Ransomware

Midnight Ransomware is a dangerous file-encrypting malware strain identified as part of the Babuk ransomware family, discovered during active research on malicious file submissions to VirusTotal. It is designed to illegally extort victims by encrypting all accessible files on an infected system, rendering user data unusable and then demanding a hefty ransom for restoration. Once activated, Midnight Ransomware systematically renames every targeted file by appending the .Midnight extension, so, for example, a file named invoice.pdf would become invoice.pdf.Midnight. This aggressive malware utilizes robust cryptographic algorithms, typically leveraging a combination of symmetric and asymmetric encryption, which makes decryption nearly impossible without a private key stored on the attackers’ remote servers. When the encryption process concludes, the victim will find a ransom note named How To Restore Your Files.txt dropped into affected folders. This note informs users that their files are locked and threatens permanent data loss or public data leaks unless instructions are followed and payment is made within a few days, with late payment resulting in a higher ransom.

Datarip Ransomware is a recent and highly disruptive strain of file-encrypting malware that targets Windows systems, originating from the notorious MedusaLocker family. Once executed on a victim’s device, it systematically scans for documents, images, videos, databases, and many other file types, encrypting them using robust RSA and AES cryptographic algorithms. Following successful encryption, the ransomware appends a unique .datarip extension to every affected file, making them instantly unrecognizable and inaccessible without the decryption key. For instance, a file previously named holiday.jpg becomes holiday.jpg.datarip, clearly signaling to users that their data is under hostage. To further its intimidation, the malware alters the desktop wallpaper and drops a ransom note - RETURN_DATA.html - directly onto the desktop and within folders containing encrypted content, ensuring the victim’s awareness is immediate and persistent. This HTML ransom note sternly warns against using third-party recovery tools, renaming encrypted files, or modifying them, as these actions may result in irreversible data corruption. Compounding the pressure, the criminals claim to have exfiltrated sensitive data and threaten to leak or sell this information unless contact is made and payment arranged within a strict time frame. Contact details, typically anonymous email accounts, are provided for negotiations, where victims are encouraged to send samples for "free decryption" as proof of capability. Datarip’s communication tactics underscore the dual risk of permanent data loss and potential privacy breaches.

APEX Ransomware is a highly disruptive strain of malicious software that targets Windows systems, designed to extort victims by rendering their files completely inaccessible through strong cryptographic algorithms. Detected in the wild by malware researchers and submitted to public repositories like VirusTotal, this ransomware encrypts a wide array of personal and business files, systematically appending a new custom extension, .Apex, to every file it processes, such as transforming report.pdf into report.pdf.Apex. On top of the file modification, it generates a ransom note named APEXNOTE.txt in every folder where encrypted files reside. The encryption employed by APEX employs robust methods—likely using AES or RSA encryption, as with many modern ransomware variants—making unauthorized file recovery virtually impossible without a unique decryption key held by the attackers. The ransom note typically demands a payment of $10,000 in Bitcoin through a specified darknet portal, threatening to destroy the decryption tool if the ransom is not paid within 24 hours.

PANDA Ransomware represents a severe form of crypto-malware designed to encrypt victims’ files and demand exorbitant ransoms in exchange for decryption. Upon executing its malicious payload, this ransomware begins by targeting a wide array of file types and methodically encrypts them using robust cryptographic algorithms, often believed to be advanced AES or similar military-grade encryption. An unambiguous marker of this attack is the addition of the .panda file extension to every compromised file; an image like photo.jpg becomes photo.jpg.panda, signaling to the victim that their data is now inaccessible. Following full encryption, README.txt - a ransom note - appears throughout directories containing locked files and typically is also placed on the desktop. This note contains explicit instructions: pay $50,000 USD in Bitcoin within three days through a TOR-hosted payment portal or risk permanent data loss as the decryption key is allegedly destroyed after the deadline. Simultaneously, the desktop wallpaper is replaced with a visually alarming message urging the victim to consult the ransom note for details.

