
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove bDAT Ransomware and decrypt .bDAT files

bDAT is a ransomware virus that encrypts data and requires victims to contact its operators in order to recover it. bDAT is believed to be a variant of the widespread Dharma ransomware family. During encryption, the file-encryptor renames affected files according to the format [original name].id-[victim's ID].[bkpdata@msgsafe.io].bDAT. For instance, a file originally named 1.pdf will appear as 1.pdf.id-9ECFA84E.[bkpdata@msgsafe.io].bDAT or similar. After this, victims are presented with a pop-up window and an info.txt file containing decryption guidelines.

How to remove Azov Ransomware and decrypt .azov files

Azov is a ransomware infection that restricts access to data by encrypting it. During this process, the virus appends the .azov extension to all affected files and drops a RESTORE_FILES.txt note in each folder containing encrypted data (including the desktop). For instance, a file originally named 1.png will change to 1.png.azov and lose its original icon.

How to remove Maze Ransomware and decrypt .maze files

Maze is a ransomware program discovered by malware researcher Jérôme Segura. This infection has been observed using RSA-2048 + ChaCha encryption and has been distributed in several different versions. Depending on the version that attacked the system, victims may see either the .maze or the .ILnnD extension added to their files. For instance, an original file like 1.pdf may end up as 1.pdf.maze or 1.pdf.ILnnD after encryption. After this, the virus changes the desktop wallpaper and creates either DECRYPT-FILES.html or DECRYPT-FILES.txt, again depending on the version of the ransomware. Make sure you read our article below to potentially decrypt your data for free.

How to remove Phobos-Duck Ransomware and decrypt .duck files

Duck is a recent file encryptor belonging to the Phobos ransomware family. While blocking access to data, the virus alters file names by appending the generated victim's ID, the cybercriminals' e-mail address, and the .duck extension. For instance, a file originally named 1.pdf will change to something like 1.pdf.id[9ECFA84E-3316].[supprecovery@torguard.tg].duck, lose its icon, and become inaccessible. Once all data has been encrypted, the cybercriminals display decryption instructions in two ransom notes (info.hta and info.txt) to extort money from victims.

How to remove Killnet Ransomware and decrypt .killnet files

Killnet is a ransomware infection designed to encrypt personal data. During encryption, it appends the .killnet extension, visibly changing the files' names. For instance, a file originally named 1.pdf will change to 1.pdf.killnet and become inaccessible. After encryption, the virus creates a text note called Ru.txt, written in Russian, and replaces the desktop wallpaper as well. The information in this note is vague and gives no clear guidance on what victims should do: it lists only a number of Telegram handles for different purposes, labelled "donates", "support", and so forth. Normally, the goal of ransomware attackers is to extort money from victims by offering full decryption of data in return.

How to remove DAGON LOCKER Ransomware and decrypt .dagoned files

DAGON LOCKER is a new variant of Mount Locker ransomware. While encrypting data, the virus appends the .dagoned extension to all affected files. For instance, a file originally named 1.pdf will appear as 1.pdf.dagoned and become inaccessible after encryption. Following this, the cybercriminals create the README_TO_DECRYPT.html file containing decryption instructions. Once opened, the file informs victims that all valuable files have been encrypted and exfiltrated to the cybercriminals' remote servers. Unless victims contact the extortionists via Tor Browser within 72 hours, the collected data may be leaked to the public. Unfortunately, it is usually impossible to decrypt the files without the direct help of the cybercriminals.

How to remove AROS Ransomware and decrypt .ARS files

AROS is an infectious program categorized as ransomware. Software of this kind is designed to encrypt data stored on the system and blackmail victims into paying a so-called ransom fee for decryption. After infiltrating the system, AROS has been observed to append the new .ARS extension, together with the cybercriminals' e-mail address and a unique victim's ID. To illustrate, a file originally named 1.pdf will change to something like 1.pdf.[5d3e178db8].[luckyguys@tutanota.com].ARS and become inaccessible. The final step of AROS Ransomware is the creation of How_to_decrypt_files.txt, a text note containing decryption guidelines.

How to remove Prestige Ransomware and decrypt .enc files

Prestige is a ransomware infection that encrypts potentially valuable files and demands that victims pay a fee to recover them. While making data inaccessible, the virus appends the .enc extension and changes the original icons of the files. For instance, a file like 1.pdf will change to 1.pdf.enc. After this, a text file named README is created. Within the file, the cybercriminals tell victims what must be done to recover the files. Victims are told to write an e-mail message to prestige.ranusomeware@proton.me and include their personally generated ID. Following this, the extortionists give more explicit instructions on how to purchase the decryption tool.
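The entries above all describe the same triage signal in different forms: a renamed file that carries an appended extension and, for the Dharma-style bDAT, the Phobos-style Duck and the AROS variants, a victim ID and a contact e-mail address as well, plus a ransom note with a known file name. The following added example (our own illustration, not code from any of the ransomware families or articles above) turns those naming patterns into a small classifier that a responder can run over a directory listing to identify the likely family, pull out the victim ID and contact address for the incident record, and list which note files to look for. The regular expressions are built from the examples given in the entries above; the sample listing at the bottom is constructed, and a bare .enc match is flagged as weak evidence because that extension is also used by many legitimate tools.

```python
"""Triage helper for the encrypted-file naming patterns described above.

Added example, not code from the page or from any ransomware family it
describes. Patterns and note names come from the summaries on this page;
the SAMPLE_FILES listing below is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Match:
    family: str
    original_name: str        # name before the ransomware renamed the file
    extension: str            # appended extension
    victim_id: Optional[str]  # only present for ID-bearing families
    contact: Optional[str]    # only present for e-mail-bearing families
    notes: Tuple[str, ...]    # ransom-note file names to look for nearby
    weak: bool                # True when the extension alone is weak evidence


_HEX = r"[0-9A-Fa-f]+"
_MAIL = r"[^\[\]\s]+@[^\[\]\s]+"

# (family, anchored regex, ransom notes, weak). Named groups: orig, vid, mail, ext.
PATTERNS = [
    # Dharma-style bDAT: <name>.id-<ID>.[<email>].bDAT
    ("bDAT (Dharma)",
     re.compile(rf"^(?P<orig>.+)\.id-(?P<vid>{_HEX})\.\[(?P<mail>{_MAIL})\]\.(?P<ext>bDAT)$"),
     ("info.txt",), False),
    # Phobos-style Duck: <name>.id[<ID>-<4 hex>].[<email>].duck
    ("Duck (Phobos)",
     re.compile(rf"^(?P<orig>.+)\.id\[(?P<vid>{_HEX}-[0-9A-Fa-f]{{4}})\]\.\[(?P<mail>{_MAIL})\]\.(?P<ext>duck)$"),
     ("info.hta", "info.txt"), False),
    # AROS: <name>.[<ID>].[<email>].ARS
    ("AROS",
     re.compile(rf"^(?P<orig>.+)\.\[(?P<vid>{_HEX})\]\.\[(?P<mail>{_MAIL})\]\.(?P<ext>ARS)$"),
     ("How_to_decrypt_files.txt",), False),
    # Plain appended extensions
    ("Azov", re.compile(r"^(?P<orig>.+)\.(?P<ext>azov)$"), ("RESTORE_FILES.txt",), False),
    ("Maze", re.compile(r"^(?P<orig>.+)\.(?P<ext>maze|ILnnD)$"),
     ("DECRYPT-FILES.html", "DECRYPT-FILES.txt"), False),
    ("Killnet", re.compile(r"^(?P<orig>.+)\.(?P<ext>killnet)$"), ("Ru.txt",), False),
    ("DAGON LOCKER (Mount Locker)", re.compile(r"^(?P<orig>.+)\.(?P<ext>dagoned)$"),
     ("README_TO_DECRYPT.html",), False),
    # ".enc" is used by plenty of legitimate tools, so this is only a lead until
    # the README note and the contact address in it are confirmed.
    ("Prestige", re.compile(r"^(?P<orig>.+)\.(?P<ext>enc)$"), ("README",), True),
]


def classify(path: str) -> Optional[Match]:
    """Return the matching family for one path, or None if no pattern fits."""
    name = re.split(r"[\\/]", path)[-1]  # accept Windows or POSIX paths
    for family, rx, notes, weak in PATTERNS:
        m = rx.match(name)
        if m:
            g = m.groupdict()
            return Match(family, g["orig"], g["ext"], g.get("vid"), g.get("mail"), notes, weak)
    return None


def triage(paths: List[str]) -> Dict[str, object]:
    """Summarise a listing: counts per family, IDs and contacts seen, notes to hunt for."""
    families: Dict[str, int] = {}
    ids, contacts, notes = set(), set(), set()
    unmatched = 0
    for p in paths:
        m = classify(p)
        if m is None:
            unmatched += 1
            continue
        families[m.family] = families.get(m.family, 0) + 1
        if m.victim_id:
            ids.add(m.victim_id)
        if m.contact:
            contacts.add(m.contact)
        notes.update(m.notes)
    return {"families": families, "victim_ids": sorted(ids), "contacts": sorted(contacts),
            "notes": sorted(notes), "unmatched": unmatched}


# Constructed sample listing (not real victim data), mirroring the examples above.
SAMPLE_FILES = [
    "1.pdf.id-9ECFA84E.[bkpdata@msgsafe.io].bDAT",
    "budget.xlsx.id-9ECFA84E.[bkpdata@msgsafe.io].bDAT",
    r"C:\Users\victim\Desktop\1.pdf.id[9ECFA84E-3316].[supprecovery@torguard.tg].duck",
    "1.pdf.[5d3e178db8].[luckyguys@tutanota.com].ARS",
    "1.png.azov",
    "1.pdf.ILnnD",
    "notes.txt.killnet",
    "1.pdf.dagoned",
    "1.pdf.enc",
    "info.txt",     # a ransom note, not an encrypted file
    "report.docx",  # untouched file
]

if __name__ == "__main__":
    for p in SAMPLE_FILES:
        m = classify(p)
        tag = f"{m.family}{' (weak)' if m.weak else ''}" if m else "no match"
        print(f"{p:75} -> {tag}")
    print(triage(SAMPLE_FILES))
```

Feed it the output of a directory walk rather than a hand-typed list in practice; the victim IDs and contact addresses it collects are exactly the strings that identify the campaign when you search vendor write-ups or submit a sample to a decryptor service.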