
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Niwm Ransomware and decrypt .niwm files

If you landed on this article, you were most likely hit by Niwm Ransomware, which encrypted your files and changed their extensions to .niwm. The name Niwm is given to this malware after the suffix it appends, so that users can find the removal and decryption solution. In fact, this is just the 681st version of STOP Ransomware (sometimes called Djvu Ransomware), which has been active for more than 5 years and has become one of the most widespread ransomware families. Niwm was released in the first days of April 2023. Unfortunately, the chances of 100% decryption are low because it uses strong encryption algorithms; however, with the instructions below you will be able to recover some files. Niwm uses a combination of the RSA and AES encryption algorithms to encrypt the victim's files: AES encrypts the files themselves, and RSA encrypts the AES key. The AES key is generated randomly for each victim and is stored on the attacker's server. Before any recovery attempt, you first need to remove the ransomware files and kill its processes. Below is an example of the Niwm Ransomware ransom note, which it leaves on the desktop (_readme.txt). It is quite typical and has remained almost the same, with minor changes, for several years.

How to remove Cylance Ransomware and decrypt .Cylance files

Cylance is the name of a ransomware infection that targets Windows and Linux users. Users infected with this type of malware can no longer access their data because it has been encrypted. In addition, victims will see the affected files renamed with the .Cylance extension. After this, the files are no longer accessible, and victims are expected to follow the decryption instructions in the generated ransom note (named CYLANCE_README.txt). Please note that Cylance Ransomware has nothing to do with Cylance by BlackBerry, a legitimate enterprise cybersecurity product line. In general, the ransom note says the victim's data has been encrypted and that the cybercriminals are the only holders of the private keys able to decrypt it. To obtain this key and, presumably, software for running the decryption, victims are instructed to contact the swindlers via e-mail and transfer money to them. The price is undisclosed and most likely calculated for each victim separately. Additionally, the cybercriminals offer to test decryption for free on one encrypted file. No matter how trustworthy cybercriminals seem, it is always advised against collaborating with them and paying the ransom. Many victims end up fooled and do not receive the promised decryption tools. While this has not been reported to be the case with Cylance Ransomware, the risk exists nonetheless.

How to remove Nifr Ransomware and decrypt .nifr files

Nifr Ransomware, a member of the STOP Ransomware (Djvu Ransomware) family, is an elaborate file-encrypting virus that encrypts the user's files and makes them inaccessible. The malware uses an unbreakable AES (Salsa20) encryption algorithm, and decryption is only possible in 2-3% of cases. It first generates a unique AES-256 encryption key for each file it encrypts, which is used to encrypt the file's contents. This process is known as symmetric encryption, as the same key is used to encrypt and decrypt the file. After encrypting the file with the AES-256 key, Nifr Ransomware then encrypts the AES-256 key with an RSA-1024 public key, which is included in the ransomware's code. This process is known as asymmetric encryption, as it uses different keys for encryption and decryption. This recent version of STOP Ransomware adds the following suffix or extension: .nifr. The corresponding variant received the name Nifr Ransomware. After encrypting, the ransomware creates the _readme.txt file, which specialists call a "ransom note"; its contents are shown below. The note contains instructions on how to contact the ransomware operators and pay the ransom in order to receive the decryption key. The ransomware is typically distributed through spam emails, fake software updates, and software cracks/keygens. It is important to note that paying the ransom is not recommended, as it encourages the criminals and there is no guarantee that the decryption key will be provided.

How to remove D7k Ransomware and decrypt .D7k files

D7k is the name of a recently discovered ransomware infection. Like other infections in this category, it is designed to encrypt system-stored data and extort money from victims for its decryption. During encryption, all targeted files receive the .D7k extension and their icons are reset to blank. As a result, users can no longer access their files, even after manually removing the newly assigned extension. Once encryption is complete, the virus creates a text file called note.txt, which contains decryption guidelines. The note is a short text demanding $500 for file decryption. This amount is to be sent to the Bitcoin wallet provided by the cybercriminals. The message does not include any communication channels, which makes the decryption process ambiguous. Paying the ransom is not recommended, because many cybercriminals fool their victims and do not send the promised decryption means in return. In this case it appears even riskier, due to the lack of any communication channel for contacting the extortionists. Despite this, the cybercriminals are usually the only ones able to unlock access to the data completely and safely. At the time this article was written, no public third-party tools were known to bypass the ciphers used by D7k Ransomware. Decryption using third-party tools or Windows shadow copies is possible only in rare cases when the ransomware is flawed or malfunctioned during its operation for whatever reason. Otherwise, the only ways to recover your data are either collaborating with the ransomware developers or retrieving the data from existing backup copies. Backups are copies of data stored on external devices such as USB drives, external hard drives, or SSDs.

