How to remove Ransomcrow Ransomware and decrypt .encrypted files
Ransomcrow is a ransomware infection designed to encrypt valuable data and blackmail victims into paying money for its retrieval. During encryption, it assigns the .encrypted extension, which is generic to many file-encryptors. To illustrate, a file initially named 1.pdf will change to 1.pdf.encrypted and also drop its icon. After this, the virus creates a text note called readme.txt and also replaces the desktop wallpaper. Information within the generated note is meant to guide victims through the recovery process. The note says a payment equivalent to €50 in Bitcoin must be transferred to obtain special decryption tools and recover the data. Victims can also contact the swindlers directly via the given email address (ransomcrow@proton.me). As a rule, decryption without the help of cybercriminals is very complex or even impossible; the exception is when the ransomware has bugs or flaws that make third-party decryption feasible.

How to remove Payt Ransomware and decrypt .payt files
Payt is the name of a ransomware infection that encrypts system-stored data and blackmails victims into paying money for its return. While doing so, it renames files, appending a unique victim ID, the cybercriminals' e-mail address, and the .Payt or .payt extension. For instance, this is how an image file infected by Payt Ransomware will likely appear: 1.png.[MJ-YK7364058912](wesleypeyt@tutanota.com).Payt. After this, a money-demanding note called ReadthisforDecode.txt is created on the desktop. As stated within this message, victims should write an e-mail to the wesleypeyt@tutanota.com or wesleypeyt@gmail.com address and express their interest in decrypting data. It is also possible to send a test file and get it decrypted for free; this way, cybercriminals seek to illustrate that their decryption actually works and can be relied on.

How to remove World2022decoding Ransomware and decrypt .world2022decoding files
World2022decoding is a recent ransomware infection that was spotted encrypting device-stored data and blackmailing victims into paying money for it. During encryption, all affected files get appended with the victim's personal ID and the .world2022decoding extension. As a result, a previously unaffected file such as 1.png becomes the now-restricted 1.png.[9222911A].world2022decoding. This is only an example, and it can happen to any piece of data, especially documents and databases. Cybercriminals also create a text note called WE CAN RECOVER YOUR DATA.MHT that contains instructions on how to return the files.

How to remove Arai Ransomware and decrypt .araicrypt files
Arai is a malicious program that targets corporate users to encrypt business data and demand that victims pay money for its return. While restricting access to data, the virus appends the .araicrypt extension to files, which also leaves them with blank icons. For instance, a file like 1.pdf would change to 1.pdf.araicrypt and lose its original icon. After this, data becomes inaccessible and no longer usable. Arai's next step is to create a text note called READ_TO_RESTORE_YOUR_FILES.txt. This note explains what happened and how victims can recover from it. In short, cybercriminals inform victims that all important data (databases, customer data, etc.) has been copied and local backups have been deleted. The note also says that in case of non-compliance with the provided instructions, victims will lose the chance to recover the data and will suffer both financial and reputational damage due to the potential publication of the data that may follow. Otherwise, victims should contact the swindlers using one of the given email addresses and pay for decryption (supposedly expensive and in cryptocurrency). In that case, the extortionists promise to wipe the collected data and not publish it.

How to remove Kriptor Ransomware and decrypt .Kriptor files
Kriptor is the name of malicious software categorized as ransomware. Its main purpose lies in the encryption of personal files and the extraction of money from victims. The virus starts by restricting access to valuable data (photos, videos, documents, databases, etc.). It also appends the .Kriptor extension to all affected filenames to mark them as encrypted. For instance, a file previously titled 1.pdf will change to 1.pdf.Kriptor and have its icon reset as well. After this part is done, Kriptor creates a text note (read_it.txt) designed to explain decryption instructions. The desktop wallpaper gets replaced as well. The note says victims have an opportunity to contact cybercriminals using one of the following e-mail addresses, leljicok@gmail.com or kkizuko@yandex.com, and pay for decryption in Bitcoin. The exact price is kept secret and is revealed only once victims reach out to the swindlers. Ransomware developers also offer a free decryption test prior to paying the decryption fee: users are allowed to send up to 3 encrypted files and get them fully accessible in return. This way, cybercriminals try to build additional trust, making victims more likely to pay for decryption.

How to remove U2K Ransomware and decrypt .U2K files
U2K is a ransomware virus designed to render files inaccessible and extort a recovery payment from victims. During encryption, it assigns the .U2K extension and resets the icons of all affected files. To illustrate, a file initially titled 1.pdf will change to 1.pdf.U2K and lose its original icon as well. After finishing encryption, the virus creates the ReadMe.txt text note. This note features instructions on what victims should do in order to return the blocked data. As stated inside the file, the only feasible way of decrypting all data is to purchase a unique decryptor. To retrieve it, victims are guided to download Tor Browser, navigate to the attached website link, and open a support ticket with the cybercriminals. After starting negotiations, extortionists will likely announce the price and instruct victims on further details for payment. Unfortunately, as experience shows, much of the damage (primarily encrypted files) is hard to reverse without the help of cybercriminals.

How to remove Lilith Ransomware and decrypt .lilith files
Lilith is a ransomware infection that encrypts system-stored data and demands payment for file decryption. While rendering files inaccessible, the virus also appends the new .lilith extension to each affected file. For instance, a file named 1.pdf will change to 1.pdf.lilith and have its original icon reset as well. After this, cybercriminals lay out instructions on how to acquire decryption in a text note called Restore_Your_Files.txt. The note says that victims have three full days to contact the developers. This should be done using the Tox messenger in Tor Browser. Should victims fail to meet this deadline, cybercriminals threaten to start leaking the collected data, supposedly to dark web resources. Although the price for decryption is calculated on an individual basis depending on how much valuable data has been encrypted, it still might be quite high considering the ransomware's tendency to target business organizations.

How to remove JENNY Ransomware and decrypt .JENNY files
JENNY is the name of a new file-locker discovered by MalwareHunterTeam. Malware of this kind is normally designed to restrict access to data and demand that victims pay a ransom in crypto. After successfully infiltrating the system, the virus encrypts important pieces of data and also assigns the .JENNY extension. This means a file like 1.pdf will change to 1.pdf.JENNY and have its original icon reset to blank. After this part is done, the ransomware replaces the desktop wallpaper and displays a pop-up window on the screen. Unlike other ransomware infections, JENNY developers do not provide any decryption instructions. Victims are left confused, with absolutely no contact information to use for reaching the cybercriminals. The reason could be that this ransomware is still under development and is likely being tested. This means decryption with the help of developers is impossible and that a complete version of JENNY may be released some day in the future.