Ransomware

A new ransomware infection known as DEcovid19 has come to the web and caused a lot of attacks on unprotected PCs. The virus was reported on 11th January by desperate victims with data encrypted. Based on current information, it is clear that DEcovid19 blocks access to data by changing file extensions to .covid19 or .locked. An example of the original 1.mp4 impacted by ransomware may appear in two ways: either as 1.mp4.locked or 1.mp4.covid19. Once the encryption process gets to a close, the malicious program creates a text note (!DECRYPT_FILES.txt or ATTENTION!!!.txt) meant to explain decryption instructions. Inside, users can see a quick skim through the virus information. The next part of the text is dedicated to restoring your data. Users are said to contact the telegram bot attaching personal ID in the subject line and writing how many PCs need to be decrypted. It is also necessary to send 1-2 encrypted files that do not contain important information (less than 2MB) so that cybercriminals could match up the right decoder for your data. The last, but not least said by swindlers is time boundaries - you have 72 hours to make a decision and pay for the decryption key.

Fair Ransomware is one of many dangerous pieces that encrypts personal type of data. It belongs to the malware family known as Makop, which has developed a number of similar infections. Once Fair Ransomware attacks your system, it installs certain scripts, which block access to multiple files by assigning unique extensions. These extensions consist of a personal ID number, [fairexchange@qq.com] suffix, and .fair at the end of each file. An example of the original sample that experienced these changes looks like this 1.mp4.[9B83AE23].[fairexchange@qq.com].fair. Whilst the access to data is no longer in users' hands, extortionists create a text file called readme-warning.txt in each folder containing encrypted files. Inside of this note, cybercriminals briefly explain to confused people what has happened to their PCs. Then, the creators of Fair Ransomware tell it is necessary to buy the decryption software (in BTC) to regain control over the data. They also offer to take part in the so-called "guarantee check", allowing users to decrypt 2 files of limited size for free. Unfortunately, even though such tricks should justify the integrity of swindlers, statistics are out to say the opposite.

Also known as WickrMe, Hello Ransomware is a dangerous virus that encrypts personal data (photos, videos, documents, etc.). Alike other infections of this sort, it also demands a fee to be paid after encryption. However, before that Hello Ransomware changes your files with the new .hello extension. No extra symbols are included, so your files will look like this 1.mp4.hello and similarly. Then, once such changes are over, the virus creates a text note (Readme!!!.txt) containing ransom instructions. Within this document, users are instructed to contact cyber criminals via attached e-mails or Wickr Me (a private messenger). Therefore, they will receive a list of steps to perform the payment and recover the compromised data. Unfortunately, although ransomware developers are usually the only figures able to decrypt your data, we do not recommend implementing the required payment. Otherwise, it may appear to be a waste of cash since there is no guarantee you will get the promised decryption. Statistically, extortionists ignore users even after completing all of the steps. Thus, it is necessary to delete Hello Ransomware from your computer to prevent further data decryption.

Dharma is a ransomware family considered to be the biggest developer of ransomware infections. Lots of versions have been found attacking users with data encryption and ransom-demand messages. However, one of the recent versions spotted being active around is known as yoAD Ransomware. Alike similar viruses of this type, it assigns the new .yoAD extension with random ID and cybercriminals' e-mail to each piece of data stored on a compromised PC. For example, the original file like 1.mp4 will get a look of 1.mp4.id-C279F237.[yourfiles1@cock.li].yoAD, or similarly. Such changes make your files are no longer accessible as any attempts to initiate them will be denied. Then, once this process gets to a close, the virus steps in with the creation of text instructions. They are presented in the FILES ENCRYPTED.txt document right on your desktop. As extortionists claim, the only way to restore your data is by contacting them via e-mail. Then, they will supposedly give you a crypto-wallet to send money in Bitcoin. After this, you will be given the necessary tools to restore your data. Unfortunately, this method does not fit everybody because amounts asked by cybercriminals can be astronomically high and not easy to pay.

Crypto-Locker Mijnal is a ransomware-type infection that encodes personal data with AES+RSA algorithms. The application of such means that the assigned cipher is hard to break using traditional methods. In other words, it makes sure manual decryption does not take place after data is locked. Unfortunately, in most cases, it appears to be impossible indeed, but you should give it a try after reading this text. Alike other infections, Mijnal encrypts your data by changing a file extension to .mijnal. For example, a sample like "1.mp4" will be altered to "1.mp4.mijnal" and reset its original icon. After the encryption process gets to a close, the virus creates a text note called "README_LOCK.txt" that contains redemption instructions. The information presented inside is written in Russian, which means that developers mainly focus on the CIS regions. However, there are some English users that may be affected by it as well. If you are willing to decrypt your data as soon as possible, cybercriminals ask victims to open the attached link via the Tor browser and follow the instructions right there. Then, extortionists will more likely ask you to pay a certain amount in Bitcoin to gain access back to your data. Despite paying the ransom is usually the only method to overcome data encryption, we recommend against meeting any requests as it can be dangerous for your pocket and privacy as well.

Leitkcad is a pure example of crypto-malware that runs encryption over personal data to garner a so-called ransom. The most vivid symptoms hinting at the Leitkcad's presence is the assignment of .leitkcad extension. In other words, it will be seen at the end of each file affected by malware. For example, a file like 1.mp4 will be changed to 1.mp4.leitkcad and reset its original icon. Then, once all of the files are changed, the virus moves to the next phase creating a note called help-leitkcad.txt. It contains information on the encryption as well as instructions to restore your data. Cybercriminals say that you should contact an operator and fill in your ID, personal key, and e-mail via the chat page. The link to it can be opened only by using the Tor browser, which has to be downloaded by victims. Then, after establishing contact with cybercriminals, you will receive further instructions on how to purchase the decryption software. Also, it is worth-noting that rebooting and altering encrypted files can lead to permanent loss. Extortionists set certain algorithms that help them detect your activity. This means that if you refuse to comply with any of the above warnings, your files will be deleted momentarily.

A new cryptovirus known as LuciferCrypt stepped into the game a couple of days ago to encrypt personal data. As long as the study goes, it is already evident that this ransomware restricts access to data by assigning a long-string extension (.id=[].email=[].LuciferCrypt). A quick illustration of an infected sample would look like this 1.id=0ED53ADA.email=cracker.irnencrypt@aol.com.LuciferCrypt.mp4. After the encryption process is done, the virus continues its presence creating a text file called HowToRecoverFiles.txt. Within this document, extortionists are notifying victims about successful encryption. To revert it, victims should contact cyber criminals via e-mail and pay a fee to recover the files. Once done, your data will be decrypted automatically, without involving any manipulations. It is also said that the price directly depends on how fast you reply to the swindlers. Before doing that, you are also allowed to take advantage of free decryption. Developers offer to send up to 3 files (less than 4MB and non-archived), which should not contain valuable information.

After Pump Ransomware attacks your system, all data become chained by strong algorithms restricting access to it. The malware appends .pump extension to the files it encodes. For example, a file like 1.mp4 will acquire a new look of 1.mp4.pump and reset its original icon. The extension applied in the end means that your files are under encryption. Such modifications are usually accompanied by the creation of ransom instructions. In our case, the virus drops a text file called README.txt that will help you recover the files. The content presented inside is short, cybercriminals only attached their e-mail address to call victims into contacting them. Then, they will supposedly give further instructions on how to purchase the decryption software. No matter how far the price goes, complying with the requests of swindlers is risky - they may become foolish in their promises and leave you no tools even after making a payment.