Ransomware

Recov is a new ransomware variant of the VoidCrypt family. After infiltrating a system, it runs data encryption (to prevent victims from accessing files) and tells victims to pay for a kit of decryption software + RSA key for unlocking the files. Instructions on how to do it are presented inside the Dectryption-guide.txt ransom note. One more thing that this ransomware does is assigning visual changes to encrypted files - a string of characters consisting of the victim's ID, cybercriminals' e-mail address, and the .Recov extension will be added to filenames. For instance, a file originally named 1.pdf will be changed to 1.pdf.[MJ-TN2069418375](Recoverifiles@gmail.com).Recov or similarly. Cybercriminals demand that victims establish contact with them via e-mail (Recoverifiles@gmail.com or Recoverifiles@protonmail.com in case of no answer). While it isn't made clear what extortionists need, it is likely that they will require their victims to pay a certain fee for a decryption tool and RSA key that are available only to the developers.

Kadavro Vector is a ransomware program oriented toward English, Russian, and Norwegian-speaking users. The purpose of this virus is to encrypt potentially important data and extort money from victims for its decryption. While rendering files inaccessible, the malware also appends the .vector_ extension to targeted files. For instance, a file originally named 1.pdf will experience a change to 1.pdf.vector_ and reset its original icon. Very soon after successful encryption, Kadavro Vector force-opens its pop-up window containing decryption guidelines. Additionally, desktop wallpapers get changed as well. The ransom note instructs victims to not turn off the Internet and their computer as it may otherwise lead to damage to encrypted data. To return the data, victims have to purchase Monero (XMR) cryptocurrency worth $250 and send it to the cybercriminals' crypto address. In addition, there is also a timer indicating how much time users have to pay for decryption. Should victims not manage to do so within the allocated time frame, it is said that all files will be deleted using high-edge algorithms, making them permanently unrecoverable in the future. By doing so, threat actors try to put extra pressure on victims and thereby force them to meet the decryption demands.

Coty Ransomware is a part of a large STOP/Djvu Ransomware family. It got its name because the original versions of the malware added the .stop (later .djvu) file extension and encrypted them with a combination of AES and RSA cryptography to make files inaccessible on the infected Windows computer. Coty Ransomware according to its name adds .coty extension. This version appeared in the end of April 2023. Once the Coty/STOP ransomware completes the encryption procedure, the virus creates a ransom note to _readme.txt file. The message of the scammers says that the victims must pay the ransom within 72 hours. The authors of the STOP virus are demanding $490 during the first three days and $980 after this time period. To provide confirmation, hackers allow 1-3 "not very large" files to be sent for free decryption to support@freshmail.top or datarestorehelp@airmail.cc for a test.

Cooper is a ransomware virus that infects systems to encrypt potentially important files and demands money for their decryption. Along with running secure encryption, it also assigns the .cooper extension to affected files. For instance, a file originally named 1.pdf will change to 1.pdf.cooper and lose its original icon. After this change, files will no longer be usable, even if you remove the added extension. To reverse these changes, decryption instructions are presented within the Cooper_Recover.txt file. Cybercriminals urge victims to contact them via e-mail and pay for unique decryption software. Threat actors are the only figures who have access to it, and it is said no other tool is able to provide decryption for enciphered .cooper files. While contacting, victims are also asked to include the ID in the subject line of an e-mail message. Unfortunately, unless you have an available backup that can be used to retrieve copies of encrypted files, paying the ransom to cyber-crooks might be the only way to return back your files. Multiple ransomware infections use strong encryption algorithms and generate online keys, ensuring decryption is barely possible without the help of initial developers.

