on the victim's computer. This note informs the victim that their files have been encrypted and that sensitive data has been exfiltrated. The attackers threaten to sell or leak the stolen content online if the ransom is not paid. The note also offers the victim the opportunity to send a couple of encrypted files to the attackers for free decryption as proof that they can decrypt the files.

DiskStation Security Ransomware is a type of malware specifically targeting Synology NAS (Network Attached Storage) devices, which are often used for storing large amounts of data, including backups and personal files. The main purpose of this ransomware, like others, is to encrypt files on the infected system and demand a ransom from the victim in exchange for the decryption key. The file extensions targeted by DiskStation Security Ransomware are not detailed in the provided search results. However, ransomware generally targets a wide range of file types, especially those associated with important documents, images, videos, and databases. The encryption method used is also not specified, but AES (Advanced Encryption Standard) is commonly employed by ransomware for its robustness. After encryption ransomware adds random extension to files. Upon successful encryption of files, ransomware typically leaves a ransom note (!!Read Me!!.txt) on the desktop or within affected directories. This note contains instructions for the victim on how to pay the ransom and often includes threats of data destruction or exposure if the demands are not met.

RCRU64 Ransomware is a type of malware that encrypts files on a victim's computer and demands a ransom for the decryption key. It is primarily spread through email attachments in phishing attacks, malicious software downloads, and exploitation of vulnerabilities, particularly through weak Remote Desktop Protocol (RDP) passwords. RCRU64 changes the names of encrypted files by appending the victim's ID, email address, and a specific extension. The known extensions associated with RCRU64 include .HM8 and other variants like ".TGH", ".03rK", ".q6BH", and ".IalG. The ransomware uses strong encryption algorithms to lock files on the infected computer. While specific details about the encryption method are not provided in the search results, ransomware typically uses a combination of symmetric (e.g., AES) and asymmetric (e.g., RSA) encryption to secure files, making decryption without the key nearly impossible. RCRU64 creates ransom notes named Restore_Your_Files.txt and ReadMe.hta, which inform victims that their files have been encrypted and provide instructions for payment. The notes warn against attempting to decrypt files independently and offer to decrypt a few files as proof before payment is made.

Proton is a ransomware infection. The purpose of this virus is to run encryption of potentially critical pieces of data and then demand money for its complete decryption. While doing so, Proton also changes the files visually - an affected file with acquire kigatsu@tutanota.com email address, victim's ID, and .Proton or .kigatsu extension to encrypted files. For instance, a file like 1.pdf will turn to look something like 1.jpg.[kigatsu@tutanota.com][719149DF].kigatsu. Following this change, victims will no longer be able to access their files, no matter what modifications are made. After this, the virus drops the README.txt text note, which contains decryption instructions. It is said victim's data has been encrypted (using AES and ECC algorithms) and stolen by cybercriminals. The word "stolen" likely suggests that the encrypted data has been copied to cybercriminals' servers and can be abused anytime unless the ransom is paid. Threat actors encourage their victims to reach out to them via Telegram or e-mail and purchase the decryption service. In addition, victims are also allowed to send one file (less than 1MB) and get it decrypted for free. This way, cybercriminals demonstrate their trustworthiness as well as their capability of returning access to the blocked data. At the end of the ransom message, extortionists state a couple of warnings regarding risks of attempting to decrypt files without the help of ransomware developers.

Reload Ransomware is a form of malware that targets individuals and organizations by encrypting their files and demanding a ransom for decryption keys. It is part of Makop Ransomware family. The ransom note typically begins with a declaration that all files have been encrypted and now have the .reload extension appended to them. The ransomware uses robust encryption algorithms to lock the files, making them inaccessible without the corresponding decryption key. The specific type of encryption used by Reload Ransomware is not explicitly mentioned in the provided sources, but ransomware typically employs AES (Advanced Encryption Standard) or RSA encryption, which are both highly secure and difficult to crack without the unique decryption key. The ransom note created by Reload Ransomware is typically a text file (+README-WARNING+.txt) that is dropped into folders containing encrypted files. This note clearly states that the files have been encrypted and provides instructions on how to pay the ransom to recover the files. The note may include details such as the amount of ransom demanded, usually in cryptocurrency like Bitcoin, to ensure anonymity of the transaction.