Ransomware

Being part of the STOP/Djvu family, Neon is a ransomware-type virus that puts up a lock on personal data. This version was released in the first days of June 2023. The encryption is done using military-grade algorithms that generate online keys on special servers. This ensures no third-party tools can access the keys to decipher the files. Just like other infections of this type, Neon changes the names of each infected file. It does so by appending a new extension (.neon) to every encrypted piece. For example, a file like 1.pdf will be modified and change its name to 1.pdf.neon after encryption. After this stage of the virus is over - Neon Ransomware creates a text note called _readme.txt containing decryption instructions. A number of other ransomware variants developed by Djvu used the same content for the ransom instructions.

CrossLock is a dangerous malware categorized as ransomware. The activity of this crypto-ransomware started in mid-April 2023. According to the ransom not it is aimed at English-speaking users, but it can spread around the world. This ransomware encrypts user data using a combination of the Curve25519 and ChaCha20 algorithms and then demands ransom in Bitcoins to get the files back. The original name is indicated in the note: CrossLock. The executable file spotted is notepad.exe (can be other random name). Malware was written in the Go language. The extension is added to encrypted files: .crlk. CrossLock Ransomware creates ransom note, that is called ---CrossLock_readme_To_Decrypt---.txt in a folders with encrypted files and on the desktop. Below is the content of this note.

Neqp is a ransomware infection belonging to the Djvu/STOP Ransomware family, that appeared in June 2023. This family has released a number of file encryptors that target various users worldwide. Once the system is penetrated by ransomware, the virus begins scouting for potentially valuable file formats and running data encryption. After the cryptographic encryption occurs, users will no longer be able to access and use their data as before. You may immediately spot the change by looking at the altered names of the files. This specific ransomware assigns the .neqp extension, making a file like 1.pdf change to 1.pdf.neqp and reset its original icon. Usually, Neqp Ransomware and other modern Djvu/STOP versions generate "online" keys, which means full decryption of data is likely impossible without the help of cybercriminals. There are, however, sometimes exceptions to this – which can be found about further below.

Just like many previous versions of this virus, Nerz Ransomware is a malicious program recently developed by the STOP (Djvu) ransomware family, which runs data encryption. Once it gets on your computer, the virus covers all personal data with strong encryption algorithms, so that you could no longer be able to get access to them. Unfortunately, preventing ransomware from blocking your data is impossible unless you have special anti-malware software installed on your PC. In case of its absence, the files stored on your disks will be restricted and no longer accessible. After the encryption process is done, you will see all the files change to 1.pdf.nerz and similarly with other file names. This version of STOP ransomware uses .nerz extension to highlight the encrypted data. Then, as soon as ransomware has stormed through your system and put all the sensitive data under a lock, it goes further creating a ransom note (_readme.txt).

Hidden Ransomware, a variant of the Voidcrypt ransomware family, is a malicious program that carries out its nefarious activities by encrypting data and then demanding ransoms in exchange for decryption tools. As part of the encryption process, all the affected files undergo a renaming process, adopting a specific pattern. The new filenames include the original file name, the email address of the cyber criminals, a unique ID assigned to the victims, and the .hidden extension. For example, a file named 1.pdf would be transformed into something like 1.pdf.[Wannadecryption@gmail.com][random-sequence].Hidden after encryption. In addition to the file renaming, the ransomware drops ransom messages in !INFO.HTA files within compromised folders.

Werz Ransomware (also known as STOP Ransomware) is ruinous virus, whose operating principle is based on strong file encryption and money extortion. There have been more, than 700 versions of this malware, with several major modifications and numerous minor changes. Recent ones use random 4-letter extensions added to affected files, to indicate that they are encrypted. Werz appeared in the very end of May 2023. Since the very beginning, Werz Ransomware has used the AES-256 (CFB mode) encryption algorithm. Depending on the exact extension there are slightly different, but similar removal and decryption methods. Variation under research today uses .werz extensions. Like its predecessors, it creates a ransom note called _readme.txt, below is an example of such a text file.

DarkRace Ransomware, discovered by security researcher S!Ri, poses a significant threat to computer systems and the security of sensitive data. This article delves into the workings of DarkRace, its impact on files, and the implications for victims. By understanding the nature of this ransomware strain, users can better protect themselves against such malicious attacks. DarkRace is a type of ransomware that encrypts files on infected systems, rendering them inaccessible to users. This malware appends a distinct extension, .1352FF327 to filenames and leaves a ransom note in the form of a text file named Readme.1352FF327.txt. Once infected, victims are informed that their data has been stolen and encrypted, and they are threatened with the publication of their sensitive information on a TOR website if the ransom demands are not met.

Weqp is a recent ransomware infection developed by the STOP/Djvu malware group and appeared in the end of May, 2023. Developers behind it have released a number of very similar infections to encrypt users' data and blackmail them into paying money for the recovery. Malware primarily uses a combination of symmetric and asymmetric encryption algorithms to encrypt victims' files. The specific encryption algorithms employed by STOP/Djvu have evolved over time as the malware has undergone several variants and updates. However, the most commonly observed encryption algorithm used by STOP/Djvu is the RSA algorithm for asymmetric encryption. Weqp Ransomware barely differs from other previously developed versions. It encrypts all kinds of important files and alters their appearance with the .weqp extension. To illustrate, a file like 1.pdf will change to 1.pdf.weqp and reset its icon under the virus affection. After this, a text file called _readme.txt ends up created to explain how files can be decrypted.