Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Eeyee Ransomware and decrypt .eeyee files

Eeyee is a dangerous virus that encrypts data with cryptographic ciphers so that victims can no longer access it. This type of infection is classified as ransomware and aims to pressure its victims into paying for decryption. To show that files stored on a PC have been encrypted, the virus appends its own .eeyee extension together with a string of random symbols generated uniquely for each encrypted file. For instance, a file like 1.pdf will be changed to 1.pdf._9kS79wzVPITFK7aqOYOceNkL7HXF2abMSeeTutfPGP_I8Rqxs2yWeo0.eeyee or similarly with other symbols. Encrypted files are blocked from any access and their icons are reset to blank. Almost immediately after encryption, Eeyee creates the 6pZZ_HOW_TO_DECRYPT.txt text note with ransom instructions. The note is meant to inform victims about the changes and guide them through the recovery process. The cybercriminals say it is mandatory to purchase special decryption software to return the files and prevent leaks of the compromised data. Victims are instructed to contact the swindlers using the onion link in Tor Browser. After completing these steps, victims will get in touch with the developers and learn further details on buying the tools. The note also contains messages advising victims not to modify data or ask for help from third parties (FBI, Police, recovery companies, etc.).

How to remove Youneedtopay Ransomware and decrypt .youneedtopay files

Youneedtopay is a type of virus categorized as ransomware. It encrypts personal files and demands money for their return. During this process, the ransomware assigns the .youneedtopay extension to all blocked data. For instance, a file like 1.pdf will be changed to 1.pdf.youneedtopay and lose its original icon. After making these changes, the virus creates a text note called READ_THIS.txt, which is meant to explain the decryption instructions. The desktop wallpaper is altered as well. Take a closer look at its content below.

How to remove Admin Locker Ransomware and decrypt .admin1 files

Admin Locker is the name of a ransomware virus that started spreading in December 2021. It uses a combination of AES and RSA algorithms to encrypt the stored data. This affects both access to the files and their visual appearance. Admin Locker appends one of the following extensions to all blocked data - .admin1, .admin2, .admin3, .1admin, .2admin, or .3admin. It does not matter which one was applied in your case; their only function is to mark files as encrypted so that victims notice it. For instance, a file like 1.pdf will change to 1.pdf.1admin (or another of these extensions) and become inaccessible. After encryption is done, Admin Locker explains how to recover the data in its text note (!!!Recovery File.txt) and on a web page that can be accessed via the Tor link.

How to remove Noway Ransomware and decrypt .noway files

Noway is a ransomware infection that encrypts all important data using the AES-256 algorithm. It also renames the blocked data with randomly generated symbols and the .noway extension. To illustrate, a file like 1.pdf will change to 611hbRZBWdCCTALKlx.noway and lose its original icon upon successful encryption. As a rule, the majority of ransomware-encrypted files cannot be decrypted without the help of the cybercriminals. Despite this, Noway Ransomware is one of the few that can be officially decrypted for free using the Emsisoft tool. You can download it further in our guide below. We encourage you not to rush the decryption process, as you must delete the virus first (also covered in this tutorial). In addition to encrypting personal data, Noway drops a text note called Unlock your file Instraction.txt. The note shows how to recover your data with the help of the ransomware developers. The crooks give 72 hours to decide whether to pay the ransom. If victims miss this payment deadline, the swindlers claim the data will become inaccessible forever. This is not true, as Emsisoft developers managed to break the encryption and help victims decrypt files affected by Noway for free.

How to remove RL Wana-XD Ransomware and decrypt .XD-99 files

RL Wana-XD is a ransomware infection that encrypts important data stored on a PC. To mark the affected files, the virus adds its own .XD-99 extension to all of their names. For instance, a file like 1.pdf will change to 1.pdf.XD-99 and lose its original icon. As a result, victims will no longer be able to open the file or view its content. To reverse this, the developers of RL Wana-XD direct their victims to special decryption instructions inside a text note (Readme.txt). The text note is short, yet specific - the developers claim the only way to return your data is to pay for unique decryption software and a key. To do this, victims are told to contact the swindlers through the Wana-XD@bk.ru or RL000@protonmail.ch e-mail addresses. Unfortunately, the keys RL Wana-XD Ransomware uses to encrypt your data are usually generated securely and stored in ONLINE mode (on the attackers' side). This means decryption with third-party tools is unlikely to work, or will recover only part of the data. Unless your personal ID ends with t1, third-party decryption is less likely to help. At the same time, paying the cybercriminals always carries risk, as they can deceive their victims and never send the promised decryption.

How to remove Razer Ransomware and decrypt .razer files

Razer is the name of a ransomware infection that encrypts data and demands that victims pay money for its return. Users infected with this virus will see their file names changed to include a random string of characters, the cybercriminals' e-mail address (razer1115@goat.si), and the .razer extension at the end. For instance, a file named 1.pdf that went through these changes will look something like 1.pdf.[42990E91].[razer1115@goat.si].razer and have its icon reset to blank. To decrypt the data, the virus developers tell victims to follow the instructions provided in the readme-warning.txt text note. It says victims should contact the fraudsters using one of the e-mails (razer1115@goat.si, pecunia0318@tutanota.com, or pecunia0318@goat.si) and pay the ransom in bitcoins. To convince victims that they can be trusted, the cybercriminals offer a so-called guarantee option, where victims are allowed to send 2 files with simple extensions (max 1MB) and receive them decrypted for free. Many ransomware creators use this trick to prompt victims into paying the ransom and staying in contact with them. We highly recommend that you avoid meeting the developers' demands and instead recover your data from a backup.

How to remove Surtr Ransomware and decrypt .SURT files

Discovered by a malware researcher named S!Ri, Surtr is a ransomware program developed to encrypt various types of personal data. Commonly used files such as music, photos, and documents are typically affected during the attack. Surtr uses the cybercriminals' e-mail (DecryptMyData@mailfence.com) and the .SURT extension to rename all the blocked data. For example, a file like 1.pdf will change to 1.pdf.[DecryptMyData@mailfence.com].SURT and have its original icon reset to blank. The same change is applied to all other data that went through the encryption. In addition, two files are created upon successful encryption - a text note called SURTR_README.txt and SURTR_README.hta, which is meant to open a pop-up window. Both files are used to deliver the ransom instructions to victims. You can take a closer look at their contents below:

How to remove Dharma-Dr Ransomware and decrypt .dr files

Being part of the Dharma ransomware family, Dr is another file-encryptor that blocks access to data and demands that its victims pay money for its return. As soon as encryption takes effect, all files stored on the system are renamed with the victim's unique ID, the developers' e-mail address, and the .dr extension. An affected file like 1.pdf will be transformed into something like 1.pdf.id-1E857D00.[dr.decrypt@aol.com].dr, and so on for other encrypted data. The only variable part is the victim's ID, so it will most likely differ for each infected user. After successful encryption, the virus creates a text note called FILES ENCRYPTED.txt. It also force-opens a pop-up window containing the same ransom instructions as the note. Victims are instructed to contact the extortionists via e-mail. Their e-mail address is also visible inside the new extension added to the blocked data. If the developers do not respond within 12 hours, victims are told to write to another e-mail address stated in the note. Furthermore, the crooks behind Dr Ransomware warn their victims not to rename files or use third-party tools to decrypt them. There is also no information on how much victims should pay for the decryption of their data, as this is only revealed when contacting the fraudsters.