
Ransomware

Articles about removing Windows lockers, browser lockers, crypto-viruses and other types of extortion malware.

How to remove Theva Ransomware and decrypt .theva files

Theva is a ransomware strain that encrypts data stored on the system and demands payment in Bitcoin for its decryption. During encryption, targeted files are renamed with the attackers' e-mail address and the .theva extension: for instance, 1.pdf becomes 1.pdf.[sql772@aol.com].theva, and likewise for other files. Once the data has been locked, Theva Ransomware presents its decryption instructions in a text file named #_README_#.inf and also replaces the victim's desktop wallpaper. To recover the data, victims are urged to contact the cybercriminals at the given e-mail address (sql772@aol.com) and pay the ransom in Bitcoin. The note claims that the price depends on how quickly the victim makes contact. After payment, the threat actors promise to send a decryption tool that unlocks all blocked data; as with any ransomware, there is no guarantee they will.

How to remove Eternity Ransomware and decrypt .ecrp files

Eternity is a ransomware virus discovered by Cyble researchers. It belongs to the Eternity malware family and extorts money from victims by encrypting potentially valuable data with a combination of AES and RSA. Dasha is another ransomware variant from the same family. Two versions of Eternity are known: one leaves file names unchanged, the other appends the .ecrp extension and replaces the original file icons. For instance, 1.pdf may either keep its name or become 1.pdf.ecrp, depending on which version infected the system; with the first version, the pop-up window is the only visible indicator. After encryption completes, Eternity displays a pop-up window with decryption instructions. Because Eternity is sold as Malware-as-a-Service (MaaS) to many threat actors, the content of the instructions (contact details, ransom amount, countdowns, etc.) varies slightly between operators. Below are examples of ransom texts from two ransomware variants.

How to remove Black Hunt Ransomware and decrypt .black files

Black Hunt is a malicious infection classified as ransomware. After infiltrating a system it encrypts data and then blackmails victims into paying for decryption through the #BlackHunt_ReadMe.hta and #BlackHunt_ReadMe.txt ransom notes. During encryption it appends the victim's ID, the attackers' e-mail address and the .black extension to affected files. For example, 1.pdf becomes something like 1.pdf.[nnUWuTLm3Y45N021].[sentafe@rape.lol] (the ID and e-mail vary per infection) and receives the Black Hunt icon. The desktop wallpaper is replaced as well. In the notes, the cybercriminals state that victims have 14 days to contact them by e-mail and buy a unique decryption key. If the deadline passes, the threat actors say they will sell or leak the collected data to third parties, so the incident is a data breach as well as an availability problem. Victims can review their "data situation" via the provided TOR link.

How to remove ScareCrow Ransomware and decrypt .scrcrw or .CROW files

ScareCrow is a ransomware infection that first appeared on malware radars in 2019. Since then it has received a few minor changes and upgrades; depending on which ScareCrow version attacked the system, either the .scrcrw or the .CROW extension is appended to targeted files. Like other ransomware, it encrypts potentially valuable data and holds it until victims meet the cybercriminals' demand to pay a ransom. ScareCrow uses a combination of AES and RSA cryptographic algorithms to encrypt the data. After making files inaccessible, the virus automatically opens a pop-up window with decryption instructions. Note that paying the ransom may not be necessary: victims are advised to contact the reputable ransomware researcher Michael Gillespie, who has helped decrypt ScareCrow files for free.

How to remove Lucknite (ETH) Ransomware and decrypt .lucknite files

Lucknite (ETH), also known as LuckniteRansom, is a ransomware virus that was recently analyzed by malware researchers. Its purpose is to encrypt potentially important data and hold it hostage until victims pay a ransom. During encryption it appends the .lucknite extension to each targeted file: for instance, 1.pdf becomes 1.pdf.lucknite and loses its original file-type icon. The cybercriminals then drop their decryption instructions in a README.txt note. The content of the ransom note may vary slightly depending on which version of the ransomware affected the system.

How to remove OBZ Ransomware and decrypt .OBZ files

OBZ is a ransomware-type virus that encrypts data and blackmails victims into paying for decryption. During encryption it appends the .OBZ extension to targeted files: for instance, 1.pdf becomes 1.pdf.OBZ or 1.pdf.obz, depending on which version of the ransomware penetrated the system. Victims have also reported a malicious process named Traffic Light in Windows Task Manager. Once encryption finishes, OBZ Ransomware creates a text file (ReadMe.txt) containing decryption instructions. Notably, the content of this note is identical to that of the previously discovered U2K and MME ransomware, which suggests OBZ was developed by the same group.

How to remove CryWiper Ransomware and decrypt .CRY files

CryWiper is a destructive piece of malware that corrupts data to make it inaccessible and then demands money for a decryption that cannot happen. Its developers disguise it as ransomware, but it is in fact a data wiper that simply corrupts the files rather than encrypting them. While running its fake "encryption", the virus deletes all shadow copies from the system drive and appends the .CRY extension to mark the affected files: for instance, 1.pdf becomes 1.pdf.CRY and is permanently damaged. CryWiper then creates a README.txt file with misleading decryption instructions. Because the data is destroyed rather than encrypted and the local shadow copies are gone, paying cannot recover anything; restoration is only possible from backups held elsewhere. CryWiper is known to skip .exe, .dll, .lnk, .msi and .sys files, as well as files stored in the Boot, System and Windows directories. It has been observed being distributed as a malicious file named browserupdate.exe, is written in C++, and targets organizations located in Russia.

How to remove Beijing Ransomware and decrypt .beijing files

Beijing is a ransomware infection that encrypts data and demands that victims pay for its decryption. This file encryptor was likely released by the same cybercriminals who previously developed another ransomware named LeakTheMall. During encryption, victims see their files change visually as the new .beijing extension is appended to them: for instance, 1.pdf becomes 1.pdf.beijing and can no longer be opened. The virus then creates text instructions in !RECOVER.txt explaining what victims should do to recover their data.
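The summaries above each give the same two indicators: the rename pattern applied to encrypted files and the name of the dropped ransom note. As an added triage example (not code from this page or from any of the articles or vendors it mentions), the Python script below turns those indicators into a classifier that maps a listing of file paths from a suspect host to the families described here. The regular expressions, the "narrow an ambiguous note using rename evidence" step and the sample path listing are my own constructions. Two assumptions are built in: Windows file names are case-insensitive, so README.txt, ReadMe.txt and the like are one name shared by Lucknite, OBZ and CryWiper; and the Black Hunt text says .black is appended while its 1.pdf example omits it, so the pattern accepts both forms.

```python
"""Map encrypted-file names and ransom-note names to the ransomware families
summarised above.  Added example; patterns are derived from the "1.pdf -> ..."
examples and note names in the summaries, the regex form is my own."""
import os
import re
from collections import defaultdict

# One rename pattern per family.  Named groups recover the original file name
# and, where the family embeds them, the victim ID and attacker e-mail.
FILENAME_PATTERNS = [
    ("Theva",      re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\]@]+@[^\]]+)\]\.theva$", re.I)),
    # Text says .black is appended, the page's example omits it: accept both.
    ("Black Hunt", re.compile(r"^(?P<orig>.+)\.\[(?P<id>[^\]]+)\]\.\[(?P<email>[^\]@]+@[^\]]+)\](?:\.black)?$", re.I)),
    ("Eternity",   re.compile(r"^(?P<orig>.+)\.ecrp$", re.I)),
    ("ScareCrow",  re.compile(r"^(?P<orig>.+)\.(?:scrcrw|crow)$", re.I)),
    ("Lucknite",   re.compile(r"^(?P<orig>.+)\.lucknite$", re.I)),
    ("OBZ",        re.compile(r"^(?P<orig>.+)\.obz$", re.I)),
    ("CryWiper",   re.compile(r"^(?P<orig>.+)\.cry$", re.I)),
    ("Beijing",    re.compile(r"^(?P<orig>.+)\.beijing$", re.I)),
]

# Ransom-note names, lower-cased because Windows file names are
# case-insensitive.  README.txt is shared by several families, so the value is
# a list of every candidate rather than a single answer.
RANSOM_NOTES = {
    "#_readme_#.inf": ["Theva"],
    "#blackhunt_readme.hta": ["Black Hunt"],
    "#blackhunt_readme.txt": ["Black Hunt"],
    "readme.txt": ["Lucknite", "OBZ", "CryWiper"],
    "!recover.txt": ["Beijing"],
}


def classify_filename(name):
    """Return (family, captured groups) for an encrypted-looking name, else None."""
    for family, pattern in FILENAME_PATTERNS:
        m = pattern.match(name)
        if m:
            return family, m.groupdict()
    return None


def classify_note(name):
    """Return the families known to drop a note with this name (may be empty)."""
    return RANSOM_NOTES.get(name.lower(), [])


def triage(paths):
    """Summarise a path listing: family counts, note files and original names.

    A match is only a hint for the analyst, not attribution: extensions like
    .cry or .crow are short and other malware may reuse them.
    """
    report = {"families": defaultdict(int), "notes": {}, "originals": []}
    for path in paths:
        base = os.path.basename(path.replace("\\", "/"))
        hit = classify_filename(base)
        if hit:
            family, details = hit
            report["families"][family] += 1
            report["originals"].append((path, details["orig"]))
            continue
        candidates = classify_note(base)
        if candidates:
            report["notes"][path] = candidates
    # Narrow an ambiguous note (README.txt) using the rename evidence: if only
    # one of its candidate families also renamed files, that family wins.
    seen = set(report["families"])
    for path, candidates in report["notes"].items():
        narrowed = [c for c in candidates if c in seen]
        if narrowed:
            report["notes"][path] = narrowed
    report["families"] = dict(report["families"])
    return report


# Constructed sample listing for a stand-alone run; not real telemetry.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\1.pdf.[sql772@aol.com].theva",
    r"C:\Users\alice\Documents\#_README_#.inf",
    r"C:\Users\bob\Desktop\1.pdf.[nnUWuTLm3Y45N021].[sentafe@rape.lol]",
    r"C:\Users\bob\Desktop\#BlackHunt_ReadMe.hta",
    r"C:\Users\carol\Pictures\photo.jpg.CRY",
    r"C:\Users\carol\Pictures\README.txt",
    r"C:\Users\dave\budget.xlsx",
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(SAMPLE_PATHS))
```

On a real case, feed `triage()` the output of a directory walk or a file-listing export from the affected host. A CryWiper hit in the report matters more than the others: the summary above says the files are destroyed and shadow copies deleted, so the decision is about backups, not about a decryptor.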