How to remove DEMON Ransomware and decrypt .DEMON files
DEMON Ransomware is a pernicious form of malware discovered by GrujaRS that encrypts users' files using strong encryption algorithms, rendering them inaccessible without a decryption key. Often infiltrating computers through spam campaigns, fake software updaters, and untrusted download sources, it adds the .DEMON extension to each encrypted file. For example, document.docx becomes document.docx.DEMON, clearly marking the files as compromised. After encryption, the ransomware creates a README.txt file in all directories containing encrypted files and displays a ransom note in a pop-up window, demanding a hefty $10,000 in Bitcoins to decrypt the affected files. According to the ransom note, victims have a narrow window of 600 minutes (10 hours) to comply, or their data will be destroyed or sold to third parties.
How to remove LUCKY (Makop) Ransomware and decrypt .LUCKY files
LUCKY Ransomware, discovered as part of the Makop ransomware family, is a malicious program designed to encrypt files and demand ransom from the victims for their decryption. Once it has infiltrated a system, it appends a unique ID, the attackers' email address, and a .LUCKY extension to each encrypted file's name. For instance, a file named document.jpg would be renamed to something like document.jpg.[uniqueID].[givebackdata@mail.ru].LUCKY. After file encryption is completed, the ransomware generates a ransom note titled +README-WARNING+.txt, typically found in multiple directories on the infected device. This note informs the victim that their files have been encrypted and provides instructions for contacting the attackers and making the ransom payment, often in cryptocurrency like Bitcoin.
How to remove Devil Ransomware and decrypt .devil files
Devil Ransomware is a malicious program and part of the broader Phobos ransomware family. It renames encrypted files by appending the victim's ID, the developer's email address, and the .devil extension to filenames. For instance, a file named image.jpeg would be altered to image.jpeg.id[unique-ID].[email].devil. This ransomware employs strong encryption algorithms, typically AES-256, to lock users' files, making them inaccessible without the unique decryption key held by the attackers. Upon infection, Devil Ransomware generates a ransom note in the form of a text file named info.txt and a pop-up window using info.hta. These notes provide instructions on contacting the cybercriminals and making a ransom payment, usually in Bitcoin, in exchange for the decryption tool.
How to remove Saturn Ransomware and decrypt .saturn files
Saturn Ransomware is a sophisticated type of malware designed to encrypt files on infected systems and demand a ransom for their decryption. It was first identified by MalwareHunterTeam and operates as a Ransomware as a Service (RaaS), allowing cybercriminals to freely distribute the malware in exchange for a cut of the profits. Upon infecting a system, Saturn Ransomware appends the .saturn extension to the filenames of encrypted files, rendering them unusable (e.g., sample.jpg becomes sample.jpg.saturn). While it is currently unclear whether it uses symmetric or asymmetric cryptography, the encryption is robust, creating unique keys for each victim that are stored on a remote server controlled by the attackers. After successfully encrypting files, Saturn Ransomware creates several ransom notes, including #DECRYPT_MY_FILES#.txt, which are placed on the desktop of the infected machine.
How to remove 1BTC Ransomware and decrypt .1BTC files
Discovered by Jakub Kroustek, 1BTC Ransomware is a malicious variant that stems from the infamous Dharma ransomware family. It operates by encrypting a vast array of files stored on the victim's system using the RSA-1024 encryption algorithm, making them inaccessible without a unique decryption key. Upon successful encryption, 1BTC appends to each filename a suffix that includes the victim's unique ID, the developer's email address, and the .1BTC extension. For example, a file originally named "sample.jpg" might be renamed to sample.jpg.id-{random-ID}.[btcdecoding@foxmail.com].1BTC. Following this, the ransomware creates a ransom note in the form of a pop-up window and a text file named RETURN FILES.txt, which is typically placed on the desktop. These notes instruct the victim to contact the ransomware developers via email and provide details on how to pay the ransom in Bitcoin to receive the decryption key.
How to remove RDanger Ransomware and decrypt your files
Discovered during a review of new file submissions to the VirusTotal website, RDanger Ransomware is a type of malware that encrypts files on an infected system and demands a ransom for decryption. Upon infection, it appends a unique identifier to the filenames of encrypted files (for example, 1.jpg.277-9OL-741), making it evident that the file is compromised. The encryption process concludes with the creation of a ransom note named ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT, which usually appears on the desktop or in various folders containing the encrypted files. The message within the note informs victims that their files have been encrypted and instructs them to pay a ransom in cryptocurrency for a decryption tool that purportedly restores their files. However, this note does not include specific payment details or instructions, suggesting the ransomware might still be in development.
How to remove Hazard (MedusaLocker) Ransomware and decrypt .hazard18 files
Hazard Ransomware is a harmful variant belonging to the MedusaLocker family of ransomware. This malware encrypts files on infected systems, adding unique file extensions to them. Specifically, it appends extensions such as .hazard18 to the filenames, indicating that the affected files have been encrypted. For instance, an original file named document.docx becomes document.docx.hazard18, signaling the encryption process has taken place. The ransomware employs RSA and AES encryption algorithms, which secure files by rendering them inaccessible without a specific decryption key known only to the attackers. Once the encryption occurs, the ransomware leaves a ransom note titled HOW_TO_BACK_FILES.html. This note typically appears in every folder containing encrypted files, informing the victim of the actions taken and providing instructions to contact the attackers for decryption details.
How to remove WhiteHorse Ransomware and decrypt .WhiteHorse files
WhiteHorse Ransomware is malicious software designed to encrypt files on an infected system and extort money from victims in exchange for decryption. Once this ransomware infiltrates a computer, it modifies the filenames by appending the .WhiteHorse extension. For instance, if you have a file named document.jpg, it will be renamed to document.jpg.WhiteHorse, rendering it inaccessible without the decryption key. The ransomware utilizes strong encryption algorithms, making it nearly impossible to decrypt the files without a unique decryption key, which is held by the cybercriminals behind the ransomware. After encrypting the files, WhiteHorse Ransomware creates a ransom note named #Decrypt#.txt within each folder containing the encrypted files.