How to remove Mammon Ransomware and decrypt .mammon files
Developed by the Makop Ransomware family, Mammon is a dangerous virus that encrypts data for monetary gain. It encrypts personal data with military-grade algorithms and demands a ransom from victims. To show that your data has been restricted, the extortionists append a string of symbols to each file name (random characters, the cybercriminals' e-mail address, and the .mammon extension). To illustrate, an original file like 1.pdf will change to something like 1.pdf.[9B83AE23].[mammon0503@tutanota.com].mammon. As a result of this change, users will no longer be able to access the file. To provide instructions on recovering data, the cybercriminals create a text note called readme-warning.txt in each folder with encrypted data.
How to remove Calvo Ransomware and decrypt .calvo files
Part of the Phobos Ransomware family, Calvo is another malicious program that encrypts personal data. It does so by using military-grade algorithms to cipher the files. Along with that, the virus also assigns a string of symbols to each of the files. This includes the victim's personal ID, the cybercriminals' e-mail, and the .calvo extension to finish the string. For example, a file like 1.pdf will be infected and changed to 1.pdf.id[C279F237-3143].[seamoon@criptext.com].calvo. The same change will happen to the rest of the data stored on a PC. As soon as this part of the infection comes to a close, Calvo creates two ransom notes (info.hta and info.txt) to guide you through the decryption process.
How to remove XHAMSTER Ransomware and decrypt .XHAMSTER files
Developed by the Phobos family, XHAMSTER is a ransomware-type infection that runs data encryption. It does not perform one-way encryption; instead, it offers to unblock the infected data in exchange for a ransom. When it comes to data encryption, the cybercriminals are usually the only ones able to unlock your data. This is why they offer to sell their software, which will help you regain access to your data. Before going deeper into details, it is important to mention how XHAMSTER encrypts your data. Apart from blocking access, it also appends a string of symbols consisting of the victim's ID, an ICQ Messenger username, and the .XHAMSTER extension to the end of each file. To illustrate, a piece of data like 1.pdf will be changed to something like 1.pdf.id[C279F237-2797].[ICQ@xhamster2020].XHAMSTER at the end of encryption. Finally, once this process is done, the virus creates two files containing ransom instructions. One of them, called info.hta, is displayed as a window right in front of the user, while the other, named info.txt, resides on the victim's desktop.
How to remove Qlocker Ransomware and decrypt .7z files
Qlocker is a ransomware infection spotted attacking and encrypting data on QNAP NAS (Network Attached Storage) devices. The virus gets in through security problems, encrypts the stored data, and clears the log traces during the process. This helps the intruders cover their activity and prevents people from detecting the source of infection. Qlocker uses the short .7z extension to mark the blocked data. Interestingly, Qlocker does not touch media files like videos or music in most cases. Its main target seems to be documents and similar types of data that victims are likely to value. During the encryption, all data will become inaccessible and change its name to something like 1.pdf.7z. Then, after this process is done, the virus creates a text note called !!!READ_ME.txt containing ransom instructions. The note says that all files have been encrypted and that the only feasible way to recover them is to purchase (in BTC) the private key stored on the cybercriminals' servers. To do this, users are asked to visit a Tor page and enter their so-called "client-key". Once you visit the page, you will be able to process the payment and receive the recovery tools. Different victims reported different costs of the keys, but, on average, this amount can range up to $1000. Unfortunately, trusting cybercriminals is a huge risk. They can scam you and send none of the promised tools after you make the transfer. It is also not recommended to trust data recovery services claiming they have a way to decrypt your data. Note that there is no official tool that can unlock files encrypted by Qlocker at this moment.
