Ransomware

FileEngineering is an example of ransomware-infection configuring files of victims to restrict access to them. Most of the time, users do not spot malware coming into the systems. Once upon a time, they end up seeing their data changed and locked from regular access. FileEngineering does it this way - by assigning victims' ID, cybercriminal's e-mail address, and .encrypted extension at the of the files. There are two versions of FileEngineering being spread around the web. The only difference is in using different e-mail addresses to contact swindlers. For example, you may see your data appear as 1.mp4.id=[BE38B416] Email=[FileEngineering@mailfence.com].encrypted or id=[654995FE] Email=[FileEngineering@rape.lol].encrypted depending on which version affected your PC. Then, the next step of FileEngineering's activity is creating a note called Get your files back!.txt that contains information regarding decryption. Inside of it, the information is addressed by a so-called security engineer. He says that you should contact him via e-mail and pay some amount of Bitcoin. Then, he will return your files decrypted and give some tips on improving your safety. Before that, you are also allowed to send a small file to prove he can unlock your data. Trusting cybercriminals is always a huge risk, so it is up to you whether you want it or not. If files are not of big value to you, you can simply delete FileEngineering and continue using your PC.

Sun or SunCrypt is classified as cryptovirus attacking systems to encrypt personal data. It started its journey in October 2019 and continues its presence infecting users until these days. The moment SunCrypt can be spotted in your PC is when it changes your files by adding the .sun extension. It was also heard about another version of SunCrypt which applies a string of random symbols instead of extensions. A change to something like this 1.mp4.sun or 1.mp4.G4D3519X58293C283957013M35DC8A2V0748D9845E7A5DBD6590E3F834C4638 means you are no longer allowed to access your data. To recover it back, SunCrypt creates a text notes (DECRYPT_INFORMATION.html or YOUR_FILES_ARE_ENCRYPTED.HTML) that contain ransom instructions. Although SunCrypt is mainly oriented towards English-speaking users, you have a possibility to switch between German, French, and Spanish as well. This by far increases the traffic of victims allowing developers to extend their business. As stated in the note, victims have to install the Tor browser and click on the "Go to our website" to purchase the decryption software. The required fee may vary based on the individual case, however, no matter how low or high it is, we recommend against going for such a risk.

Dharma-259 is a ransomware-type infection belonging to the Dharma family. This group of developers has brought the biggest impact to the malware industry. Having a range of malicious programs, 259 compliments the list, and encrypts personal data with strong algorithms that prevent users from regular access. As a result, all data change its name with a string of digits including personal ID, cybercriminal's e-mail, and .259 extension at the end of each file. For instance, ordinary 1.mp4 will experience a change to something like this 1.mp4.id-C279F237.[259461356@qq.com].259 and reset its default icon. Then, once the encryption process gets to a close, the virus force-opens a pop-up window and creates a text note called FILES ENCRYPTED.txt, both of which contain information upon data recovery. As stated in both pop-up and note, victims have to contact swindlers via e-mail attaching personal ID. In addition to that, you are allowed to send up to 1 file (less than 1 MB) for free decryption. Then, once extortionists receive your message, you will be guided with steps on how to purchase decryption software. Sometimes, the required fee may skyrocket beyond the limits, becoming unaffordable for most of the users. Even if you are ready to enrich cybercriminals buying their software, we recommend you against it, because most users report a high-risk of being fooled and not obtain any tools to restore the data at all.

Developed by a group of Turkish extortionists, SifreCikis is a ransomware infection encrypting personal data and demanding a fee for recovery. It creates a strong cipher on sensitive data using AES and RSA algorithms. As a result, the decryption of files becomes hard to pull off, even with third-party tools. All data encrypted by SifreCikis obtains a new extension based on these patterns: .{random-alphanumerical-sequence}. For example, a file like 1.txt will change to something like this 1.txt.E02F4934FC5A. Then, after the encryption is done, users encounter a note called ***NA*** that contains ransom instructions. Unfortunately, the content of the note is hard to conceive for non-native speakers, however, a group of researchers translated it and outlined some key information. It claims that you should contact cyber criminals via e-mail and attach your personal ID in the message topic. Then, you will receive further instructions to purchase the decryption software (500$ in BTC). If there is no response from the extortionists, you should read the information through the link in the Tor browser. Malware researchers spotted the domain name starting with sifrecikx, which is consonant with sifre cikis (meaning "cipher/password + exit" in Turkish). Also, during the investigation researchers defined that SifreCikis could be a brother of SifreCozucu, as it looks very similar having minor differences.

Lisp Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is extremely dangerous virus that encrypts files using AES-256 encryption algorithm and adds .lisp extensions to affected files. The infection mostly involves important and valuable files, like photos, documents, databases, e-mails, videos, etc. Lisp Ransomware does not touch system files to allow Windows to operate, so users will be able to pay the ransom. If the malware server is unavailable (the computer is not connected to the Internet, remote hackers's server does not work), then the encryption tool uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Lisp Ransomware creates _readme.txt file, that contains ransom message and contact details, on the desktop and in the folders with encrypted files. Developers can be contacted via e-mail: helpmanager@mail.ch and restoremanager@airmail.cc.

Tripoli classified as a ransomware infection meant to cause encryption of personal data. Usually, the main target is photos, videos, documents, and other files that can store sensitive data. After this virus attacks your system, all files will be affected by the .crypted extension. Some victims reported that extension like .tripoli also exists, meaning that there are two versions of Tripoli Ransomware. In fact, does to matter which one penetrated your PC, because the way they work is almost the same. As a result of encryption, all files will be restricted from regular access, users will no longer be able to open or change them. To fix it, extortionists are offering to run through the steps listed in a text note (HOW_FIX_FILES.htm). The steps oblige victims to install the Tor browser and purchase decryption software following the attached address. The decision on making the payment has to be done within 10 days. We insist against acting on fraudulent steps as there is no guarantee that they will send you the promised tools. A better way is to delete Tripoli Ransomware and restore the lost files from an external backup (USB storage). If you do not have one, try using the guideline below to access your data.