TXTME Ransomware is a recent and highly disruptive file-locking malware strain belonging to the notorious Dharma family, known for targeting Windows systems through malicious email attachments, pirated software, exploit kits, and especially weakly protected RDP services. Upon successful infiltration, this threat commences a systematic file-encryption routine that renders personal documents, photos, and other files completely inaccessible without the cryptographic key held by the attackers. As part of the encryption process, it alters filenames by appending a unique victim identifier, the attacker’s contact email, and the extension .TXTME; for example, an image file such as 1.jpg becomes 1.jpg.id-XXXXX.[ownercall@tuta.io].TXTME. The ransomware disables the system firewall, deletes Volume Shadow Copies to prevent easy recovery, and gains persistence by creating entries under Windows' Run registry keys while copying itself into the user's local application data folders. Capable of avoiding targets in specific geographic regions by extracting location data, TXTME demonstrates both technical sophistication and a keen awareness of its targets. It employs robust encryption algorithms—typically combining asymmetric and symmetric ciphers used by the Dharma/Crysis lineage—leaving files locked without any straightforward method of retrieval. Victims are then instructed, via two different ransom notes (including a popup and a dropped TXTME.txt file), to contact the cybercriminals and negotiate payment in Bitcoin for data recovery. Both the desktop pop-up and the TXTME.txt ransom note clearly warn users against renaming encrypted files or seeking third-party decryption, threatening permanent data loss for non-compliance.

ARROW Ransomware is a dangerous type of cryptovirus that targets Windows systems to encrypt user data for financial extortion. Upon infection, it systematically scours the device's drives, searching for documents, images, archives, and other commonly used file types, which it then encrypts using strong cryptographic algorithms. During our analysis, it was found that this ransomware appends the .ARROW extension to each encrypted file, rendering previously accessible content completely unreadable—for example, a photo named holiday.jpg would become holiday.jpg.ARROW. After finishing the encryption process, the malware creates a ransom note within every affected folder; this warning is consistently titled GOTYA.txt and instructs victims on how to pay the attackers via a dark web link. Typically, the note claims that file restoration is only possible with a private decryption key stored on the operators’ remote server, and encourages the user to contact the perpetrators and fulfill their ransom demand, most often payable in cryptocurrency. This scare tactic is aimed at pressuring the victim into fast compliance and discourages them from seeking free recovery solutions or reporting the incident to law enforcement, but payment is strongly discouraged by experts since cybercriminals are under no obligation to provide a working decryptor after funds are transferred.

ARCH WIPER Ransomware is a destructive strain of malware that specifically targets Windows systems by encrypting user files and rendering them inaccessible. During infection, it appends the .Arch extension to each file it encrypts, turning a file such as document.jpg into document.jpg.Arch. This behavior helps victims and security professionals identify the presence of the ransomware, even if the actual ransom note is missed. ARCH WIPER Ransomware uses advanced cryptography for file encryption, typically leveraging robust algorithms like AES or RSA, making decryption nearly impossible without the decryption key that the attackers control. Unlike most ransomware, its developers do not demand a ransom for file recovery. Instead, it leaves a unique ransom note labeled WIPED.txt on the infected system, often dropping this note in the victim’s desktop or every affected folder. The note bluntly informs victims that their data is "permanently corrupted and unusable" and insists there is no recovery possible, urging users to reset their device and start over.

Zen Ransomware is a sophisticated file-encrypting malware belonging to the notorious Dharma ransomware family, infamous for targeting both individual users and organizations. Once infiltrated into a Windows system, Zen Ransomware swiftly encrypts valuable files throughout local drives and network shares, using strong cryptographic algorithms that may combine symmetric and asymmetric encryption techniques—typically rendering targeted files irrecoverable without the specific decryption key held by the attackers. As part of its operation, this ransomware appends a distinct extension to locked files: each filename gains a unique string comprised of a victim-specific ID, an attacker’s email address, and the extension .zen, resulting in names like photo.jpg.id-9ECFA84E.[zen_crypt@tuta.io].zen. Critical system files are spared to keep the device operational, but user documents, images, and databases are rendered inaccessible. Following the encryption process, Zen Ransomware generates a ransom note, typically called info.txt, and also triggers a prominent pop-up window, both of which detail the ransom demand and provide instructions for contacting the threat actors. Attackers commonly direct victims to send an email for decryption instructions and offer to decrypt up to three small files as proof of recovery—but warn against renaming files or using third-party tools, threatening permanent data loss if those instructions are ignored.