Ransomware

Forgive Ransomware is a type of malware that encrypts files on an infected system, effectively rendering them inaccessible until a ransom is paid. Once executed, it targets a variety of file types and appends the .forgive extension to each, making it easily identifiable while also disturbing the user's file structure by altering filenames such as picture.jpg to picture.jpg.forgive. Using advanced encryption algorithms, the ransomware ensures that the files cannot be opened or used without the decryption key that only the attackers possess. An important component of this ransomware is its ransom note, which it leaves in the form of a pop-up window titled ransom_note.txt. This note appears on the user's desktop, demanding a payment of $500 in Ethereum to a specified wallet address with the promise of providing a decryption key in return. Typically, paying the ransom does not guarantee recovery of the files, as victims often find that cybercriminals do not send the necessary decryption keys even after payment.

Discovered by our team of researchers, Hudson Ransomware is a malicious software that encrypts files on infected systems and demands a ransom for their decryption. This ransomware appends filenames with the extension .{victim's_ID}.hudson, rendering files inaccessible without the decryption key provided only upon payment. Victims will typically notice their files, once named something like example.docx, appearing as example.docx.{victim's_ID}.hudson. The encryption methods employed by Hudson Ransomware are highly sophisticated, likely utilizing a combination of asymmetric and symmetric algorithms to ensure that decryption is impossible without the unique private key. Following encryption, Hudson Ransomware leaves a ransom note named README.TXT on the infected device. This file contains instructions on how to recover the encrypted data, typically warning users not to rename files or attempt third-party decryption, as these actions could result in permanent data loss.

Hero Ransomware is a malicious program that belongs to the Proton ransomware family, designed to encrypt user files and demand ransom for decryption. During an attack, it appends infected files with the extension .hero77, which also includes the attacker’s email address. For example, a file named document.docx would be renamed to document.docx.[hero77@cock.li].hero77. This encryption process is sophisticated, as it employs strong cryptographic algorithms that are difficult to break without the decryption key, which is uniquely generated for each victim. Once the encryption is complete, the ransomware displays a ransom note in a text file named #Read-for-recovery.txt, along with altering the desktop wallpaper with instructions to contact the attacker. The note lacks specific details about the encryption or ransom demands, only providing email addresses for contact.

PayForRepair Ransomware is a malicious program part of the notorious Dharma ransomware family. Designed to encrypt user data and demand a ransom for decryption, it appends a distinct file extension, .P4R, to encrypted files. Additionally, it includes a unique victim ID and the attacker's email address in the filename of each compromised file. For example, an original file named document.docx would be renamed to document.docx.id-[uniqueID].[attacker's email].P4R. By utilizing robust encryption algorithms typical of higher-end ransomware, it ensures that files remain inaccessible without decryption. This malware generates ransom notes in two formats: a pop-up window and a text file named info.txt. The latter is deposited into every affected directory. The instructions inform victims about the encryption and guide them to contact the attackers via email to negotiate file recovery terms. Despite offering to decrypt a few files as proof before payment, the ransom note warns users against altering encrypted files or using third-party decryption tools, citing potential data loss risks.

DarkMystic (BlackBit) Ransomware is a malicious software within the BlackBit ransomware family, known for encrypting users' data and demanding payment for decryption. Upon infecting a system, it transforms file names by prepending the attackers' email address and a victim-specific ID, then appends them with a .darkmystic extension. For example, a file named image.jpg might be altered to look like [darkmystic@onionmail.com][123456]image.jpg.darkmystic. Employing strong cryptographic algorithms, typically either symmetric or asymmetric encryption, this ransomware renders files inaccessible without a decryption key—often withheld by the attackers until a ransom is paid, usually in Bitcoin. Victims are directly informed via a ransom note generated in multiple formats—a pop-up window entitled info.hta and a text file named Restore-My-Files.txt, strategically placed on the desktop and within encrypted folders.

Jackalock Ransomware exemplifies a sophisticated type of malware that belongs to the MedusaLocker family, designed to encrypt a user’s files with the intent of demanding a ransom for their release. Once it infiltrates a system, it encrypts the files with strong RSA and AES cryptographic algorithms, rendering them inaccessible to victims who lack the decryption key. An observable characteristic of this ransomware is its tendency to append the .jackalock extension to encrypted files, transforming a file such as image.jpg to image.jpg.jackalock. This alteration of the file extension serves as a marker of encryption and prevents users from opening their files ordinarily. Coupled with encryption, Jackalock leaves a digital ransom note, titled READ_NOTE.html, on affected devices. This message serves as a grim notification to victims, informing them that personal or confidential data has been encrypted and exfiltrated, threatening to leak the data unless a ransom is paid. Victims are encouraged to act within 72 hours to avoid an increased ransom fee, with cyber criminals giving a semblance of assurance by offering to decrypt a few non-important files for free.

Jeffery Ransomware is a form of malicious software that infiltrates a victim's system, encrypts files, and then demands a ransom for their decryption. This particular strain appends a .Jeffery extension to the encrypted files, transforming them significantly—what once was a file named document.txt would become document.txt.Jeffery, thereby rendering the file inaccessible to its owner. The encryption mechanism employed by this ransomware, like many in its class, involves strong cryptographic algorithms that all but prevent file recovery without a decryption key. As part of its modus operandi, the ransomware alters the victim's desktop wallpaper and deposits a ransom note titled JEFFERY_README.txt on the infected system. This note typically instructs victims to contact the attackers via a provided email address to negotiate the return of their files.

VerdaCrypt Ransomware is a sophisticated form of malware designed to encrypt a victim's files, rendering them inaccessible unless a ransom is paid. It employs the .verdant file extension, which is appended to compromised files, indicating that they have been encrypted and are inaccessible to the user. This type of ransomware typically uses advanced cryptographic algorithms to lock data, making decryption without the cybercriminals' unique key virtually impossible. The ransomware delivers its demand and instructions through a text file titled !!!_READ_ME_!!!.txt, which is generally placed in prominent locations such as the desktop or within folders containing encrypted data. This note informs victims of the encryption, threatening data exposure or destruction if payment is not made in Bitcoin. The ransom note often includes contact information, urging the victim to communicate via protected channels like Protonmail for further instructions.