Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove FastWind Ransomware and decrypt .FastWind files

FastWind Ransomware is a notorious malware variant that belongs to the GlobeImposter family. This type of ransomware is designed specifically to encrypt users' files, rendering them inaccessible, and subsequently demand a ransom for decryption. Upon infection, it appends the .FastWind extension to compromised files. For instance, a file named photo.jpg would be renamed to photo.jpg.FastWind. The ransomware then generates a ransom note in the form of an executable file named HOW TO BACK YOUR FILES.exe. When executed, this file presents victims with instructions on how to contact the attackers via specific email addresses to negotiate the decryption of their files. The ransom note stresses that victims must send a sample encrypted file along with their personal ID and await further instructions after payment.

How to remove Jinwooks Ransomware and decrypt .jinwooksjinwooks files

Jinwooks Ransomware is a malicious software program discovered recently by cybersecurity researchers while analyzing new threats submitted to VirusTotal. This ransomware is designed to encrypt files on an infected system, making them inaccessible to the user. Upon encrypting a file, it appends the extension .jinwooksjinwooks to the filename, altering its structure; for instance, a file named image.png would be renamed to image.png.jinwooksjinwooks. This type of malware typically utilizes strong cryptographic algorithms to lock the files, making them virtually impossible to decrypt without a specific key held by the attackers. To communicate their demands, Jinwooks ransomware creates a ransom note named read_it.txt on the user's desktop, written in Korean, which instructs victims to pay a ransom of $300 to get the decryption key. The note also warns against any attempts to remove the ransomware or running antivirus software, claiming that these actions could result in permanent data loss.

How to remove Hhjk Ransomware and decrypt .hhjk files

Hhjk Ransomware, a member of the Djvu ransomware family, is a malicious software that encrypts files on infected systems, making them inaccessible to users. Upon infiltrating a computer, it changes the filenames by appending the .hhjk extension to them—for example, document.docx becomes document.docx.hhjk. The encryption algorithm employed by Hhjk is highly advanced, making it extremely difficult to decrypt the files without the specific decryption key held by the cybercriminals. After the encryption process is completed, a ransom note file named _readme.txt is created in every folder that contains encrypted files. This note informs victims about the encryption and provides instructions on how to pay the ransom, which typically amounts to 980 USD, though a discount is offered if the victim contacts the attackers within 72 hours, reducing the ransom to 490 USD.

How to remove JOKER (Chaos) Ransomware and decrypt your files

JOKER (Chaos) Ransomware is a malicious program categorized under the ransomware class, primarily designed to encrypt valuable data on a victim's computer and demand a ransom for the decryption key. Based on the Chaos ransomware variant, this ransomware appends an extension composed of four random characters to encrypted files. For example, a file named 1.jpg would be renamed to 1.jpg.xb0d after encryption. After encrypting files, the ransomware changes the desktop wallpaper and creates a ransom note titled read_it.txt. In the note, the attackers demand 1,500 USD, payable in Monero cryptocurrency, for the decryption software. The exact amount in Monero is listed as 9.05 XMR, although this value can fluctuate based on current conversion rates.

How to remove Qual Ransomware and decrypt .qual files

Qual Ransomware is a malicious program identified as part of the Djvu ransomware family, designed to encrypt files on an infected system and demand a ransom for their decryption. When Qual executes, it appends the .qual extension to the name of each encrypted file, rendering them inaccessible without the decryption key. For example, a file initially named photo.jpg will be renamed to photo.jpg.qual. The encryption mechanism employed by Qual is robust, typically utilizing advanced cryptographic algorithms that make decryption without the corresponding decryption key virtually impossible. After encrypting the files, Qual drops a ransom note in a text file named _readme.txt, which can usually be found in every folder containing encrypted files. This note instructs the victim to contact the attackers via specific email addresses and outlines the ransom amount required for the decryption tool, often offering a discount if payment is made within a certain timeframe.

How to remove DragonForce Ransomware and decrypt .dragonforce_encrypted files

DragonForce Ransomware is a sophisticated type of malware designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. This ransomware first surfaced in early 2024 and was identified through malware samples on VirusTotal. Upon execution, DragonForce encrypts files and renames them by appending the extension .dragonforce_encrypted. An example of this would be renaming document.pdf to random_string.dragonforce_encrypted. The encryption methodology employs strong algorithms, making decryption challenging without the specific decryption key. These keys are usually stored remotely by the attackers to prevent victims from easily retrieving them. Alongside the encrypted files, DragonForce also generates a ransom note named readme.txt, typically placed in each affected directory and on the victim's desktop.

How to remove StormCry Ransomware and decrypt .stormous files

StormCry Ransomware, also known as Stormous, is a particularly vicious type of malware that encrypts valuable data on infected systems and demands a ransom for decryption. Discovered by cybersecurity researchers during routine investigations, this ransomware targets a wide array of files including databases, documents, photos, and videos. Once the encryption process is completed, it renames the affected files by appending a .stormous extension, turning a file like example.jpg into example.jpg.stormous. The attackers use robust cryptographic algorithms to ensure that the victims cannot regain access to their files without a unique decryption key that they hold. This tactic not only makes the data unusable but also leaves victims with few options for recovery other than paying the ransom. After encryption, StormCry Ransomware generates ransom notes in both HTML (readme.html) and text format (pleas_readme@.txt), which are placed in visible locations on the infected machine, such as the desktop and within encrypted folders.

How to remove Promorad Ransomware and decrypt .promorad or .promorad2 files

Promorad Ransomware is a malicious variant of the notorious Djvu ransomware family, designed to encrypt vital files on a victim's computer and demand a ransom for their decryption. Once it infiltrates a system, it appends the .promorad or .promorad2 file extension to the names of the encrypted files, rendering them inaccessible. For instance, a file previously named document.jpg will be renamed to document.jpg.promorad. This ransomware uses robust encryption algorithms, frequently leveraging AES or RSA cryptographic methods to ensure that decrypting the files without the necessary key is practically infeasible. After encryption, Promorad Ransomware generates a ransom note named _readme.txt, which is strategically placed in every folder that contains encrypted files. This note contains instructions on how victims can contact the cybercriminals and make the ransom payment to obtain the decryption key.