
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove ZareuS Ransomware and decrypt .ZareuS files

ZareuS is the name of a ransomware infection that encrypts files and extorts a payment in cryptocurrency from victims. During encryption, the virus alters the appearance of files by appending the .ZareuS extension. In other words, if a file like 1.pdf is affected by the infection, it is renamed to 1.pdf.ZareuS and its original icon is reset as well. Thereafter, to guide victims through the decryption process, cybercriminals create a text file called HELP_DECRYPT_YOUR_FILES.txt in each folder containing no longer accessible data. It states that the encryption was performed with a strong RSA algorithm. Victims are therefore instructed to buy a special decryption key, which costs $980, and the amount has to be sent to the cybercriminals' crypto address. After doing so, victims have to notify the attackers of the completed payment by writing to lock-ransom@protonmail.com (the e-mail address provided by the attackers). As an additional measure to incentivize victims into paying the ransom, the extortionists offer to decrypt 1 file for free. Victims can take them up on this and receive one file fully unlocked to confirm that decryption actually works. It is unfortunate to say this, but files encrypted by ZareuS Ransomware are almost impossible to decrypt without the help of the cybercriminals. Third-party decryption is only feasible if the ransomware is buggy, contains flaws, or has other drawbacks that weaken its encryption. A better and guaranteed method to get your data back is to recover it from backup copies. If such copies are available on non-infected external storage, you can easily replace your encrypted files with them.

How to remove LokiLok Ransomware and decrypt .LokiLok files

LokiLok is the name of a ransomware infection. Upon successful installation on a targeted system, it encrypts important files and blackmails victims into paying money for their decryption. We also discovered that LokiLok was developed on the basis of another ransomware virus called Chaos. Once encryption occurs, victims see their data renamed with the .LokiLok extension. To illustrate, a file named 1.pdf will most likely change to 1.pdf.LokiLok and have its original icon reset. After this, victims are no longer able to access their data and must look for decryption instructions in the read_me.txt file. The virus also replaces the default wallpaper with a new picture. Cybercriminals want victims to buy a special decryption tool. To do this, victims are told to contact the extortionists using the attached e-mail address (tutanota101214@tutanota.com). Before buying the necessary software, victims are also offered to send 2 small files, which the cybercriminals promise to decrypt and send back to prove their decryption abilities. In addition, the message instructs victims against trying external recovery methods, claiming this may lead to irreversible destruction of data. Whatever guarantees are given by ransomware developers, trusting them is never recommended. Many fool their victims and do not send the decryption software even after receiving payment.

How to remove Pay Ransomware and decrypt .Pay files

Pay Ransomware is, in other words, a file-encryptor that prevents users from accessing their own data. A recent investigation confirmed that this virus belongs to a group of ransomware developers known as Xorist. Similar to other infections of this type, the virus renames all encrypted files with the .Pay extension. To illustrate, a file named 1.pdf will change to 1.pdf.Pay and have its original icon reset as well. After finishing encryption, Pay Ransomware displays a pop-up window and creates a text file titled HOW TO DECRYPT FILES.txt. Both contain identical information on how to regain access to files. It is said that victims can restore access to their files by paying $50 to the cybercriminals' Bitcoin address. After completing the payment, victims have to contact the extortionists via the qTox client to receive their decryption code. There is also a warning that 5 unsuccessful attempts to enter the right code will result in irreversible destruction of data. Following this, the swindlers encourage victims to be careful when entering the code. Additionally, it is also said that no third-party software like antivirus will help, but will only prevent further decryption of data. Unfortunately, what they outline in their messages can be true: some cybercriminals set up protection against manual attempts to decrypt blocked data. In such a case, if you are in urgent need of restoring your files, the only options are either to pay the required ransom or to use your own backup copies from external storage to compensate for the loss.

How to remove CryptBIT Ransomware and decrypt .cryptbit files

CryptBIT encrypts system-stored files, making them no longer accessible, and demands that victims pay 400 EUR for data decryption. Infections operating this way are therefore categorized as ransomware. During encryption, CryptBIT marks blocked data by adding a new extension (.cryptbit). In other words, a file like 1.pdf will change to 1.pdf.cryptbit and have its original icon reset as well. The same change occurs with all other file types encrypted by the ransomware. The virus also changes the desktop wallpaper and creates a text file named CryptBIT-restore-files.txt in each encrypted folder. This file instructs victims on how to decrypt their data. The note states that all files have been encrypted and uploaded to external servers. It is therefore said that victims can recover their data, but have to send 400 EUR (in bitcoins) to the attached crypto address. Cybercriminals also ask victims to include their e-mail address, to which they promise to send the necessary file decryptor. Unfortunately, it is unclear how victims are supposed to do this. When performing cryptocurrency transfers, it is often (if not always) impossible to include additional information like an e-mail address. Such technical inconsistencies already give strong reasons not to trust the cybercriminals behind CryptBIT Ransomware. It is also possible that this ransomware is only a pilot version, and that the cybercriminals will distribute an updated variant in the future. Whatever the case, paying the ransom is never recommended.

