
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Pandora Ransomware and decrypt .pandora files

Pandora is a ransomware infection previously known under the name Rook Ransomware. The virus uses the RSA-2048 algorithm to encrypt system-stored data and demands money for its decryption. To show that access to files has been restricted, cybercriminals assign the .pandora extension to each affected file. For instance, a file named 1.pdf will change to 1.pdf.pandora and lose its original icon. Following this, the ransomware creates a text file (Restore_My_Files.txt) with instructions on how to recover the data. It says victims should contact the developers (via contact@pandoraxyz.xyz) and pay for special decryption software. According to the cybercriminals, the price depends on how fast the victim writes. In case of refusal to buy the decryption, the fraudsters behind Pandora Ransomware warn they will publish the collected data on dark web markets. Victims can view what data has been collected in Tor Browser via a link provided in the note. While contacting the cybercriminals, victims are also allowed to attach 3 encrypted files before paying the ransom. Pandora developers promise to decrypt them for free to prove the capabilities of their decoder. The ransom note concludes with warnings against trying third-party means of decryption, as this may cause permanent damage to data. In general, decrypting files without the original developers' key is indeed almost impossible.

How to remove TargetCompany Ransomware and decrypt .devicZz, .consultransom, or .avast files

TargetCompany is a new ransomware virus that made its presence known in January 2022. During system infection, the virus terminates many essential Windows processes to prepare the ground for easier encryption of data. The research team analyzed it and concluded that TargetCompany Ransomware uses a combination of the ChaCha20 and AES-128 algorithms to encrypt the stored data. It also appends one of 3 different file extensions to each encrypted file - .devicZz, .consultransom, or .avast. This means a file named 1.pdf can change to 1.pdf.devicZz, 1.pdf.consultransom, or 1.pdf.avast, depending on the individual case. TargetCompany also populates each encrypted folder with a text note called RECOVERY INFORMATION.txt (How to decrypt files.txt for previous versions). A copy of the ransom note is also placed at this path: C:\HOW TO RECOVER !!.TXT. As stated in the note, users should buy a special decryption tool to get their data back. To do this, victims are asked to send their personal ID to one of the e-mail addresses (recohelper@cock.li or mallox@tutanota.com). Victims are also allowed to send a couple of files for free test decryption. After this, the cybercriminals promise to announce the price for the entire decryption and provide instructions on how to buy the decoder. As a rule, files affected by ransomware infections are almost impossible to decrypt for free without the help of the cybercriminals.

How to remove Anime Ransomware and decrypt .anime files

Anime is the name of a cryptovirus. It is designed to render system-stored data inaccessible and no longer usable. Users infected with the ransomware can see the result of the encryption process by looking at the restricted files - all of them end up with the .anime extension. For instance, a file like 1.pdf will be altered to 1.pdf.anime and lose its original icon as well. After finishing the encryption, the virus presents ransom instructions on how to recover the data. They can be found inside a text file called I_LOVE_ANIME.txt. As stated in the note, victims have 2 days to contact the cybercriminals at zdarovachel@gmx.at and pay for the decryption of files. Should victims fail to meet the allocated deadline, all the encrypted data will be published on dark web resources for future abuse. In addition, the ransomware developers also advise against modifying the files or trying to decrypt them without the cybercriminals. At the moment of writing this article, there is no guaranteed way to decrypt the data for free without the help of the original developers.

How to remove Kashima Ransomware and decrypt .KASHIMA files

Kashima (KashimaWare) is a ransomware program - the type of malicious software designed to encrypt data and demand money for its return. Unlike other infections of this kind, the virus targets specific and quite unusual file formats - .config, .cfg, .js, .NOOB, .lua, .lw, and .tryme. It then modifies them with the .KASHIMA extension. For instance, a file like 1.js will change to 1.js.KASHIMA, 1.cfg to 1.cfg.KASHIMA, and so forth with other affected data. As soon as this process is done, Kashima displays a pop-up message (KashimaWare WARNING!) across the whole screen.

