Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Alpha865qqz Ransomware and decrypt .Globeimposter-Alpha865qqz files

Alpha865qqz is a new file encryptor that belongs to the Maoloa ransomware family. Analysis of this malware showed that Alpha865qqz mimics some traits of another infection called GlobeImposter. For instance, during encryption, it appends the .Globeimposter-Alpha865qqz extension to targeted files. To illustrate, 1.pdf will change to 1.pdf.Globeimposter-Alpha865qqz, 1.png to 1.png.Globeimposter-Alpha865qqz, and so forth. After completing the encryption process, Alpha865qqz creates an executable file called HOW TO BACK YOUR FILES.exe that lists decryption instructions. Some other versions of Alpha865qqz created the HOW TO BACK YOUR FILES.txt text file instead, and also changed the original icons of files.

How to remove Phobos-Faust Ransomware and decrypt .faust files

Faust is a new ransomware variant developed by the Phobos malware group. Its purpose is to encrypt potentially important data and make victims pay for its decryption. Along with encryption, the virus also alters the way files appear. For instance, a file originally named 1.pdf will change to something like 1.pdf.id[9ECFA84E-3421].[gardex_recofast@zohomail.eu].faust and reset its original icon after encryption. The string of characters that the ransomware appends consists of the victim's unique ID, the cybercriminals' email address, and the .faust extension. Following the successful completion of the encryption, Faust Ransomware generates a pop-up window (info.hta) and a text file (info.txt) that contain decryption guidelines.

How to remove AXLocker Ransomware and decrypt your files

AXLocker is a ransomware virus that encrypts personal data (documents, photos, databases, etc.) and demands that victims pay money for its decryption. Unlike other ransomware infections that typically rename encrypted data (by adding new extensions), AXLocker leaves files looking as they originally did. Despite this, victims will not be able to access their data, and the virus will then display a pop-up window with decryption-related demands and the time allocated to meet them.

How to remove Dharma-Zxcvb Ransomware and decrypt .zxcvb files

Dharma is a notorious malware group that has been distributing a number of high-end ransomware infections. Zxcvb is one of the most recent versions released by cybercriminals. Like its precursors, the virus encrypts system-stored files and changes their visual appearance (by adding the victim's ID, the paymoney@onionmail.org email address, and the .zxcvb extension). For instance, a file originally named 1.pdf will change to something like 1.pdf.id-9ECFA84E.[paymoney@onionmail.org].zxcvb, and so forth with other affected data. Once Zxcvb has blocked access to files, it creates a ransom-demanding note called FILES ENCRYPTED.txt and also displays a pop-up window.

How to remove D0ggerofficial Ransomware and decrypt .locked files

D0ggerofficial is a ransomware virus that encrypts data using the AES-256 algorithm. While doing so, it also renames all targeted files (documents, videos, images, etc.) with the .locked extension. For instance, a file originally named 1.pdf will change to 1.pdf.locked and reset its original icon. Following this, D0ggerofficial displays a pop-up window with decryption instructions. Cybercriminals say victims have to make a payment of 0.25 BTC (roughly 4,200) in order to retrieve a special decryption key from the cybercriminals' remote server. Victims can also obtain more detailed information by contacting the attackers via their Telegram channel (@d0ggerofficial).

How to remove Eyedocx Ransomware and decrypt .encrypted files

Eyedocx is a ransomware infection that encrypts system-stored data and presents instructions to make victims pay for the decryption. Once the encryption process is underway, all files will change according to this example: a file originally named 1.pdf will change to 1.pdf.encrypted and reset its icon. The assignment of random extensions is a common effect of many ransomware infections, designed to highlight the blocked data. The .encrypted extension is quite generic and can therefore be used by other ransomware variants as well. Once Eyedocx finishes running encryption, it creates a text note (readme.infomation) with ransom-demanding instructions.

How to remove RAMP Ransomware and decrypt .terror_ramp3 files

RAMP is the name of a malicious PC infection classified as ransomware. The main function of such malware is to encrypt system-stored data and, very often, to extort money from victims for the recovery of files. When RAMP Ransomware blocks access to data, it also assigns the .terror_ramp3 extension to change files visually. For instance, a file originally named 1.pdf will change its name to 1.pdf.terror_ramp3 and will no longer be accessible. The same will happen to other types of targeted data as well. After finishing encryption, the virus changes the desktop wallpapers and creates a text note (ramp3.txt) with recovery instructions.

How to remove Chily Ransomware and decrypt .[Chily@Dr.Com] files

Chily is the name of a ransomware infection designed to encrypt system-stored data and extort money for its decryption. During encryption, the virus also changes files visually by appending the new .[Chily@Dr.Com] extension. To illustrate, a file originally named 1.pdf will change to 1.pdf.[Chily@Dr.Com] and reset its icon as well. After such changes, users will no longer be able to access their data as before. Chily Ransomware also changes the desktop wallpapers and creates an HTML file (Read Me.Hta) that features decryption instructions.