
Ransomware

Articles about removing Windows lockers, browser lockers, crypto-viruses and other types of extortion threats.

How to remove Qarj Ransomware and decrypt .qarj files

Qarj is a new ransomware variant built from the template of the notorious STOP/Djvu family. This particular variant was released in March 2023. Being a file-encrypting virus, it blocks access to personal data using secure encryption algorithms. This means that files stored on a PC can no longer be opened by users until they are decrypted. Currently, the chances of decrypting files encrypted by Qarj are small: only 1-2% of cases are decryptable, and only when certain conditions are met. Follow all instructions on this page until you get some data restored. To show that all files have been put under a lock, the developers append the new .qarj extension to each file. For instance, a file such as 1.pdf will change to 1.pdf.qarj and eventually lose its icon. After this part of the encryption is finished, the virus creates a text note (_readme.txt) with ransom instructions.

How to remove Qapo Ransomware and decrypt .qapo files

Qapo Ransomware is a new file-encrypting program developed and published by the authors of the STOP/Djvu family. Almost all versions belonging to this group of extortionists employ similar steps to extort money from victims. This particular variant was released in the middle of March 2023. Once Qapo gets onto your PC, it runs a quick scan of your system to find sensitive data. When this process is done, the malicious program proceeds to encrypt your data. During this, all files are renamed with the .qapo extension, which appears at the end of each file name. For example, a file like 1.pdf will change to 1.pdf.qapo, and so on. Once you spot such a sudden change, you will no longer be able to access the data. In order to decrypt it, cybercriminals instruct victims through the steps listed inside a text note (_readme.txt), which opens at the end of encryption. All recent versions of this ransomware family have used identical text in their notes.

How to remove Qazx Ransomware and decrypt .qazx files

Qazx Ransomware is so called because of the .qazx extension it adds to affected files, modifying the original extensions of various types of sensitive data. This version appeared in the middle of March 2023. Technically, it is STOP Ransomware, which uses AES encryption algorithms to encrypt the user's files. This suffix is one of the hundreds of different extensions used by this malware. Does it mean you have lost your valuable data? Not necessarily. There are certain methods that allow you to recover your files fully or partially. Also, there is a free decryption utility called STOP Djvu Decryptor from Emsisoft, which is constantly updated and is able to decrypt hundreds of versions of this virus. After finishing its disastrous activity, Qazx Ransomware creates a _readme.txt file (ransom note), in which it informs users of the encryption, the ransom amount, and the payment conditions.

How to remove Craa Ransomware and decrypt .craa files

If you cannot open your files, and they have the .craa extension added at the end of their filenames, it means your PC is infected with Craa Ransomware, part of the STOP/Djvu Ransomware family. This malware has been tormenting its victims since 2017 and has already become the most widespread ransomware-type virus in history. It infects thousands of computers per day using various methods of distribution. It uses a complex combination of symmetric or asymmetric encryption algorithms, removes Windows restore points, previous versions of files and shadow copies, and basically leaves only three possibilities for recovery. The first is to pay the ransom; however, there is absolutely no guarantee that the malefactors will send the decryption key back. The second possibility is very unlikely, but worth trying – using a special decryption tool from Emsisoft, called STOP Djvu Decryptor. It works only under a number of conditions, which we describe in the next paragraph. The third is using file-recovery programs, which often act as a workaround for ransomware infection problems. Let's look at the ransom note file (_readme.txt) that the virus places on the desktop and in the folders with encrypted files.

How to remove Esxi Ransomware and decrypt .ESXiArgs or .args files

Esxi (ESXiArgs) Ransomware is a malicious infection that targets organizations by exploiting vulnerabilities in VMware ESXi - a virtual machine tool used for managing and optimizing various processes within organizations. Security reports indicate that cybercriminals exploit known vulnerabilities in VMware ESXi to gain access to servers and deploy ESXiArgs ransomware onto the targeted system. Once in place, the virus will look for and encrypt files located on the virtual machine with the following extensions: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, .vmem. For each encrypted file, the ransomware also creates a separate file with the .ESXiArgs or .args extension containing metadata (likely necessary for future decryption).

How to remove Coba Ransomware and decrypt .coba files

Being a successor of Djvu Ransomware, Coba is a ransomware-type virus that targets personal data. Just like other malware of this type, Coba encrypts data in order to demand a monetary ransom from victims. All files attacked by Coba (including pictures, databases, documents, etc.) become inaccessible and are altered visually as well. For example, a file like 1.pdf will appear as 1.pdf.coba at the end of encryption. The developers of this ransomware variant apply the .coba extension to each of the target files stored on the system. The next thing it does after changing the file extensions is create a ransom note (_readme.txt) that contains decryption instructions. Once users open it, they are presented with text written by the cybercriminals. This text provides information on how to get the encrypted data back.

How to remove SkullLocker Ransomware and decrypt .skull files

SkullLocker is a new ransomware variant. Research indicates it was developed on the basis of Chaos Ransomware – another devastating and well-known infection. Upon successful infiltration, SkullLocker encrypts files, blocking access to them, adds its own .skull extension, and creates a ransom note (read_it.txt) with decryption instructions written in Polish. Here is the full text of the note along with its English translation. In short, the cybercriminals demand that users make a payment within 72 hours, otherwise the data will be permanently lost. Users are asked to read the payment and recovery details via the attached TOR link. In addition, the note warns against trying to recover files manually, as doing so may cause permanent damage to the files.

How to remove Coaq Ransomware and decrypt .coaq files

Coaq Ransomware is a subtype of STOP Ransomware (or DJVU Ransomware) and has all the characteristics of this family of viruses. The malware blocks access to the data on the victim's computer by encrypting it with the AES encryption algorithm. STOP Ransomware is one of the longest-lived ransomware families; the first infections were registered in December 2017. Coaq Ransomware is yet another generation of it and appends the .coaq extension to encrypted files. Following the encryption, the malware creates a ransom note file, _readme.txt, on the desktop and in the folders with encoded files. In this file, the hackers provide information about decryption and contact details, namely the e-mails support@freshmail.top and datarestorehelp@airmail.cc.