Ransomware

OBZ is a ransomware-type virus that encrypts access to data and blackmails victims into paying money for decryption. At the time of encryption, the virus alters targeted files with the .OBZ extension. For instance, a file originally named 1.pdf will turn into 1.pdf.OBZ or 1.pdf.obz depending on which ransomware version penetrated the system. In addition, victims also reported seeing a malicious process named Traffic Light in Windows Task Manager. Once the encryption process gets to a close, OBZ Ransomware creates a text document (ReadMe.txt) that features decryption instructions. It is worth noting that the content of this ransom note is identical to other previously discovered U2K and MME ransomware, which may indicate that OBZ was developed by the same group of developers.

CryWiper is a devastating virus that damages the configuration of data to make it inaccessible and then demands money from victims for fake decryption. CryWiper developers disguise their software as ransomware that encrypts data, however, it is in fact a data wiper that simply corrupts the files. While running "encryption", the virus deletes all shadow copies from the root drive and appends the new .CRY extension to highlight the files. For instance, a file originally named 1.pdf will turn into 1.pdf.CRY and become permanently damaged. After this, CryWiper creates a file called README.txt with misleading decryption instructions. It is known that CryWiper avoids damaging .exe, .dll, .lnk, .msi, and .sys files and others stored in Boot, System, and Windows directories. In addition, this virus has also been observed getting distributed via the browserupdate.exe malicious file, programmed in C++ language, and targetting organizations that are localized in Russia.

Beijing is a ransomware-classified infection that encrypts access to data and demands that victims pay money for its decryption. This file encryptor is also likely released by the same cybercriminals who previously developed another ransomware named LeakTheMall. During encryption, victims will see their files change visually - it is the new .beijing that will be eventually added to them. For instance, an originally named 1.pdf will change to 1.pdf.beijing and become no longer accessible. After this, the virus creates text instructions in !RECOVER.txt explaining what should be done to recover the data.

Trigona is the name of a ransomware virus that encrypts data of corporate users (e.g., companies) and demands money for file decryption. During encryption, it appends the new ._locked extension (for instance, 1.pdf._locked) and creates a file named how_to_decrypt.hta after successful completion. This file contains instructions with steps on what victims should do to decrypt their data. It is said all critical information, such as documents, databases, local backups, and so forth has been encrypted and leaked. Cybercriminals also mention that file decryption is impossible without their direct involvement. Also, it is mentioned that data of those who refuse to collaborate with cybercriminals will be sold to figures potentially interested in its abuse. To prevent all of this, threat actors guide victims to open a decryption page via the TOR Browser and contact the ransomware developers.

Bazek is a virus infection that features all the traits inherent to ransomware. Put simply, it encrypts access to data (using AES-256 algorithms) and asks victims to contact cybercriminals in order to get a special decryption key. During encryption, the virus also assigns the new .bazek extension to each targeted file. To illustrate, a file named 1.pdf will change to 1.pdf.bazek and lose its original icon as well. Depending on what version of Bazek Ransomware attacked the computer, it will either create a text note called README.txt or display a pop-up window with similar decryption instructions.

Also known as Sullivan, RansomBoggs is a ransomware infection designed to encrypt data and demand payment for decryption afterwards. Recent research showed that this virus has had numerous attacks on various organizations placed in Ukraine. During encryption, RansomBoggs renames all targeted files with the .chsch extension. For example, a file originally titled as 1.pdf will change to 1.pdf.chsch and become no longer accessible. Following this, the ransomware also creates its own note (SullivanDecryptsYourFiles.txt) with decryption instructions.

SEX3 is a computer virus classified as ransomware. Also, it was discovered to be a new version of another file encryptor called SATANA Ransomware. Software of this type is developed to encrypt potentially valuable data and demand file owners to pay money for their decryption. While running encryption, SEX3 Ransomware is programmed to alter targeted files with the .SEX3 extension. This is simply a visual change to highlight blocked data on top of successful encryption. After this, the virus changes the desktop wallpapers and also creates a text note called !satana!.txt that contains short instructions about how to unlock access to files.

Onelock is a ransomware infection developed by the Medusa ransomware family. Its purpose is to encrypt access to potentially important data (using RSA and AES encryption algorithms) and extort money from victims for full decryption. While rendering files inaccessible, the virus adds the new .onelock extension, which would make a file like 1.pdf change to 1.pdf.onelock and reset its original icon. The same pattern applies to other files that get targeted by the infection. After successful completion, Onelock creates the how_to_back_files.html file to feature decryption instructions. Overall, it is said that ransomware developers are the only figures able to decrypt victims' data. For this, victims are therefore instructed to contact cybercriminals using a chat link in Tor Browser (or e-mail) and pay some specified amount of ransom.