Ransomware

Hydra is a ransomware infection that makes users' data inaccessible by running thorough encryption. Besides being unable to access the data, users may spot some visual changes as well. Hydra assigns a new string of symbols containing cyber criminals' email addresses, randomly generated ID assigned to each victim, and the .HYDRA extension at the end. To illustrate, a file like 1.pdf will change its look to [HydaHelp1@tutanota.com][ID=C279F237]1.pdf.HYDRA and reset the original icon to blank. As soon as all files end up encrypted, the virus promotes ransom instructions to guide victims through the recovery process. This can be found inside of #FILESENCRYPTED.txt text note, which is created after encryption. Hydra developers say victims can restore their files by writing to the attached e-mail address (HydaHelp1@tutanota.com or HydraHelp1@protonmail.com). After this, cybercriminals should give further instructions to purchase the decryption of files.

Rigd Ransomware (belongs to the family of STOP Ransomware or Djvu Ransomware) is high-risk file-encrypting virus, that affects Windows systems. In September 2021, the new generation of this malware started encoding files using .rigd extensions. Virus targets important and valuable file types such as photos, documents, videos, archives, encrypted files become unusable. Ransomware puts _readme.txt file, that is called "ransom note" or "ransom-demanding note" on the desktop and in the folders with encrypted files. Developers use following e-mails for contact: manager@mailtemp.ch and managerhelper@airmail.cc. Hackers demand $980 for the decryption of your files (the message states, that victims will get a 50% discount if they'll contact cybercriminals within 72 hours after the encryption). According to many reports, malefactors often don't reply to victims, when they receive ransom payment. We strongly do not recommend paying any money. Files encrypted by some versions of Rigd Ransomware can be decrypted with help of STOP Djvu Decryptor.

Delta Plus is a ransomware-type virus that uses cryptographic algorithms to encrypt personal data. It assigns strong ciphers that are hard to decode without special decryption tools held by cybercriminals themselves. To buy these tools, victims are requested to send the equivalent of 6,000 USD in BTC to a crypto address. The price for decryption may be also reduced to 3,000 USD if you manage to complete the payment within the first 72 hours after being infected. All of this information is disclosed inside of the text note called Help Restore Your Files.txt, which is created as soon as the encryption of files is done. Delta Plus appends the .delta extension to all affected files. For instance, a file like 1.pdf will change to 1.pdf.delta and lose its original icon. After these changes, users will no longer be able to access their files until they pay the required ransom.

Discovered by Tomas Meskauskas, Koxic is determined to be a ransomware infection that operates by encrypting PC-stored data. In other words, the majority of files like photos, videos, music, and documents will be blocked by the virus to prevent users from accessing them. All files encrypted also get new .KOXIC or .KOXIC_PLCAW extensions. This means encrypted files like 1.pdf will change to 1.pdf.KOXIC or 1.pdf.KOXIC_PLCAW. The same pattern will be applied to residual data encrypted by ransomware. After getting things done with encryption, the virus creates a text note that explains ransom instructions. These instructions state victims should contact developers via koxic@cock.li or koxic@protonmail.com e-mails with their personal ID. This ID can be found attached to the ransom note. If there is no such being visible, there is a chance some version of Koxic Ransomware that infiltrated your system is still under development and being tested.

Porn is classified as a ransomware infection that targets encryption of personal data. Files like photos, documents, music, and videos are most likely to be under the scope of encryption by Porn Ransomware. To differ encrypted files from regular ones, developers assign the .porn extension to each compromised sample. For instance, a file like 1.pdf will change to 1.pdf.porn and reset its original icon. After this, the virus starts demanding the so-called ransom to recover your data. This information can be seen in a featured pop-up window or text note called RECUPERAR__.porn.txt. Inside of this note and pop-up window, cybercriminals display the number of files they have decrypted. To erase the assigned ciphers, Porn developers ask victims to send 1 BTC to the attached crypto address and e-mail them with the transaction ID afterwards. Unfortunately, not many victims can afford to pay the price of 1 BTC (42,000 USD).

Koom Ransomware (subtype of STOP Ransomware) continues its malicious activity in December, 2020, and now adding .koom extensions to encrypted files. The malware aims most important and valuable files: photos, documents, databases, videos, archives and encrypts them using AES-256 algorithms. Encrypted files become unusable and cybercriminals start extorting ransom. If the hacker server is unavailable (the PC is not connected to the Internet, the server itself does not work), then the encrypter uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Koom Ransomware creates _readme.txt file, that is called "ransom note", on the desktop and in the folders with encrypted files. Developers use following e-mails for contact: manager@mailtemp.ch and managerhelper@airmail.cc. Hackers demand $980 for the decryption of your files (the message states, that victims will get a 50% discount if they'll contact cybercriminals within 72 hours after the encryption). According to many reports, malefactors often don't reply to victims, when they receive ransom payment. We strongly do not recommend paying any money. Files encrypted by some versions of Koom Ransomware can be decrypted with help of STOP Djvu Decryptor. Dr.Web specialists decrypted files encrypted with some variants of Koom Ransomware in private. Dr.Web does not have a public decoder. Before trying to decode the files, you need to stop the active process and remove Koom Ransomware.