Ransomware

FindNoteFile is the name of a ransomware infection that started its hunt for business users in June 2021. Just like other malware of this type, developers use AES+RSA algorithms to encrypt victims' data. FindNoteFile has been found distributed in 3 different versions. The only big difference between them is the name of the extension assigned to files after encryption (.findnotefile, .findthenotefile, or .reddot). For example, a file initially called 1.pdf will change its appearance to 1.pdf.findnotefile, 1.pdf.findthenotefile, or 1.pdf.reddot depending on which version attacked your system. Then, as soon as encryption is over, the virus creates a text note called HOW_TO_RECOVER_MY_FILES.txt, which contains ransom instructions. The text written inside is full of mistakes, however, it is still easy to understand what cybercriminals want from their victims.

SLAM is a ransomware-type virus that encrypts personal data to earn money on desperate users. In other words, it restricts access to data and keeps it under lock until victims pay a certain ransom fee. To make users spot the encryption, developers rename the compromised data using the .slam extension. To illustrate, a file like 1.pdf will be retitled to 1.pdf.slam and reset its original icon (in some cases). Then, after this part of encryption is done, SLAM opens a window stating information about the virus. Red text on the black background says that all files have been encrypted. In order to get them back, victims are asked to contact cybercriminals using one of the e-mails attached to the note. Thereafter, you will be given the necessary instructions to perform a transfer of ransom in money. In addition to that, users are warned that shutting down the PC, or using Windows applications (e.g. regedit, task manager, command prompt, etc.) is forbidden. Otherwise, your PC will be locked and denied from getting boot up until the virus is present. The same will happen unless you contact extortionists within 12 hours. At this point of the investigation, cyber experts have not been yet able to find a tool that could provide data decryption for free, without involving the cybercriminals. Paying the ransom is also a risk as there is no guarantee that you will receive your files back. The only best way in this situation is deleting SLAM Ransomware and recovering your data via backup copies. If you do not have them created and stored in a separate location prior to the infection, then it is almost unreal to decrypt your files.

Qscx Ransomware, being a part of STOP Ransomware is a critical virus, endangering user's personal files. It belongs to the family of file-encrypting malware, that uses the AES (Salsa20) algorithm and unbreakable key. This virus is, sometimes, called DJVU Ransomware, after the word used as an extension in the first versions (.djvu). The variant of the threat, that we describe today, modifies files with .qscx extension. Files are encrypted with a secure key and there are quite small chances to decrypt them completely. However, certain manual methods and automatic tools, described in this article can assist you to successfully decrypt some data. The price of decryption of files encoded by STOP Ransomware is $490 (or $980, if not paid within 72 hours). But as statistic shows, it is pointless to pay any money, as malefactors almost every time ignore the victims. STOP Ransomware purposefully encrypts important personal information: videos, photos, documents, local e-mails, archives. It detects and attacks a type of data, that can be so critical to users to pay such an amount of money for. If there are any realistic chances to recover files with the .qscx extension, you can do it with a special utility called Emsisoft Decryptor for STOP Djvu, which can be downloaded below.

EpsilonRed is another ransomware-type virus that targets personal data on infected systems. Once it finds the range of data it needs (normally it is databases, statistics, documents, etc.), the virus starts running data encryption with AES+RSA algorithms. The entire encryption process is hard to spot out immediately as victims become aware of the infection only after all files have changed their names. To illustrate that, let's take a look at the file named 1.pdf, which therefore changed its appearance to 1.pdf.epsilonred. Such a change means it is no longer permitted to access the file. Besides pursuing sensitive data, it is also known that EpsilonRed alters the extension of executable and DLL files, which may disable them from running correctly. The virus also installs a couple of files that block off protectionary layers, clean Event logs, and affect other Windows features once the infection has snuck into the system. At the end of encryption, EpsilonRed provides ransom instructions presented inside of a note. The name of the file may vary individually, but most users reported about HOW_TO_RECOVER.EpsilonRed.txt and ransom_note.txt text notes getting created after encryption.

This article contains information about Mppq Ransomware version of STOP Ransomware that adds .mppq extensions to encrypted files, and creates ransom note files on the desktop and in the folders with affected files. Mppq Ransomware is actively distributed in the following countries: USA, Canada, Spain, Mexico, Turkey, Egypt, Brazil, Chile, Ecuador, Venezuela, Germany, Poland, Hungary, Indonesia, Thailand. This variation first appeared in June 2021 and almost identical to the previous dozens of variations. Ransomware virus still uses AES encryption algorithm and still demands a ransom in BitCoins for decryption. Mppq variation of STOP Ransomware displays a fake Windows Update pop-up during the process of file encryption. All three varieties belong to one author, because they are using the same e-mail addresses for communication: helpteam@mail.ch and helpmanager@airmail.cc. From the file above we can learn, that hackers offer a 50% discount for decryption if the ransom amount is paid within 72 hours. However, from our experience, this is just a trick to encourage the person to pay the ransom. Often malefactors don't send decryptors after this.

Gpay is known as a malicious program that runs secure data encryption over stored data using AES-256, RSA-2048, and CHACHA algorithms. Cybercriminals monetize their software by asking victims to pay money for data decryption. Before doing so, victims are firstly confused about sudden changes in file appearance. This is because Gpay renames all encrypted files with the .gpay extension. To illustrate, a file like 1.pdf will be altered to 1.pdf.gpay after encryption is finished. After spotting this change, victims will also find a file called !!!HOW_TO_DECRYPT!!!.mht within all infected folders. The file leads to a web page displaying ransom instructions. It is said that you can send up to 3 files to test their decryption abilities for free. This can be done by sending your files with personal ID to gsupp@jitjat.org and gdata@msgden.com email addresses. The same should be done to claim payment address and purchase the decryption tools. Unless you do it within 72 hours, cybercriminals will more likely publish the hijacked data on darknet-related platforms. This is why getting trapped by Gpay is extremely dangerous as there is a huge privacy threat. Depending on what will be the price of data decryption, victims can decide whether they need it or not.