Coza is a new ransomware sample developed by the notorious STOP/Djvu group of extortionists. Alike many other variants published by these cybercriminals, this one employs an almost identical encryption and extortion pattern. Upon settling down on an infected machine, the virus starts scanning and therefore encrypting potentially important pieces of data. By doing so, the virus aims to create more incentives for victims to pay for decryption proposed by the attackers. In addition to encryption, the malware also makes sure victims can differentiate locked from non-locked files – by simply assigning the .coza extension. For instance, a file previously named 1.xlsx will change to 1.xlsx.coza, 1.pdf to 1.pdf.coza and so forth with other targeted file types. To undo the encryption, victims are said to follow instructions within the _readme.txt text note.

Pwpdvl is a ransomware virus designed to extort money from victims by running encryption of data. In other words, people affected by this malware will no longer be able to access and view their files. When Pwpdvl enciphers potentially important files, it also assigns the victim's ID, along with the .pwpdvl extension at the end. For instance, a file like 1.pdf will alter to something like 1.pdf.[ID-9ECFA84E].pwpdvl and rest its original icon. To make victims pay money for the recovery, the file encryptor creates a ransom text note (RESTORE_FILES_INFO.txt), which contains decryption instructions. It is demanded of victims to contact the swindlers (via Bitmessage or qTOX) and pay for decryption in Monero (XMR) cryptocurrency. Before sending the payment, cybercriminals also offer to test free decryption – victims can send 2 encrypted files (non-important and 1 MB max) and get it unlocked for free. This is a kind of guarantee that extortionists offer to prove their decryption abilities and give extra confidence for paying the ransom. Though, please note that trusting cybercriminals is always a risk. Some users get fooled and do not receive the promised decryption tools/keys regardless of meeting the demands. Despite this, it is unfortunately only ransomware developers who hold the necessary decryption keys for safely restoring access to data. Independent decryption using third-party tools or Windows shadow copies can be possible but in very rare cases when ransomware contains flaws or did not manage to encrypt the data as intended.

VapeV7 is a ransomware virus designed to encrypt data across successfully infected systems. By doing so, the virus makes sure users are no longer able to access/view their own data, which enables threat actors to demand money for its decryption. The encrypted files will appear with the new .VapeV7 extension and reset their original icons to blank. After this, victims will be presented with decryption instructions in a dedicated pop-up window. In order to restore access to data, victims are demanded to send $200 to the cybercriminals' BTC wallet (via an address inside the pop-up window) and notify the extortionists with the transaction ID by e-mail. Note that BTC wallets and contact e-mails are changing each second creating a lot of uncertainty as to what wallet address and e-mail to use. Also, displayed BTC wallets are actually incorrect and thus non-existent at all. Such a strange phenomenon could be a sign that VapeV7 Ransomware is bugged or still under development. However, not excluded that cybercriminals behind this ransomware will remove the bugs and strike future victims with more reliable decryption guidelines. Unfortunately, despite this fact, files enciphered by VapeV7 Ransomware are less likely to be decryptable manually.

Charmant is a malicious program that falls under the category of ransomware. Malware of such is designed to encrypt access to data and make victims pay money for its decryption. While enciphering access to system-stored files, this ransomware variant also assigns the .charmant extension to highlight the blocked data. For instance, a file like 1.pdf will change to 1.pdf and lose its original icon. Immediately after the encryption is finished, a text note named #RECOVERY#.txt gets created to feature decryption guidelines. To establish contact with cybercriminals and request the decryption of locked files, victims are instructed to write via e-mail or Jabber client (a secure messaging service). Following successful communication with cybercriminals, victims will most likely be demanded to pay a certain ransom fee to obtain special software and a decryption key. In addition, the message also warns against running any modifications to files or trying to decrypt them using third-party tools because such actions may lead to permanent damage. While this information may be initially designed to scare inexperienced users and eventually pay for decryption, it is actually true. Without the right decryption keys that are stored by cybercriminals, it is rarely possible to decrypt files fully and without damage risks. At the moment of writing this article, no third-party tool is known to be able to decrypt the locked data. In rare cases, generic decryption tools may work only if ransomware contained flaws or did not manage to encrypt the files in the intended way.