
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove PARKER Ransomware and decrypt .PARKER files

PARKER is the name of a ransomware program designed to encrypt users' data and extort money from victims. It is likely to be a product of the cybercriminals who developed two other devastating file-encryptors named ZORN and MATILAN. Just like them, PARKER creates the same RESTORE_FILES_INFO.txt text note on how to recover encrypted data. During encryption, the virus renames various types of potentially important files in the following pattern: 1.pdf becomes 1.pdf.PARKER, and so forth with other files stored on the system. As a result, the files are no longer usable without a special decryption tool, which has to be purchased from the cybercriminals. Unless victims contact the threat actors via the contact addresses provided and pay the required ransom within 3 days, the attackers threaten to leak the collected data to public resources. This carries a risk of exposing private company information, which can be abused by competitors or other fraudulent figures. Although collaborating with cybercriminals is always advised against, they might be the only figures able to provide full data decryption and somewhat guarantee not to publish sensitive information. Unfortunately, there are no third-party tools that can decrypt your data for free. The best feasible option available is to recover encrypted files from backups stored on uninfected devices (e.g. USB flash drives, other PCs, Cloud, etc.).

How to remove ZORN Ransomware and decrypt .ZORN files

Ransomware is a type of malicious software used to encrypt system-stored data and help its developers extort money from victims. ZORN Ransomware does the same trick and locks down all valuable data using the .ZORN extension. This extension is added to all files that end up being affected by the ransomware. For instance, a file named 1.pdf will change to 1.pdf.ZORN and lose its original icon. The virus also creates a text note (RESTORE_FILES_INFO.txt) and displays a black screen with text before logging into the Windows system. After some investigation, it turned out that ZORN shares almost the same traits as MATILAN, another ransomware variant discussed on our website. Thus, it is reasonable to conclude that ZORN is its successor.

How to remove HOUSELOCKER Ransomware and decrypt your files

HOUSELOCKER is a recent ransomware infection that started its aggressive circulation around the web. Like other malware of this type, it encrypts important system-stored data and then demands that victims pay the so-called ransom for its return. HOUSELOCKER also breaks the default operation of the Master Boot Record (MBR), which is done to prevent victims from booting up to their desktop. As a result, it is not even possible to view what files have been encrypted. To help users restore access to their data, HOUSELOCKER displays a pink-text message on a black screen. The ransom note says victims should purchase a decryption key. The cost is 130,000 Rosecoins to be sent using the attached crypto address. After this, the cybercriminals promise to send the necessary key that activates file decryption. The developers behind HOUSELOCKER Ransomware do not provide any contact information for communicating with them. This is already suspicious and raises a lot of questions about how they are going to send you the key. Thus, we have reasonable grounds to assume that HOUSELOCKER is likely to scam its victims and not recover the data as promised. This is why we would advise you to deal with the infection and try to recover the files yourself.

How to remove blockZ Ransomware and decrypt .blockZ files

blockZ has shown evident traits of ransomware infections. This type of malware is designed to encrypt system-stored data and demand that victims pay money for its decryption. This ransomware does the same, using its own extension (.blockZ) to modify file appearance. To illustrate, a file named 1.pdf will change to 1.pdf.blockZ and lose its original icon. After this, users will no longer be able to access their data. The cybercriminals explain how victims can fix this through the How To Restore Your Files.txt text note. It says victims have one possible way to decrypt the data: contact the ransomware developers and pay some amount of ransom in Bitcoin (not specified in the note) to get a unique decryption tool. In addition, victims are allowed to test the decryption abilities of the cybercriminals' software by sending 1 encrypted file and getting it back fully accessible for free. It is also said that neglecting the instructions may lead to permanent data loss and extra financial costs. As mentioned, the exact amount of ransom is kept secret until victims contact the developers.

How to remove MATILAN Ransomware and decrypt .MATILAN files

MATILAN belongs to the category of ransomware infections. It uses strong encryption algorithms to lock privately stored databases. The main target of MATILAN Ransomware is business networks that store important financial, customer, contact, and other types of data that cybercriminals could later abuse to cause reputational damage. Once data encryption occurs, all affected files are given the .MATILAN extension. For instance, a file like 1.pdf will change to 1.pdf.MATILAN and lose its original icon as well. Then, the ransomware creators urge victims to pay the so-called ransom using instructions presented in the RESTORE_FILES_INFO.txt note. It is said that the only way to decrypt files and avoid the public leakage of important data (which will happen within 3 days of inaction) is to collaborate with the cybercriminals. Victims are guided to contact the developers via the anonymous qTox messenger and follow guidelines on how and how much should be paid to revert the ransomware damage. Unfortunately, there is no way to avoid all the possible damage should victims refuse to work with the cybercriminals. Although encrypted files may be recovered if there is a backup stored on another machine, this does not ensure that the data will not eventually be published.

How to remove WINKILLER Ransomware and decrypt your files

WINKILLER is a disruptive ransomware infection recently reported by MalwareHunterTeam. Instead of encrypting specific types of data, WINKILLER blocks access to the entire computer, making users unable to use it. After successful penetration, the virus starts displaying a console window with instructions on what should be done to restore access. The cybercriminals say that a manual shutdown or restart will permanently damage the Master Boot Record (MBR), which is a sector responsible for loading the system. After this, users will no longer be able to load their system and will most likely lose all of the data stored on the PC. To avoid this and successfully recover the compromised system, the developers demand that victims pay a monetary ransom of 100 Renminbi (about $15). Payment instructions can be obtained by contacting the diskkiller@winkiller.cf e-mail address. Unfortunately, recovering access to the PC might be almost impossible without paying the ransom. The infection leaves limited room for action, as any misstep can lead to irreversible loss of data. Although paying the ransom is usually not recommended, it could be considered in this case to avoid the above-mentioned effects.

How to remove Bozon Ransomware and decrypt .bozon files

Bozon is one of many ransomware infections. This type of malware uses strong encryption algorithms to encipher system-stored data and make victims pay money for its return. To mark the data that is no longer accessible, the cybercriminals add the .bozon extension to the end of file names and turn the original icons blank. After the encryption process is done, the swindlers start extorting money from users. This is done through the FILE RECOVERY.txt text note.

How to remove RED TEAM Ransomware and decrypt .REDTM files

RED TEAM is a ransomware infection tightly connected with the Babuk malware group. The virus operates like many other file-encryptors: by enciphering data with military-grade algorithms and modifying the names of encrypted files. For instance, a file named 1.pdf will most likely change to 1.pdf.REDTM and reset its original icon to blank. The .REDTM extension is only used to change the appearance of all encrypted data in the way shown above. Once the file encryption process is finished, RED TEAM Ransomware creates a text file named HowToDecryptYourFiles.txt to guide victims through the recovery terms.