Ransomware

DeathHiddenTear Ransomware is a file-encryption virus discovered by Michael Gillespie. Being classified as ransomware, it ciphers the entire data (e.g. images, videos, text files, etc.) that is stored on PC or other external devices like flashcards connected to your computer. Ransomware is designed to demand a ransom that needs to be paid to retrieve your files. Alike other ransomware, DeathHiddenTear assigns .encryptedS (for small files) and .encryptedL (to big files) extensions. Most recent variations utilize .enc suffix. To illustrate, after encryption, 1.mp4 will be transformed into 1.mp4.encryptedS and restricts you from opening these files. After that, the program will drop a text file (Decrypt Instructions.txt) onto your desktop which contains the information about the locked data.

Scarab-Danger is a ransomware-type virus that encrypts data and extorts money from its victims. After penetration, it assigns a new .danger extension to each file that was encrypted. As an example, the original 1.mp4 will be changed to 1.mp4.danger. Besides that, Scarab-Danger always updates adding new extensions like .inchin, .btchelp@xmpp.jp, .fastrecovery@xmppp, .fastrecovery@xmpp.jp, .online24files@airmail.cc and many others. Basically, it does not matter which one replaced your file since all of them are for the same purpose. After the virus successfully locks your data, it drops a text file with ransom information. In most cases it is called HOW TO RECOVER ENCRYPTED FILES.TXT.

Besides targetting regular users, Kazkavkovkiz a.k.a. NetWalker a.k.a Mailto also draws its strands towards business figures. Like other ransomware, it encrypts data by assigning a unique extension and dropping a text file as a result. However, instead of using one common extension, it generates various versions according to these patterns - .mailto[kkeessnnkkaa@cock.li].{random-alphanumerical-sequence}, .mailto[sevenoneone@cock.li].{random-alphanumerical-sequence} or .mailto[kazkavkovkiz@cock.li].{random-alphanumerical-sequence}. For example, the non-affected 1.mp4 will migrate to .mailto[kazkavkovkiz@cock.li].14b1 or similarly. In the note, victims are told that their files got heavily encrypted and require a fast decision, otherwise, they will disappear forever. Malefactores have used following naming pattern for ransom note from the beginning {random id}-Readme.txt.

LockBit is a ransomware-type threat that attacks user's data with encryption algorithms and holds it locked until those pay a ransom. To do so, it retitles files with the .lockbit, .lock2bits or .abcd extensions. When finished, the malicious program will generate a text file named Restore-My-Files.txt. This file is saturated with the necessary steps that victims have to do in order to decrypt their data. Firstly, you have to contact cyber criminals via their e-mail, then they will instruct you on how to pay for the decryption software. Besides that, you are allowed to send them any blocked file (not more than 1 MB) so that they could show that they can be trusted. Despite this, it is not recommended to purchase something from extortionists since there have been multiple times when those did not keep their promises and fooled gullible users.

CryLock Ransomware literally forces users to cry about their data that has been encrypted after sudden penetration. Being a variation of Cryakl Ransomware, this is one of the viruses of such type use cryptographic algorithms to ensure strong encryption and demand paying a ransom. Unlike other ransomware, that use one mutual extension for each file, this specific program assigns a new name to affected files that consist of cybercriminal's e-mail, victim's personal ID, and random three-digits extension. For instance, non-infected 1.mp4 will be retitled to 1.mp4[grand@horsef***er.org][512064768-1578909375].ycs, 2.mp4[grand@horsef***er.org][512064768-1578909375].wkm, and similarly. Some victims experienced a change like this 1.mp4[reddragon3335799@protonmail.ch][sel1].[7478ECA4-42759A9D]. Once the process has finished, CryLock will display a window in front of victims that contains ransom details.

If you did not have the appropriate software to fend off ColdLock Ransomware in time, then your files might be already encrypted with the .locked extension. For example, the original 1.mp4 has been changed to 1.mp4.locked once ransomware stroke its configuration with RSA algorithms. Most of the time, decrypting files with third-parties tools is impossible and may be dangerous for them. This is why extortionists force you to buy their software by following the instructions mentioned in a file called How To Unlock Files.txt that is created after encryption. Unfortunately, buying the decryption key may put your finances under risk because cybercriminal activity cannot be trusted. Instead, delete ColdLock Ransomware to prevent further encryption and try to decrypt the affected data through the instructions below.

Translated as Cipher in French, LeChiffre is a relatively old ransomware-type virus discovered in 2015. Unlike other programs, it encrypts users' data by using Blowfish algorithms (instead of AES). After penetration, LeChiffre does a pure classic, it scans your disk for available files (like images, documents, etc.) stored on the system and encrypts them by changing extensions to .lechiffre. For example, the original 1.mp4 will be transformed into 1.mp4.lechiffre. Newer variations also add a random alphanumerical sequence to this suffix. Thereafter, the program creates an HTML file (_How to decrypt LeChiffre files.html) that is automatically opened in a browser or text file (_LeChiffre_BACKUPVO.txt). The note contains information on how to restore your data. To decrypt your files right now, you should contact frauds via the attached e-mail to get further instructions about the payment. Amazingly, but LeChiffre developers break all standards of typical ransomware and claim that they do not need your files and, if you want, you can retrieve them for free within 6 months. Luckily, LeChiffre has been known for a very long time meaning that the blocked data can be unlocked by up-to-date tools.

Being produced by Everbe family, Paymen45 locks down multiple files that are stored on your system and force people to pay a ransom for data retrieval. It was discovered and described by individual Russian security researcher Amigo-A in his blog. Alike other malware of this type, there is no single extension that is applied to affected files. Instead, it uses a random combination of different symbols. The most reset variation looks like this: 1.mp4.g8R4rqWIp9. In this note, extortionists ask you to buy a decryption key (in BTC) through the attached link in the Tor browser. There is also a backup e-mail if you have any questions. If you refuse to buy their software, they intimidate that your data will be spread online. Cybercriminals are usually right when claiming that third-parties software cannot decrypt your files.