Ransomware

SEX3 is a computer virus classified as ransomware. Also, it was discovered to be a new version of another file encryptor called SATANA Ransomware. Software of this type is developed to encrypt potentially valuable data and demand file owners to pay money for their decryption. While running encryption, SEX3 Ransomware is programmed to alter targeted files with the .SEX3 extension. This is simply a visual change to highlight blocked data on top of successful encryption. After this, the virus changes the desktop wallpapers and also creates a text note called !satana!.txt that contains short instructions about how to unlock access to files.

Onelock is a ransomware infection developed by the Medusa ransomware family. Its purpose is to encrypt access to potentially important data (using RSA and AES encryption algorithms) and extort money from victims for full decryption. While rendering files inaccessible, the virus adds the new .onelock extension, which would make a file like 1.pdf change to 1.pdf.onelock and reset its original icon. The same pattern applies to other files that get targeted by the infection. After successful completion, Onelock creates the how_to_back_files.html file to feature decryption instructions. Overall, it is said that ransomware developers are the only figures able to decrypt victims' data. For this, victims are therefore instructed to contact cybercriminals using a chat link in Tor Browser (or e-mail) and pay some specified amount of ransom.

Alpha865qqz is a new file encryptor that belongs to the Maoloa ransomware family. While running an investigation concerning this malware, it was spotted that Alpha865qqz mimics some traits of another infection called GlobeImposter. For instance, during encryption, it appends the .Globeimposter-Alpha865qqz extension to targeted files. To illustrate, 1.pdf will change to 1.pdf.Globeimposter-Alpha865qqz, 1.png to 1.png.Globeimposter-Alpha865qqz, and so forth. After completing the encryption process, Alpha865qqz creates an executable file called HOW TO BACK YOUR FILES.exe that lists decryption instructions. Some other versions of Alpha865qqz created the HOW TO BACK YOUR FILES.txt text file instead, and also changed the original icons of files.

Faust is a new ransomware variant developed by the Phobos malware group. Its purpose is to encrypt potentially important pieces of data and make victims pay money for its decryption. Along with encryption, the virus also alters the way files appear - for instance, a file originally named 1.pdf will change to something like 1.pdf.id[9ECFA84E-3421].[gardex_recofast@zohomail.eu].faust and reset its original icon after encryption. This new string of characters that ransomware appends consists of a unique victim's ID, cybercriminals' email address, and the .faust extension. Following the successful completion of the encryption, Faust Ransomware generates a pop-up window (info.hta) and text file (info.txt) that contain decryption guidelines.

AXLocker is a ransomware virus that encrypts personal data (documents, photos, databases, etc,) and demands victims to pay money for its decryption. Unlike other ransomware infections that typically rename encrypted data (by adding new extensions), AXLocker leaves files to look in their original appearance. Despite this, victims will not be able to access their data and the virus will then display a pop-up window with decryption-related demands and allocated time to meet them.

Dharma is a notorious malware group that has been distributing a number of high-end ransomware infections. Zxcvb is one of the most recent versions released by cybercriminals. Alike its precursors, the virus encrypts access to system-stored files and changes their visual appearance (by adding the victim's ID, paymoney@onionmail.org email address, and the .zxcvb extension). For instance, a file originally named 1.pdf will change to something like 1.pdf.id-9ECFA84E.[paymoney@onionmail.org].zxcvb and so forth with other affected data. Once Zxcvb deprives access to files, it creates a ransom-demanding note called FILES ENCRYPTED.txt and also displays a pop-up window.

D0ggerofficial is a ransomware virus that runs encryption of data using AES-256 algorithms. While doing so, it also renames all targeted files (documents, videos, images, etc.) with the .locked extension. For instance, a file originally named 1.pdf will change to 1.pdf.locked and reset its original icon. Following this, D0ggerofficial displays a pop-up window with decryption instructions. Cybercriminals say victims have to make a payment of 0.25 BTC (roughly 4,200) in order to retrieve a special decryption key from the cybercriminals' remote server. Victims can also obtain more detailed information by contacting the attackers via their Telegram channel (@d0ggerofficial).

Eyedocx is a ransomware infection that encrypts access to system-stored data and presents instructions to make victims pay for the decryption. Once the encryption process gets put underway, all files will change according to this example - originally named 1.pdf will change to 1.pdf.encrypted and reset its icon. The assignment of random extensions is a common effect of many ransomware infections, designed to highlight the blocked data. The .encrypted extension is quite generic and can therefore be used by other ransomware variants as well. Once Eyedocx finishes running encryption, it creates a text note (readme.infomation) with ransom-demanding instructions.