How to remove Kekware Ransomware and decrypt .cyn files

Kekware is a recent ransomware-type virus. The main symptom of this infection successfully breaching a system is strong encryption of data. As a result, users are no longer able to access or modify files as they did previously. Victims will also see a change in how their data appears: all encrypted files are renamed according to the following pattern - [random_string].[original_extension][random_string].cyn. To illustrate, a file like 1.pdf may change to something like 7462.jpg7088.cyn and have its original icon reset as well. After this part of encryption is done, the virus creates a file called YcynNote.txt, which holds the decryption instructions. As stated in the note, victims are told to pay a ransom of $500 in bitcoin to the attached cryptocurrency wallet. If victims decide not to follow the demands, the cybercriminals claim that no decryption of data will ever be possible without their involvement. Unfortunately, at the moment of writing this article, this claim should indeed be taken quite seriously. If you do not have backup copies of your data saved on external storage devices, you have only a slim chance of decrypting the Kekware data using third-party tools.

How to remove NOKOYAWA Ransomware and decrypt .NOKOYAWA files

NOKOYAWA is a ransomware-classified infection that encrypts data and blackmails victims into paying money for its recovery. A report published by Trend Micro noted that NOKOYAWA Ransomware shares attack traits with Hive, a widespread and disruptive group of developers that breached more than 300 organizations in just a few months. Cybercriminals behind NOKOYAWA Ransomware use the .NOKOYAWA extension to rename targeted data. For instance, a file like 1.xlsx will change its name to 1.xlsx.NOKOYAWA and have its original icon reset as well. Successful encryption is then followed by ransom note creation: the NOKOYAWA_readme.txt file appears on the desktop. Inside this note, the cybercriminals attempt to convince victims to opt for paid decryption. They duplicate the information in English and Chinese, guiding victims to contact the extortionists through one of their e-mail addresses (brookslambert@protonmail.com or sheppardarmstrong@tutanota.com). Should victims refuse, the swindlers threaten to publish, as they say, "black shit" to open-access resources. The price for decryption is kept secret until victims establish contact, and it is also likely to be set individually for each victim. In other words, the ransom amount may vary greatly depending on how valuable the captured data is. As a rule, it is not recommended to trust cybercriminals and follow their demands, since doing so can simply result in wasted money.

How to remove D3adCrypt Ransomware and decrypt .d3ad files

D3adCrypt encrypts system-stored data (adding the .d3ad extension) and demands that victims pay a monetary ransom for its return. For instance, a file like 1.pdf will become 1.pdf.d3ad and have its original icon reset as well. A ransom note (d3ad_Help.txt) is also created, explaining to victims how they can regain access to their files. It says victims should write an e-mail containing their personal ID to the provided d3add@tutanota.com address. In case nobody responds, there is an additional e-mail address victims should contact as well (propersolot@gmail.com). The cybercriminals conclude the ransom message with warnings against renaming files, decrypting files on your own, or involving the help of third parties. Note that the price for decryption is kept secret until victims establish further communication with the cybercriminals. It is also possible for the price to vary depending on how much damage victims suffered during encryption. Usually, cyber experts do not recommend paying the ransom: extensive research shows that many extortionists fool their victims and do not provide them with the promised decryption tools. Alas, there are no feasible ways to decrypt your data at the moment of writing this article. It may become possible in the future, but no one can say when. You can try some trusted and widely used tools from our guide below, but there is no guarantee they will actually help. For now, the best way to avoid paying the ransom and still recover your data is via backup copies.

How to remove Spark Ransomware and decrypt .Spark files

Discovered by MalwareHunterTeam, Spark is a ransomware virus designed to keep files locked and blackmail victims into paying money to return them. This is done through the so-called encryption process, in which infections of this kind use strong military-grade algorithms to generate ciphers. As a result, the data is no longer accessible to users. People attacked by Spark Ransomware will see their files renamed to something like 1.pdf.Spark, with their icons reset. After rendering all targeted files inaccessible, the virus displays a pop-up window containing ransom instructions. The cybercriminals say decryption is impossible without a special private key. This is why victims are guided to purchase the key by contacting the developers via their e-mail address (notvalidemailadress.ransom@gmail.com). The swindlers also warn against modifying files or shutting down the PC, which they claim may result in permanent data loss and system damage as well. There is a timer within which victims should contact the developers and pay for decryption. However, the extortionists do not specify what will happen after the time expires. Based on other ransomware analyses, many fraudsters threaten to permanently delete the collected data or leak it to dark web resources, though this does not prove the same is the case with Spark Ransomware. It is unfortunate to acknowledge, but you are unlikely to find a 100% working decryption tool for .Spark files.