Ransomware

BlackClaw is a recent ransomware infection that uses AES and RSA algorithms to encrypt user's data. Some experts similized it with another file-encrypting virus called Billy's Apocalypse"because of similar ransom note details, however, as research continued, it turned out that there is no correlation with it. BlackClaw is an independent piece that assigns .apocalypse extension to encrypted files. For example, a file like 1.mp4 will suffer a change to 1.mp4.apocalypse. After these changes have been applied, users no longer have access to their data. The next step of BlackClaw after blocking data is dropping a text file (RECOVER YOUR FILES.hta or RECOVER YOUR FILES.txt) that notifies people about encryption. To decrypt files, users have to give 50$ over to bitcoin address mentioned in the note and contact extortionists via the Telegram channel. Thereafter, victims will supposedly get a decryption tool to restore locked files. Although 50$ is not that big amount for ransomware developers, there is still a risk of being fooled and ignored by cyber criminals after making a payment.

Determined by Jakub Kroustek, GNS Ransomware belongs to the Dharma family that encrypts users' data and demands a certain fee to get it back. Likewise other Dharma versions, GNS applies a string of symbols including victim's ID, cybercriminal's email (geniusid@protonmail.ch), and .GNS extension at the end. If an original file like 1.mp4 gets configured by GNS, it will be renamed to 1.mp4.id-9CFA2D20.[geniusid@protonmail.ch].GNS or similarly. The next stage after encryption is presenting victims with detailed instructions on the decryption process. These are incorporated in the FILES ENCRYPTED.txt file or a pop-up window that comes after encryption. Choosing to pay a ransom is also a huge risk since most people get scammed and do not receive promised tools as a result. Our guide below will teach you how to deal with such infections like GNS and create better soil for being protected in the future.

Ragnar Locker is a malicious piece classified as ransomware that encrypts personal data and disables the work of installed programs like ConnectWise and Kaseya, which provide solutions for many Windows services, including data recovery, ransomware protection, and other ways to secure privacy. This is made to slacken the ability of the system to counter ransomware infection. In fact, you will not spot these changes and your data will be locked instantly. The way Ragnar Locker encrypts user's files is by assigning the .ragnar (or .ragn@r) extension with random characters. For instance, the original file named 1.mp4 will be retitled to 1.mp4.ragnar_0FE49CCB and reset its icon as well. After the encryption process gets to a close, Ragnar Locker creates a text file named according to the combination used for encrypted files (RGNR_0FE49CCB.txt). Unfortunately, attempting to use third-parties utilities for decryption, may injure data and lead to its permanent loss. Therefore, the best way to retrieve files for free is to delete Ragnar Locker Ransomware and restore blocked files from backup (USB-storage), if possible.

New wave of STOP Ransomware infection continues with Nile Ransomware, that appends .nile extensions. Those extensions are added to encrypted files in the middle of August of 2019. This tricky virus uses the AES encryption algorithm to encode the user's important information. As a rule, Nile Ransomware attacks photos, videos, and documents - data, that people value. The malware developers extort ransom and promise to provide a decryption key in return. In the ransom note, we can see, that malefactors demand $980 (amount can be reduced if paid within the first 72 hours). Hackers offer victims to contact them via e-mails: gorentos@bitmessage.ch and gorentos2@firemail.cc. In most cases algorithms of Nile Ransomware are unbreakable. But virus code has its flaws. Particularly, if attacked PC lost internet connection during ransomware activity or hackers servers experienced some sort of malfunction, there are high chances to recover your files. In this case, Nile Ransomware generates an offline key, that can be retrieved by special decryption tool - STOPDecrypter.

CONTI is a ransomware-type virus that encrypts user's data and keeps it locked until the ransom is paid. Some security experts indicate, that it can be a successor or Ryuk Ransomware. Whilst the encryption is being made, all files including photos, videos, documents, and other regular data will be altered with the new .CONTI extension. This means that the affected files will look like 1.mp4.CONTI or similarly depending on the original name. After this, successful encryption is followed up with a text file (CONTI_README.txt) that is dropped on the desktop of victims. For the moment, it is almost unreal to decrypt your files for free with the help of additional tools. If possible, you can restore your data from backup storage that was created before the infection. Either way, we recommend you to get rid of CONTI Ransomware to prevent further encryptions.

WastedLocker is a file-encrypting malware categorized as ransomware. Programs within this category block access to stored data and require paying a fee to get decryption tools. When ransomware gets settled on your system, all files (videos, images, documents, text files, etc.) will be updated with new extensions. There is a range of extensions used by WastedLocker to highlight encrypted files. Most basic variants include 3 random letters alongside .***wasted extension at the end. For example, files affected by WastedLocker might get a new look of 1.mp4.bbawasted, 1.mp4.rlhwasted or similar. After this, unlike other ransomware that use one common note to explain ransom details, WastedLocker creates separate notes for each infected file. The best thing you can do safe and definite is to get rid of WastedLocker and try to recover data from external backups, if possible. Follow our guide below to find out how.