Ransomware

Being a dangerous ransomware virus, Rook targets data encryption and tries to blackmail users into paying the ransom. The virus is easy to distinguish from other versions as it assigns the .rook extension to all blocked data. This means a file like 1.pdf will change to 1.pdf.rook and reset its original icon upon successful encryption. Right after this, Rook Ransomware creates a text note named HowToRestoreYourFiles.txt showing users how they can recover the data. The text note content says you can restore access to the entire data only by contacting swindlers and paying the money ransom. Communication should be established by e-mail (rook@onionmail.org; securityRook@onionmail.org) or TOR browser link attached to the note. While writing a message to cyber criminals, victims are offered to send up to 3 files (no more than 1Mb) and have them decrypted for free. This way cybercriminals prove decryption abilities along with their trustworthiness to some extent. Also, if you contact extortionists within the given 3 days, cybercriminals will provide a 50% discount for the price of decryption. Unless you fit in this deadline, Rook developers will start leaking your files to their network to abuse them on darknet pages afterward. They also say no third-party instruments will help you recover the files.

If you cannot open your files and they've got .rigj extension added at the end of the filenames, it means your PC is infected with Rigj Ransomware, the part of STOP/Djvu Ransomware family. This malware is tormenting its victims since 2017 and has already become the most widespread ransomware-type virus in history. It infects thousands of computers per day using various methods of distribution. It is using a complex combination of symmetric or asymmetric encryption algorithms, removes Windows restore points, Windows previous versions of files, shadow copies and basically leaves only 3 possibilities for recovery. The first is to pay the ransom, however, there is absolutely no guarantee, that malefactors will send the decryption key back. The second possibility is very unlikely, but worth trying - using a special decryption tool from Emsisoft, called STOP Djvu Decryptor. It works only under a number of conditions, that we describe in the next paragraph. The third one is using file-recovery programs, which often act as a workaround for ransomware infection problems. Let's observe the ransom note file (_readme.txt), that the virus places on the desktop and in the folders with encrypted files.

HarpoonLocker is the name of a recent ransomware infection reported by users on malware forums. The virus runs encryption of data with AES-256 and RSA-1024 algorithms making all restricted data cryptographically secure. As a result of this configuration change, users will be no longer able to access their own data stored on infected devices. HarpoonLocker assigns the .locked extension, which is commonly used by many other ransomware infections. This makes it more generic and sometimes hard to differ from other infections like this. It also creates a text note (restore-files.txt) containing ransom instructions. Developers say all data has been encrypted and leaked to their servers. The only way to revert this and get files back safely is to agree on paying the ransom. Victims are instructed to download the qTOX messenger and contact extortionists there. There is also an option to try decryption of 3 blocked files for free. This is a guarantee given by cybercriminals to prove they can be trusted. Unfortunately, there are no other contacts apart from qTOX that victims could use to get into a discussion with cybercriminals. Many cyber researchers joked that HarpoonLocker should also be called Unnamed qTOX Ransomware since there is nobody victims can talk to. For this and many other reasons, it is highly advised against meeting the listed requirements and paying the ransom. Quite often cybercriminals fool their victims and do not send any decryption tools even after receiving the money.

Being part of the DJVU/STOP family, Robm is a new ransomware infection targeting data encryption. Just like other malware of this type, STOP Ransomware of this version appends its own .robm extension to encrypted files. To illustrate, an innocent file like 1.mp4 will change to 1.pdf.robm, and similarly with other files. Developers of ransomware infections pursue monetary benefits - this is why there are providing paid instructions to decrypt your data. This information can be found in a text note (_readme.txt) created in each folder with the encrypted files. Inside of it, developers give a condensed summary of what happened to your PC. It is said that all of your pictures, databases, documents and other valuable data were encrypted with strong algorithms, but can be returned. To do this, victims should purchase the decryption tool along with a unique key held by cybercriminals. The original price equals 980$, however, it can be decreased by 50% if you contact swindlers during the first 72 hours. Before doing so, you can also get a video overview of the decryption tool and send 1 random file (that does not contain valuable intel) to test whether developers can decrypt your files for free. Unfortunately, there is no guaranteed way to decrypt files without the involvement of cybercriminals themselves. No other software provided by anti-malware companies can match the necessary ciphers to unlock data affected by Robm.

First found and researched by an independent expert named S!R!, NoCry is a ransomware program designed to run data encryption. It is a very popular scheme employed by ransomware developers to extort money from victims upon successful restriction of data. For now, there are two known versions of NoCry differing by extensions assigned to blocked data. It is either .Cry or .IHA extension that will be appended to encrypted files. For instance, 1.pdf will change its look to 1.pdf.Cry or 1.pdf.IHA and reset its shortcut icon to blank after getting affected by malware. Extortionists behind NoCry Ransomware demand payment for returning the data via an HTML file called How To Decrypt My Files.html. It also force-opens a pop-up window that victims can interact with to send the ransom and decrypt their data. The contents of both are identical and inform victims about the same. NoCry gives about 72 hours to send 100$ in BTC to the attached crypto address. If no money will be delivered within the allocated timeline, NoCry will delete your files forever. This is an intimidation strat meant to hurry up victims and pay the demanded ransom quicker.

One of the main computer threats today is ransomware. Those are devastating computer viruses, that encrypt users' files using various cryptographic algorithms and extort ransom money for the decryption key. It is especially sensitive for users, as it attacks either personal files such as videos, photos, music, or business data such as MS Office file formats, e-mails, databases. Such files can be crucial for business operation or extremely important personally as part of family memory. Malefactors can demand from several hundred to several thousand dollars as a ransom. STOP Ransomware is officially the most widespread and therefore most dangerous ransomware threat. There've been more, than 350 versions of this virus in 3 years. Each variation infects thousands of computers, and there are millions of victims of this nasty malware. In this article, we will explain typical methods to fight Pqgs Ransomware and decrypt affected files. In today's focus, versions of STOP (DJVU), that add .pqgs extensions. Recent samples use a very similar pattern to infiltrate PCs and encrypt files. After encryption ransomware creates file (ransom note), called _readme.txt. By this file users are informed, that they've been infected by Pqgs Ransomware and need to pay from $490 to $980 to return their files. Fortunately, there is a workaround, that may help you recover your data without paying the ransom.