Ransomware

New wave of STOP Ransomware infection continues with Xcvf Ransomware, that appends .xcvf extensions. Those extensions are added to encrypted files in the middle of May 2022. This tricky virus uses the AES encryption algorithm to encode users' important information. As a rule, Xcvf Ransomware attacks photos, videos, and documents - data, that people value. The malware developers extort ransom and promise to provide a decryption key in return. In the ransom note, we can see, that malefactors demand $980 (the amount can be reduced if paid within the first 72 hours). Hackers offer victims to contact them via new e-mails: manager@mailtemp.ch and helprestoremanager@airmail.cc. In most cases algorithms of Xcvf Ransomware are unbreakable. But virus code has its flaws. Particularly, if attacked PC lost internet connection during ransomware activity or hackers' servers experienced some sort of malfunction, there are high chances to recover your files. In this case, Xcvf Ransomware generates an offline key, that can be retrieved by a special decryption tool - STOP Djvu Decryptor. Below we provide you with download links and instructions to use this utility. There are standard Windows system functions, such as restore points, shadow copies, and previous versions of files, that can be useful, although, malicious algorithms often prevent such opportunities.

Titancrypt is a ransomware-type infection. It encrypts system-stored data and demands victims to pay a small ransom of 20 Polish Zlotys (about 4,5 Dollars). During encryption, it adds the new .titancrypt to each encrypted file making it no longer accessible. For instance, a file previously titled as 1.png will change to 1.png.titancrypt and lose its original icon. Insturctions on how to pay the requested money can be found inside of ___RECOVER__FILES__.titancrypt.txt - a text file injected to each folder with encrypted data including your desktop. Along with this, it displays a pop-up window saying how many files have been encrypted. Unlike other infections of this type, the supposedly polish threat actor behind his Titancrypt Ransomware has written short and clear instructions on what victims should do. It is said to contact him via his discord (titanware#1405) and send 20 Polish Zlotys through PaySafeCard. Although the ransomware developer does not elaborate on this, paying the ransom should logically lead to full decryption of data. Many ransomware infections (unlike this) ask for ransoms ranging from hundreds to thousands of dollars. Thus, users victimized by Titancrypt Ransomware got somewhat lucky since 4,5 Dollars is not a lot of money for many. You can pay this amount and get your data decrypted unless there are backup copies available. If you have your encrypted files backed up on external storage, then you can ignore paying the ransom and recover from backups after deleting the virus.

Mine is a recent virus developed by the STOP/Djvu ransomware family. This group of developers has developed hundreds of ransomware infections designed to render personal data inaccessible and blackmail victims into paying the ransom. Mine is not an exception as well. During encryption, it renames files with the .mine so that a sample like 1.pdf will be changed to 1.pdf.mine and reset its original icon. Immediately after this, the virus creates a text note called _readme.txt, which contains file-decryption instructions.

GUCCI is the name of a ransomware infection originating from the so-called Phobos family. What it does is encryption of system-stored data as well as demands to pay money for file decryption. Victims will be able to understand their files are locked through a new file appearance. For instance, a file like 1.xlsx to 1.xlsx.id[9ECFA84E-3208].[tox].GUCCI. The characters inside of the new file names can vary depending on the ID assigned to each victim. GUCCI Ransomware also creates two text files - info.txt and info.hta both of which describe ways of returning access to data. Cybercriminals say victims can decrypt their data by having negotiations with them. In other words, to buy a special decryption tool that will unlock access to restricted data. While the price is kept secret, victims are guided to contact swindlers via the TOX messenger. After this, victims will get further instructions on what to do and how to purchase the tool (in Bitcoins). In addition to this, developers provide an offer of 1 free file decryption. Victims can send a non-valuable encrypted file and receive it back fully operatable for free. Unfortunately, despite meeting the payment demands, some victims of other ransomware variants reported they ended up fooled and left with absolutely no promised decryption.

If your files became unavailable, got weird icons, and got .egfg extension, that means your computer got hit by Egfg Ransomware (also known as STOP Ransomware or Djvu Ransomware). This is an extremely dangerous and harmful encryption virus, that encodes data on victims' computers and extorts ransom equivalent of $490/$960 in cryptocurrency to be paid on an anonymous electronic wallet. If you didn't have backups before the infection, there are only a few ways to return your files with a low probability of success. However, they are worth trying and we describe them all in the following article. In the text box below, you can get acquainted with the contents of _readme.txt file, which is called "ransom note" among security specialists and serves as one of the symptoms of the infection. From this file, users get information about the technology behind the decryption, the price of the decryption, and the contact details of the authors of this piece of malware. Although the ransom amount may seem not that big for someone, you should mention, that there is absolutely NO guarantee, that developers will respond to you or send any decryption tool. There is a tool called STOP Djvu Decryptor from Emsisoft, that was able to brute-force the key or find an offline master key for some versions of STOP Ransomware. But according to reports from the BleepingComputer forum and the authors of the decryption tool, it is currently useless against .egfg files. However, things may change and we still place links and instructions for it, in case STOP Djvu Decryptor will be updated.

Black Basta is the name of a ransomware infection aimed more at corporate rather than ordinary users (financial firms, private companies, etc.). It, therefore, uses high-tier encryption standards to encipher data stored on a network making it no longer accessible. Victims infected with this virus will see their data change in the following way - 1.pdf to 1.pdf.basta, 1.xlsx to 1.xlsx.basta, and so forth with other encrypted data. After this, Black Basta creates a text note called readme.txt, which provides instructions on how to recover the data. Default desktop wallpapers will be replaced by the virus as well. As said in the note, victims can start the decryption process by visiting the attached Tor link and logging into the chat with their company ID. Going further, cybercriminals will give the necessary information and instructions on how to develop the process. Some victims reporting their case infection with Black Basta Ransomware showed that cybercriminals require 2 million dollars to pay for decryption. Note that this sum is likely to be variable depending on how big the infected company is and how much value the collected information comprises. In addition to everything mentioned, the extortionists threaten that if victims do not negotiate towards a successful deal or decline the offer intentionally, all gathered data will be subject to ending up published online. Sometimes the bigger danger of being infected is not losing data but rather risking to lose your business reputation.