Ransomware

Killnet is a ransomware infection designed to encrypt personal data. During encryption, it assigns the .killnet extension, forcing a vivid change in files' appearance. For instance, a file that was originally named 1.pdf will change to 1.pdf.killnet and become no longer accessible after encryption. To follow this stage of attack, the virus creates a text note called Ru.txt with text written in the Russian language. In addition, the ransomware replaces the desktop wallpapers as well. The information given inside this note is vague and does not give any clear guidelines on what victims should do. There are only a number of Telegram handles for different purposes named "donates", "support", and so forth. Normally, the goal of ransomware attackers is to extort money from victims by offering full decryption of data in return.

DAGON LOCKER is a new variant of Mount Locker ransomware. While encrypting access to data, the virus changes all files with the .dagoned extension. For instance, a file originally named 1.pdf will appear as 1.pdf.dagoned and become no longer accessible after encryption. Following this, cybercriminals create the README_TO_DECRYPT.html file to feature decryption instructions. Once opened, the file greets victims with information that all valuable files have been encrypted and exfiltrated to remote servers of cybercriminals. Unless victims contact extortionists using Tor Browser within 72 hours, the collected data may become leaked to the public. Unfortunately, it is usually impossible to decrypt files without the direct help of cybercriminals.

AROS is an infectious program categorized as ransomware. Software of such is designed to run encryption of system-stored data and blackmail victims into paying the so-called ransom fee for decryption. After infiltrating the system, AROS has been observed to assign the new .ARS extension, accompanied by cybercriminals' e-mail and unique victim's ID. To illustrate, a file originally named 1.pdf will experience a change to something like 1.pdf.[5d3e178db8].[luckyguys@tutanota.com].ARS and become no longer accessible. The final step of AROS Ransomware is the creation of How_to_decrypt_files.txt, which is a text note containing decryption guidelines.

Prestige is a ransomware infection that encrypts potentially valuable files and demands victims to pay a fee for recovering them. While making data no longer accessible, the virus appends the .enc extension and changes the original icons of files. For instance, a file like 1.pdf will change to 1.pdf.enc. After this, a text file named README gets created. Within the file cybercriminals let victims know what should be done to recover the files. It is said victims have to write an email message to prestige.ranusomeware@proton.me and include their personally generated ID. Following this, extortionists will give more explicit instructions on how to purchase the decryption tool.

Rs-jon is a ransomware infection that encrypts system-stored data and demands victims to pay 50$ for its decryption. While restricting access to files, it assigns the .rsjon extension. For instance, a file previously named 1.pdf will change to 1.pdf.rsjon and reset its original icon. Following successful file encryption, the virus changes desktop wallpapers and instructs victims to follow instructions inside of the READ_ME_PLZ.txt note.

Lumino_Ransom is a ransomware infection designed to encrypt access to data. During encryption, it appends the .lumino_locked extension to all blocked data. For instance, a file previously named 1.pdf will change to 1.pdf.lumino_locked and become no longer accessible. In addition, the researched variant of Lumino_Ransom Ransomware also created four hundred completely empty files on the desktop (named from Lumine1 to Lumine400 in sequential order). Immediately after successful encryption, the ransomware displayed an untitled note with gradually appearing instructions (both in English and French).

Based on another ransomware called Jigsaw, Roblox Ransomware is a malicious program that functions as a file encryptor. In other words, it runs encryption of system-stored data and encourages victims to perform some actions. Note that this virus has nothing to do with the official Roblox online video game, despite having references to it. While encryption is underway, the file encryptor assigns the .Encrypted_Roblox@mail.com extension, which makes files no longer accessible. Another ransomware variant was also spotted appending the .fun_VB extension instead. For instance, a file previously named 1.pdf will change to 1.pdf.Encrypted_Roblox@mail.com or 1.pdf.fun_VB and reset its original icon. After successfully restricting access to data, Roblox Ransomware displays an executable pop-up window (Jigsaw.exe) with decryption instructions.

CMLOCKER is a ransomware infection that encrypts system-stored data with RSA cryptographic algorithms and appends the new .CMLOCKER extension. For instance, a file previously named 1.pdf will change to 1.pdf.CMLOCKER and reset its original icon. After all files end up access-restricted, the virus creates a text note called HELP_DECRYPT_YOUR_FILES.txt to blackmail victims into paying money for data decryption.