Ransomware

BackLock Ransomware is a sophisticated malware strain identified by security researchers during investigations on VirusTotal, categorically falling into the file-encrypting ransomware family. Once it infiltrates a system, it proceeds to lock access to valuable data by encrypting files and appending a unique file extension—original filenames are altered with an identifier string followed by .backlock, for example, photo.jpg becomes photo.jpg.{victim's_ID}.backlock. The ransomware employs advanced encryption algorithms, typically based on asymmetric (public/private key) cryptography, which renders files inaccessible without a unique decryption key created during the attack and stored on remote cybercriminal servers. Users quickly notice the compromise, as they are unable to open their files, and every folder containing encrypted files includes a newly dropped README.TXT ransom note, instructing victims on how to establish contact with the attackers and pay for the promised decryption key. This message commonly warns users against using third-party recovery tools, threatening permanent data loss if external help is sought or encrypted files are altered.

ITSA Ransomware is a recently discovered file-encrypting malware that targets Windows users by stealthily locking personal and business files. Upon successful execution, this threat systematically encrypts documents, images, archives, and a wide variety of other file types, then appends the .itsa extension to every compromised item—so files such as holiday.jpg become holiday.jpg.itsa. Creation of its ransom note is an automatic process: after the encryption routine, the ransomware generates a text file called Decryption Instructions.txt and drops it into every affected folder. The note informs victims that their files are irreversibly locked and promises restoration only in exchange for a cryptocurrency payment. Victims are instructed not to alter or rename their encrypted files, threatening that such actions could make decryption impossible. Contact is demanded via the email address ventutusa@gmail.com, with all further extortion details sent by the attacker. ITSA employs strong crypto algorithms—generally a mix of AES and RSA or other modern ciphers—making manual decryption infeasible without the private key, which remains exclusively in the attacker’s possession. Backups and shadow copies are often deleted or rendered useless during the infection process, compounding data loss. This calculated approach makes ITSA particularly dangerous for users and organizations that lack robust backup strategies and multi-layered security measures.

RALEIGHRAD Ransomware is a recently discovered strain of file-encrypting malware, targeting both individuals and organizations by locking access to critical data and demanding payment for its release. Upon execution, it swiftly infiltrates the victim’s device and proceeds to encrypt a wide range of file types, renaming them by appending the distinctive .RALEIGHRAD extension to each one—transforming, for example, document.pdf into document.pdf.RALEIGHRAD. Encryption is typically powered by robust cryptographic algorithms, commonly utilizing a mix of symmetric (AES) and asymmetric (RSA) ciphers, which means only those holding the attackers' private decryption keys can reverse the damage. As part of its intimidation strategy, RALEIGHRAD generates a ransom note named RESTORE_FILES_INFO.txt, leaving copies in affected directories or the desktop to ensure the victim notices the demands immediately. These notes declare that not only are files encrypted, but confidential data has supposedly been exfiltrated, and threaten public exposure if contact isn’t made within three days. Victims are directed to contact the criminals through the qTOX secure messenger for negotiation, leveraging fear of reputational and financial harm to coerce payment. As with most modern ransomware, RALEIGHRAD's authors often combine file encryption with data theft, doubling the extortion leverage. Attackers promise full network decryption and deletion of stolen data upon successful payment, but few guarantees exist that they will honor this, and most experts advise against paying ransoms. Ransom notes often contain intimidating language and specific instructions, preying on victims’ urgency and panic to extract maximum profits.

Bbq Ransomware is a destructive malware strain categorized under the Makop ransomware family, widely recognized for its aggressive data encryption and extortion tactics. Once it infiltrates a victim’s system, it identifies valuable files and encrypts them using robust cryptographic algorithms designed to be virtually unbreakable without the attackers’ cooperation; Makop variants like Bbq typically use a mix of symmetric and asymmetric encryption, making brute-forcing or key guessing ineffective. During this process, .bbq46 is appended to each encrypted file, following a unique pattern: the original filename is suffixed with the victim’s unique ID, the attacker’s email for "customer support", and the new file extension. Files that once ended in common extensions like .docx or .jpg will instead appear as filename.jpg.[victimID].[dashboard487@onionmail.org].bbq46. To further signal the infection, +README-WARNING+.txt ransom note is dropped into most affected directories and displayed on the desktop. The note warns victims not to use third-party decryption tools or antivirus software, threatens permanent data loss, and promises file recovery upon payment. Bbq Ransomware also changes the desktop wallpaper with an extortion message detailing the infection and pointing to the ransomware operator’s contact addresses.

LegionRoot Ransomware stands out as a recently discovered crypto-malware that specifically targets user files to extort payment from its victims. After stealthily infiltrating a system—often via phishing emails, malicious attachments, or compromised downloads—it initiates an encryption process using the RSA encryption algorithm. Notably, each targeted file's name is appended with a string of random characters, such as 1.jpg.ZQJWWm&X&W, rather than a static extension, making it harder for users and automated tools to instantly recognize the infection. Once LegionRoot_ReadMe.txt is generated, typically placed in every affected folder, victims realize their files are inaccessible; documents, photos, databases, and other crucial data become unreadable, and attempts to open them are futile. The ransom note within this text file demands $500 worth of Bitcoin sent to a specified wallet, promising a private decryption key in return. Cyber criminals behind LegionRoot claim that file recovery is impossible without their unique private key, offering to demonstrate their ability by decrypting a single file if contacted.

Bert Ransomware is a strain of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible without a decryption key. This type of ransomware appends the file extension .encryptedbybert to each of the affected files, altering their original filenames into a unique encrypted format. The encryption process employed by Bert is typically quite robust, often using advanced algorithms that make decryption without the proper key virtually impossible. Upon encrypting the files, Bert leaves a ransom note, titled .note.txt, in each directory containing encrypted files. This note serves as a communication tool from the attackers, detailing the compromised nature of the victim's files and providing instructions for contacting the cybercriminals with the intent of obtaining the decryption key. The attackers often exhort victims to reach out via specified communication methods, emphasizing that payment is necessary to recover access to their data.

Mammon Ransomware is a type of malicious software categorized under the ransomware family, which works by encrypting the victim's files and subsequently demanding a ransom for file decryption. This ransomware is notorious for appending its encrypted files with extensions, specifically ending in .aaabbbccc. Victims will notice their files transformed as original names are suffixed with the attackers' email, a unique ID, and the said extension. For instance, a file named 1.jpg could appear as 1.jpg.email-[example@gmail.com]id-[XXXXX].aaabbbccc post-infection. Utilizing powerful encryption algorithms, typically either symmetric or asymmetric cryptography, this ransomware makes decryption challenging without access to the unique key generated during encryption. Upon infiltration, howtoDecrypt.txt - a ransom note - materializes in the system, informing the victims of their locked files. The note usually appears in the directories containing encrypted files, providing instructions on how to pay the ransom and contact the cybercriminals via email or Telegram for decryption.

CRFILE Ransomware is a malicious software belonging to the MedusaLocker family designed to encrypt files on a victim’s computer and demand a ransom for their decryption. Once the ransomware infects a system, it appends a distinctive .CRFILE2 extension to the encrypted files, effectively locking them from access. The encryption process employs a combination of RSA and AES algorithms, which are well-known for their complexity and efficiency in securing data against unauthorized decryption. Upon successful encryption, CRFILE Ransomware generates a ransom note, typically titled READ_NOTE.html, which is placed in accessible directories on the compromised system. This note warns victims against attempting third-party recovery solutions and insists that only the attackers possess the decryption keys necessary to unlock the files.