How to remove Encrpt3d Ransomware and decrypt .encrpt3d files
Encrpt3d (a.k.a. WhiteBlackCrypt) is classified as a malicious program that seeks monetary benefit by encrypting personal data. Ransomware might be the most dangerous malware that can get on your system. Its main purpose is to block access to important files and extort money from desperate users (or companies) that want to decrypt their data. Encrpt3d does exactly the same: it encrypts various kinds of data, appending the .encrpt3d extension to each file. For example, a file like 1.pdf will be infected and changed to 1.pdf.encrpt3d. Thereafter, Encrpt3d Ransomware displays a full-screen image stating ransom instructions (highlighted in red). It cannot be removed unless users delete the malicious program itself. In the ransom note, the cybercriminals say that your files are encrypted but can still be accessed again. To do this, the developers attach a BTC address waiting to receive 10 BTC from victims. You are given a specific deadline to complete the transfer. Then, after successfully making the payment, users have to inform the extortionists via the whiteblackgroup002@gmail.com or wbgroup022@gmail.com email address.
How to remove Btcware Ransomware and decrypt .btcware or .gryphon files
Btcware is a popular ransomware family that has produced a number of versions since 2017. The ransomware developed by this group of cybercriminals has evolved to use stronger and more secure algorithms. Since there are many versions of Btcware, the world has seen many types of encryption throughout its existence. For example, older versions applied the old RC4 algorithm, until AES-192 and AES-256 appeared in later samples. The same goes for extensions: each version of Btcware uses a brand new extension different from the others. Traditionally, once the encryption is done, ransomware programs create a text note file containing instructions to recover your data. The name of the note also depends on which version hit your system, but usually it is #_HOW_TO_FIX_!.hta or READ ME.txt. Inside this note, the cybercriminals use clumsy introductions ostensibly meant to explain what happened. Then, they ask victims to contact them via the attached e-mail addresses. Once done, users will receive a set of instructions to buy the decryption software. Some versions of Btcware require 0.5 BTC for data decryption. If you do not have this money to pay, there is a chance that the extortionists will threaten you with permanent loss or abuse of your data. In most cases, files encrypted with AES algorithms are hard to decrypt unless you purchase the private key held by the cybercriminals themselves.
How to remove Ziggy Ransomware and decrypt .ziggy or .optimus files
Ziggy is a new ransomware infection recorded in December 2020. The virus sneaks into your system, disabling all protective layers on your PC. Then, it gets the job done by running data encryption with the AES256-GCM and RSA-4096 algorithms. These ensure strong encryption, which is hard to decipher. Before going deeper into details, it is important to say that there are two versions of Ziggy Ransomware. The first uses the .ziggy extension along with the victim's ID and the cybercriminals' e-mail to rename the data. The later version of Ziggy Ransomware, detected recently, uses the same string of information but changes the extension at the end to .optimus. For example, a file like 1.docx would change to 1.docx.id=[88F54427].email=[khomeyni@yahooweb.co].ziggy or 1.docx.id[B68A285D].[sikbeker@tuta.io].optimus, depending on which version affected your PC. Following successful encryption, the malicious program creates a text file containing decryption instructions. The name of the file can vary from version to version, so there is no commonly used one, but initially it was called ## HOW TO DECRYPT ##.exe.
How to remove Matroska Ransomware and decrypt .happyness or .siliconegun@tutanota.com files
Matroska Ransomware is a malicious program aimed at data encryption. Matroska was active a couple of years ago until it went dormant. After some time, it started a series of new infections on users' PCs. While older examples of Matroska applied the .HUSTONWEHAVEAPROBLEM@KEEMAIL.ME, .happyness, .encrypted[Payfordecrypt@protonmail.com], and .nefartanulo@protonmail.com extensions to encrypted files, recent attacks of this ransomware involve the new .siliconegun@tutanota.com extension. Depending on which version impacted your system, a file like 1.mp4 will change to 1.mp4.happyness or 1.mp4.siliconegun@tutanota.com at the end of encryption. Once this process is finished, the virus goes further and creates a text file (HOW_TO_RECOVER_ENCRYPTED_FILES) with decryption instructions. Like other ransomware infections, Matroska asks victims to pay a fee. The amount may vary from person to person; however, we do not recommend buying their software. Luckily, experts found that Dr.Web (leading antimalware software) is able to decrypt your data legitimately and risk-free. Before doing so, you have to make sure you have deleted Matroska Ransomware from your computer. Only then can you use third-party tools to recover the data. For more information on both removal and data decryption, follow the article below.