Ransomware

Polis is a recent ransomware infection. Alike other malware within this category, it renders files inaccessible and demands victims to pay a monetary ransom. During encryption, the virus assigns its own .polis extension to highlight the blocked data. For instance, an innocent file previously named 1.pdf will change its name to 1.pdf.polis and reset the original icon as well. Following this, Polis Ransomware creates a text note (Restore.txt) to instruct what victims should do. It is said victims have 2 days to establish contact with cybercriminals (via e-mail) and pay money to them for decryption. Otherwise, if the deadline will not be met, extortionists promise to publish the uploaded copies of locked data on special public domains. By posing such threats, cybercriminals try to make victims act immediately and follow what the guidelines say.

Moisha is a ransomware virus developed and promoted by the PT_MOISHA Hacking Team. This group of developers targets files of business-related users. After infiltrating the system and running strong encryption of data, the cybercriminals demand $10,000 in ransom for file decryption and a guarantee to not publish the collected information. All of this information is presented in more detail within the !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html text note created after successful encryption. Unlike other ransomware infections, Moisha does not add any custom extensions to the affected files.

If your files became no longer accessible and now appear with the new .MEOW extension (then .PUTIN, .KREMLIN and .RUSSIA extensions), then you are most likely infected with Meow Ransomware (a.k.a. MeowCorp2022 Ransomware and ContiStolen Ransomware). This file-encryptor blocks access to practically all types of system-stored data using the ChaCha20 algorithm and demands victims to establish contact with its developers (presumably to pay for decryption). In addition, it was also determined that this ransomware works on code stolen from another popular file-encryptor named Conti-2 Ransomware. Information about contacting swindlers can be found inside a text note called readme.txt, which the virus drops into each folder with encrypted files.

Loplup is a file-encrypting virus that was determined to be part of the ZEPPELIN ransomware family. While restricting access to system-stored data, it renames attacked files by adding the custom .loplup.[victim's_ID] extension. This means a file previously called 1.pdf will change to something like 1.pdf.loplup.312-A1A-FD7. Note that the victim's ID is variable so it can be different in your case. Following successful encryption of data, Loplup creates a text file (!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT) that contains decryption guidelines.

FirstKill is a ransomware infection designed to encrypt users' data and blackmail victims into paying financial ransom for its recovery. It uses AES and RSA military-grade algorithms to run strong encryption and prevent victims from re-accessing their files. During this process, FirstKill also renames all targeted files with the .FirstKill extension and resets their original icons to blank. For instance, a previously untouched file like 1.pdf will change to 1.pdf.FirstKill and become no longer accessible. Following this, the virus creates a text note called CO_SIĘ_STAŁO.html which contains instructions for decrypting the data.

ChinaHelper is a ransomware virus designed to encrypt personal data and blackmail victims into paying the ransom. While restricting access to data with the help of AES-256 and RSA-2048 algorithms, the virus assigns the .cnh extension so that a file like 1.pdf turns into 1.pdf.cnh, for instance. The next thing ChinaHelper does is creating a text note called README.txt. There is also another variant spotted in a later distribution, which assigned .cnhelp or .charm extension to files and created the HOW_TO_RETURN_FILES.txt file instead.

Bom is the name of a ransomware infection. Malware within this category encrypts system-stored data and demands victims to pay money for its return. This ransomware variant is also a by-product of the VoidCrypt family. During encryption, the virus renames all targeted files according to this example - 1.png.[tormented.soul@tuta.io][MJ-KB3756421908].bom. Your renamed files may slightly vary (e.g., different string of characters), but the basis will remain the same. After successfully restricting access to data, the ransomware creates a text note called Scratch - to provide decryption guidelines.

DASHA Ransomware is a new variant of Eternity Ransomware. This malware is designed to encrypt system-stored data and demand money for its decryption. While restricting access to files (e.g., photos, videos, documents, databases, etc.), the virus alters file appearance with the .ecrp extension. For instance, a file previously named 1.pdf will therefore change to 1.pdf.ecrp and become no longer accessible. Once this process gets to a close and all targeted files are eventually renamed, DASHA replaces the desktop wallpapers and displays a pop-up window with ransom instructions.