How to remove Jycx Ransomware and decrypt .jycx files

Jycx Ransomware (in other classifications STOP Ransomware or Djvu Ransomware) is harmful malware that blocks access to the user's files by encrypting them and demands a ransom. It was released in the last days of March 2023 and hit tens of thousands of computers. The virus uses an unbreakable encryption scheme (AES-256 with an RSA-1024 key) and demands a ransom to be paid in Bitcoin. However, due to some programming mistakes, there are cases in which your files can be decrypted. The version of STOP Ransomware considered today adds the .jycx extension to encrypted files, and therefore received the name Jycx Ransomware. After encryption, it presents the file _readme.txt to the victim. This text file contains information about the infection, contact details, and false statements about decryption guarantees. The following e-mail addresses are used by the malefactors for communication: support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Hairysquid Ransomware and decrypt .Hairysquid files

Hairysquid is a newly discovered variant of the Mimic ransomware. After penetration, it modifies Windows Group Policy, deactivates Windows Defender protection, and disables other Windows features to remove any obstacle to its malicious activity. The goal of this infection is to encrypt system-stored data and demand money for its decryption. During the encryption process, the virus attaches the .Hairysquid extension to all affected files. Once done, a file like 1.pdf turns into 1.pdf.Hairysquid and its icon changes. Instructions on how to decrypt the blocked data are presented in the READ_ME_DECRYPTION_HAIRYSQUID.txt note, which is created once encryption completes. In short, it says the victims have been attacked by ransomware that encrypted their data. In order to reverse the damage and get the files back, victims have to contact the swindlers via one of the provided communication channels (TOX messenger, ICQ messenger, Skype, and email) and pay for decryption in Bitcoin. The price for decryption is said to be calculated based on the number and potential value of the encrypted files. In addition, victims are allowed to test decryption for free by sending 3 locked files to the cybercriminals. Alas, it is usually impossible to decrypt the blocked data without the involvement of the cybercriminals themselves.

How to remove Jyos Ransomware and decrypt .jyos files

Jyos Ransomware (a.k.a. Djvu Ransomware or STOP Ransomware) encrypts the victim's files with Salsa20 (a stream cipher) and appends one of hundreds of possible extensions, including the latest discovered one, .jyos. This variant appeared at the very end of March 2023 and infected thousands of computers worldwide. STOP is one of the most active ransomware families today, yet it is rarely talked about. The prevalence of STOP is also confirmed by the extremely active forum thread on Bleeping Computer, where victims seek help. The fact is that this malware mainly attacks fans of pirated content and visitors to suspicious sites, and is distributed as part of advertising bundles. Successful decryption is possible; however, to date, researchers know of more than two hundred STOP Ransomware variants, and such variety significantly complicates the situation.

How to remove Jypo Ransomware and decrypt .jypo files

Jypo Ransomware is the next generation of the STOP Ransomware family from the same authors. The family is known for its widespread distribution and frequent updates with new variants. Like other members of the Djvu family, Jypo Ransomware is designed to encrypt the victim's files and demand a ransom payment in exchange for the decryption key. The ransom note left by Jypo Ransomware instructs the victim to contact the attackers via email to negotiate the ransom payment. This virus targets important user files, such as documents, photos, databases, music, and mail. The ransomware encrypts them with AES and adds the .jypo extension to affected files. All these variants use similar, unbreakable algorithms; however, under certain conditions .jypo files encrypted by the ransomware can be decrypted using the STOP Djvu Decryptor (provided below). This version of STOP Ransomware uses the following e-mail addresses: support@freshmail.top and datarestorehelp@airmail.cc. Jypo Ransomware creates the _readme.txt ransom note file.