Ransomware

Discovered in 2020, CoronaLock restricts access to users' data by encrypting it with ChaCha, AES and RSA algorithms. Files compromised by this ransomware, experience a change in extension to either .corona-lock or .biglock. For example, if 1.mp4 gets modified by the virus, it will migrate to 1.mp4.corona-lock or 1.mp4.biglock. After this, extortionists display ransom information in the note (!!!READ_ME!!!.TXT or README_LOCK.TXT) that is dropped on the desktop. Interestingly enough, people who get attacked with ".biglock" extension, do not have any contact information in the ransom note to connect with cybercriminals. It seems like its developers forgot to include it before the release. In the meantime, ".corona-lock" versions do not have that drawback and contain e-mail in the text file. If you want to take a test-decryption, you are free to send them one file.

Also known as Mimicry, ShivaGood Ransomware has by far no good intentions at all because it is designed to encrypt users' data and demand ransom payment in bitcoin. This malicious piece uses special cryptographic algorithms and assigns ".good" extension to multiple files (PDFs, documents, images, videos, etc.). For instance, 1.mp4 will be renamed to 1.mp4.good, and similarly. Once ShivaGood completes the encryption procedure, it will create a text file called HOW_TO_RECOVER_FILES.txt. This note contains information about data encryption. To decrypt it, extortionists ask you to contact them via e-mail and attach your personal ID that is mentioned in the note as well. Once done, frauds will reach back to you with payment instructions to obtain the decryption key. Additionally, cybercriminals propose to unlock 3 files (less than 10 MB) for free. This is a trick to prove their integrity since reality can differentiate significantly. They can simply extort money and forget about their promises.

Soldier Ransomware is a malicious piece that encrypts user's data and gouges their money to decrypt files. It was first discovered by security researcher Amigo-A. During the encryption process, all files get changed with the .xsmb extension that is attached at the end of a file. For instance, something like 1.mp4 will change its name to 1.mp4.xsmb and reset its icon. After all, the ransomware generates a text file (contact.txt) or image (contact.png) on the victim's desktop. As stated in these files, users have to send 0.1 BTC or 4 ETH through the linked address. Additionally, you can send up to 3 files to their e-mail for free decryption. It is also worth mentioning that Soldier Ransomware seems to be created and operated by a single person as the note suggests. Unfortunately, Soldier Ransomware is impossible to decrypt without the involvement of cybercriminals.

Roger is another form of Dharma family that encrypts data with unbreakable ciphers and demands victims to pay a ransom. When it infiltrates your system, all stored data will be retitled with the victim's ID, cybercriminal's e-mail, and .roger extension. To illustrate, a file like 1.mp4 will upgrade to 1.mp4.id-1E857D00.[helpdecoder@firemail.cc].ROGER". Note that IDs and e-mails may vary individually. After the virus finishes the file encryption, it will create a text file called FILES ENCRYPTED.txt on your desktop. In this note, people can familiarize themselves with the steps to unlock their data. For this, you should click on the attached link in the Tor browser and they will get back to you in 12 hours to instruct you on purchasing their decryption software. If not, then you should write to them by using a backup e-mail. Unfortunately, paying for the software might be a trap that will putt your finances under a risk.

PwndLocker Ransomware is a file-encrypting virus created for targeting business networks and local governments. However, regular users can also become a victim of cybercriminals. After penetration, PwndLocker damages settings of multiple Windows Services and encrypts both internal and network data by changing extensions and creating a ransom note. The number of assigned extensions may vary depending on file formats. The virus uses .ProLock, .pwnd or .key extensions, however, it does not make any sense which one altered your files because they implement the same function. For example, in some cases, the original 1.mp4 will be transformed into 1.mp4.ProLock. In other scenarios, the affected data can experience ".pwnd" or ".key" extensions. The ransom note (H0w_T0_Rec0very_Files.txt), that is therefore dropped on the desktop, suggests that your network has been penetrated and encrypted with strong algorithms.

Phobos is a fraudulent organization, that has made a strong statement in the ransomware world. Since 2017, it has piled its collection up to numerous different variations, recent ones include Eight Ransomware, Eject Ransomware, Eking Ransomware, and Iso Ransomware. Like in other ransomware, its developers decided to use a more traditional process of encryption. It scans your system for various file formats like MS Office documents, OpenOffice, PDF, text files, databases, images, videos, and others. Once done, it gets set up for the encryption according to this formula 1.mp4.[ID-random-user-id-number].[cybercriminals-e-mail].{extension}. Depending on which version attacked your computer, extensions may vary between .eight, .eject, .eking, or .iso. Here are some samples of infected files: 1.mp4.id[XXXXXXXX-2776].[use_harrd@protonmail.com].eight; 1.jpg.id[XXXXXXXX-2833].[cynthia-it@protonmail.com].eject; 1.doc.id[XXXXXXXX-2275].[decphob@tuta.io].eking;1.jpg.id[XXXXXXXX-2589].[backup.iso@aol.com].iso. After the encryption completes, users are presented with a text file (info.txt or info.hta) that explains how to decrypt your data.