Ransomware

Geno Ransomware (a.k.a Djvu Ransomware or STOP Ransomware) encrypts victim's files with Salsa20 (stream encryption system) and appends one of the hundreds of possible extensions including latest discovered .geno. STOP is one of the most active ransomware today, but they hardly talk about it. The prevalence of STOP is also confirmed by the extremely active forum thread on Bleeping Computer, where victims seek help. The fact is that this malware attacks mainly fans of pirated content, visitors to suspicious sites, and is distributed as part of advertising bundles. There is a possibility for successful decryption, however, to date, there are more than two hundred STOP Ransomware variants that are known to researchers, and such a variety significantly complicates the situation.

GoodMorning is a malicious program classified as ransomware. Its main goal lies in earning money on victims whose data has been encrypted with strong ciphers. Usually, victims end up aware of the infection after GoodMorning assigns a new complex extension to compromised files (ending with .GoodMorning). For example, 1.pdf and other files stored on a system will be changed to this pattern 1.pdf.Id(045AEBC75) Send Email(Goood.Morning@mailfence.com).GoodMorning. The ID inside of extensions will differ individually as it is unique to each of the victims. Then, once all files end up encrypted and visually changed, the virus creates a text note called GoodMorning.txt. It is meant to explain broader instructions on how to recover your data. In order to do this, cybercriminals say you should pay an amount in BTC for redeeming the files. There is no specific amount listed in the note as it is yet to be negotiated after contacting swindlers via e-mail (Goood.Morning@mailfence.com). In case no response arrives, victims are asked to use backup e-mails (GooodMorning@tutanota.com or GoodMorning9@cock.li). It is also mentioned by the developers that renaming or decrypting data yourself might lead to permanent loss. Very often it is true - most ransomware programs apply military-grade ciphers that are vulnerable to interference of third-party programs. If there is no proven method on how to approach these ciphers correctly, then third-party attempts to run the decryption can damage such files forever.

Developed by the Djvu family, Miis is a ransomware program that runs extensive encryption of personal data. It uses popular, yet strong algorithms to put the stored files under severe lock. This, therefore, prevents users from succeeding in manual decryption. Knowing that users will not be able to recover files on their own, cybercriminals offer to decrypt data using their tools for a certain amount of money. The details on that are presented inside of a text note called _readme.txt, which is created after Miis assigns new extensions to data. Specifically, it adds the .miis extension so that encrypted files would look something like this 1.pdf.miis. As soon as such changes are done, users will be no longer eligible to access their data.

Discovered by a malware researcher named Glacius_, Babuk Locker (a.k.a. Vasa Locker, Babyk Locker, Babuk Locker) is a ransomware-type virus that targets commercial organizations including business ventures with turnovers equal to 4.000.000$. All because it demands a ransom of 60000-85000$ in BTC to be paid in exchange for the encrypted data. To make sure their victims are unable to decrypt them independently, cybercriminals use a combination of SHA252, ChaCha8, and ECDH algorithms to run secure encryption. Babuk Locker developers run extensive distribution campaigns to cover as many victims as possible. This is why users are also likely to witness other versions derived from Babuk Locker (e.g. Babyk, Vasa, etc). Depending on which version attacked the compromised network, victims will see different extensions applied to encrypted files. Normally, it is .__NIST_K571__; .babyk, or .babuk assigned to each data piece. For instance, a file like 1.pdf stored on a malware-affected device, will change its look to 1.pdf.__NIST_K571__, 1.pdf.babyk, or 1.pdf.babuk at the end of encryption. Then, as soon as this stage of infection is done, the virus creates a text note called "How To Restore Your Files.txt" to each folder with encrypted data.

Neflim is a ransomware infection that encrypts data stored on the compromised devices. By doing so, cybercriminals have a good occasion to blackmail users into paying the so-called ransom. There are two forms of the Neflim virus known at the moment. First appends the .neflim extension, whilst another uses .f1 to rename the encrypted data. Some experts tend to classify these versions as separate ransomware infections, yet they are both parts of the common family. To illustrate how encrypted files are changed, let's take a look at the original 1.pdf data piece. At the end of encryption, it will change either to 1.pdf.neflim or 1.pdf.f1 depending on which versions captured your data. The same encryption pattern will be applied to the rest of the files stored on your device. As soon as all of the data appears under the lock of swindlers, victims have to read instructions on recovering data inside of the NEFLIM-DECRYPT.txt or f1-HELP.txt notes.

Hive is a malicious program classified as ransomware. Its main purpose lies in running file encryption to blackmail users into paying the ransom. This ransom is a certain amount required in exchange for the blocked data. Users can spot that their files have been encrypted by the change of their names. Specifically, victims are seeing a random string of characters along with the .hive extension assigned to each data piece. Such a change makes files encrypted, which declines access to them. To recover the lost access to data, users are instructed to follow the details stated inside of a text note called HOW_TO_DECRYPT.txt. Cybercriminals inform the affected victims that their network has been hijacked, which led to immediate data encryption. To decrypt the compromised files, victims have to contact extortionists via the link attached to the note and purchase the decryption software. The last thing written by cybercriminals is how to avoid irreversible data damage. They say it is forbidden to run any manipulations with your data, e.g. do not shut your PC intentionally, modify or change file names, use third-party software, and many other attempts to erase the encryption.