Ransomware

The epidemic of STOP Ransomware still goes on, with its another successor called Tyos Ransomware. This nasty virus hits thousands of computers all over the world, mostly targeting the USA, Canada, Europe, South Africa, Australia and New Zealand. The most recent version, emerged in the end of March 2023, uses .tyos extension, that it adds to the end of encrypted files. As DjVu Ransomware uses AES encryption algorithm, probability of decryption is low, but exists. Tyos Ransomware damages users' important data: photos, videos, documents, and other types of information, victims are ready to pay ransom for. At the same time, it doesn't touch system files to keep Windows operable. The latest generation of this virus creates a ransom note file called _readme.txt. This file provides general information about the infection, ransom amount, and contact details.

Typo Ransomware is a devastating crypto-virus (variation of STOP Ransomware), that uses the AES-256 asymmetrical encryption algorithm to restrict user access to their files without the key. Malware appends .typo extensions to files make them unreadable and extort ransom for decryption. "Typo" variant appeared in March of 2023 and infected tens of thousands of computers wordwide. Unfortunately, due to technical modifications in the newest version file recovery is impossible without backups. However, there are certain standard Windows features and tools, that may help you restore at least some files. File-recovery software may also be useful in this case. In the text box below, there is text message from _readme.txt file, called "ransom note". Below in the textbox you can get acquainted with the sample of such file. In this file, malefactors disclose contact information, the price of the decryption, and ways to pay the ransom.

Rans-A is a new file-encryptor variant that belongs to the Xorist family. After successfully infiltrating the system, the ransomware will proceed to encrypt potentially important data and add .Rans-A to the original filename. As a result, a previously accessible file like 1.pdf will change to 1.pdf.Rans-A and become access-restricted. The main goal of ransomware is to extort money from victims for the decryption of files. Thus, the virus displays an error message and creates a text file called HOW TO DECRYPT FILES.txt that both show decryption instructions (in Portuguese). Overall, victims are said the only way to retrieve data in its original condition is to contact cybercriminals within the set deadline. Should victims fail to do so by the end of the deadline, the decryption will supposedly be no longer available. In addition, the note also warns victims against deleting, renaming, or reporting the ransom message to any website/authority. Otherwise, cybercriminals' e-mail may end up blocked and no longer accept requests for data decryption. As a rule, upon reaching out to cybercriminals, they set a price that has to be paid for decryption.

The number of queries related to new ransomware activity is growing each day with new infections. This time around, users are dealing with Tycx Ransomware, which is a new and dangerous piece developed by the Djvu/STOP family. This particular version started infecting computers in the second half of March 2023. Its recent activity has encrypted a lot of personal data with strong algorithms. Despite Tycx Ransomware has not being totally inspected just yet, there are some things that are clear already. For example, the virus reconfigures various types of data (images, documents, databases, etc.) changing original extensions to .tycx. This means that all types of data will save its initial name, but change the main extension to something like this "1.pdf.tycx". Once the encryption process gets to a close, you will no longer be able to access your data. In order to regain it, extortionists have scripted the creation of identical notes dropped into encrypted folders or onto a desktop. The name of the note is usually _readme.txt, which contains detailed instructions on how to recover your data.

Tywd Ransomware (the latest version of STOP or Djvu Ransomware) is extremely harmful and one of the most active encryption viruses. More than half of ransomware submissions to ID-Ransomware (ransomware identification service) are made by victims of STOP Ransomware. Although it has been in circulation for a couple of years, the number of infections caused by Tywd Ransomware continues to increase. It may be somewhat ironic, but most of the victims (at the moment) are users of pirated software. The version of the virus, that is under consideration today, adds .tywd extension to files. The malicious program also creates a text file (called _readme.txt) in each infected folder, which explains to the user that his computer is infected, and he will not be able to access his data until he pays a ransom of $980. If the user pays within 72 hours after infection, the ransom is reduced to 490 US dollars. The example of this ransom note is presented below.

Darj Ransomware is a prevalent encryption virus and blackmailer, that targets valuable personal files. Belongs to STOP/Djvu malware group. After infection and data encoding hackers start extorting the ransom. There have been more than 600 versions of the ransomware, each version gets slightly modified to circumvent the protection, but main footprints remain the same. The malware uses AES-256 in CFB mode. Shortly after launch, the STOP family cryptographer executable connects to C&C, retrieves the encryption key and infection ID for the victim's PC. Data is transmitted over simple HTTP in the form of JSON. If C&C is not available (the PC is not connected to the Internet, the server itself is not working), the cryptographer uses the hard-coded key and ID in it and performs offline encryption. In this case, you can decrypt the files without paying a ransom. Variations of STOP Ransomware can be distinguished from each other by ransom notes and extensions it adds to encrypted files. For STOP Ransomware under research today, extension is: .darj. The ransom note file _readme.txt is presented below in the text box and picture. In the article below we explain how to remove Darj Ransomware completely and ways to decrypt or restore .darj files.