How to remove Sorryitsjustbusiness Ransomware and decrypt your files

Sorryitsjustbusiness is the name of a ransomware virus. Like other infections of this type, it encrypts personal data and blackmails victims into paying a ransom. The encryption process may be easily spotted by looking at the affected files. Sorryitsjustbusiness changes their original extensions to random characters and resets their icons to blank. To illustrate, a file like 1.pdf may change to 1.pdf.ws9y, 1.png to 1.png.kqfb, and so forth with other random extensions and files. Following successful encryption, the virus creates a text note called read_it.txt and installs new desktop wallpapers. Both the text note and the wallpapers display information on how to recover the data. Victims are told they must buy an exclusive key to decrypt their files. The cost of this key is a whopping $150,000, to be paid in Bitcoin to the attached crypto address. After the transfer is made, victims should inform the swindlers by sending a message to their e-mail address (sorryitsjustbusiness@protonmail.com). If victims fail to do this within 24 hours of getting infected, the price for decryption will double. It is also mentioned that encrypted files will be deleted after 48 hours of inaction by the victim. Based on the demanded ransom amount, we can assume that Sorryitsjustbusiness targets companies with a good level of earnings. As a rule, it is not advised to trust cybercriminals and pay the ransom they want.

How to remove ANUBIZ LOCKER Ransomware and decrypt .lomer files

Being part of the Babuk family, ANUBIZ LOCKER is a ransomware infection designed to encrypt data. It does so by using secure encryption algorithms and modifying the names of affected files with the .lomer extension. To illustrate, a file called 1.pdf will change to 1.pdf.lomer and have its original icon reset to blank. After successfully restricting access to data, the virus then blackmails victims into paying a ransom. This is done through the How To Restore Your Files.txt text file, which is created on compromised devices. The file says all valuable files have been encrypted and copied to the cybercriminals' servers, and that all backups were deleted as well. Victims can potentially restore their data by purchasing special decryption software offered by the attackers. Victims are instructed to establish contact with the cybercriminals using their e-mail address to get further details on the decryption. Infected users are also allowed to attach one file to their message and get it decrypted for free. Should victims ignore these requests and delay paying the ransom, the cybercriminals threaten to start leaking the collected files to dark web resources.

How to remove Qmam4 Ransomware and decrypt .qmam4 files

Qmam4 is a high-risk infection categorized as a cryptovirus. The reason it is named that way lies in its post-attack behavior - the virus demands that victims pay a sum of money in cryptocurrency after blocking access to their data. Such infections are also known as ransomware. They encrypt personal data and blackmail victims into paying the ransom. During encryption, Qmam4 attaches a string of random characters and the new .qmam4 extension to each affected file. For instance, 1.pdf will change to 1.pdf.{random sequence}.qmam4 and become no longer accessible. Following this, Qmam4 creates a text file called C3QW_HOW_TO_DECRYPT.txt that explains how victims can unlock their data. It says victims can decrypt their data and prevent important files from being sold on dark web resources. To do this, victims are instructed to contact the cybercriminals using the Tor link. After getting in touch with the developers, they will supposedly tell you to send money in cryptocurrency and retrieve a special decryption tool afterward. Should victims refuse to follow the instructions, the collected data will be leaked into the hands of third parties. Unfortunately, collaboration with the cybercriminals might be the only way to decrypt your data and avoid having the exfiltrated data published. It is unlikely that a third-party tool will be able to decrypt your data for free without the help of the attackers.

How to remove ALBASA Ransomware and decrypt .ALBASA files

ALBASA is a ransomware-type virus designed to encrypt system-stored data and blackmail victims into paying money for its return. During encryption, all files acquire the new .ALBASA extension and have their original icons reset to blank. This is also accompanied by the creation of RESTORE_FILES_INFO.txt - a text note containing instructions on how to recover the blocked data.