Ransomware

STOP/Djvu has been one of the most popular and devasting ransomware families that target a lot of worldwide users. It is operated by experienced developers that create and issue new ransomware versions on a regular basis. Alike other malware of this type, STOP/Djvu uses strong cryptographic algorithms along with assigning custom extensions to restrict access to data. After this, users become unable to open their files as they are blocked with secure ciphers. While being depressed and mentally down after receiving the virus, cybercriminals offer a file-saving solution - to buy special decryption software that will return access to data. They show ransom instructions inside of a note (.txt, HTML, or pop-up window) that is created at the end of encryption. Victims are often instructed to contact developers and send an estimated sum of money in BTC or other cryptocurrencies. However, it is obvious that many would like to avoid it and recover the files for free or at least at a low price. This is exactly what we are going to talk about today. Follow our guide below to learn all the necessary steps you should apply to decrypt or restore files blocked by STOP/Djvu.

NRCL blocks access to data and asks its victims to pay the so-called ransom. Malware that runs data encryption and extorts money from the infected is usually categorized as ransomware. NRCL does it using strong cryptographic ciphers to prevent manual file decryption. Upon its successful encryption, files stored on a system will undergo two visual changes - the new .NRCL extension and icons reset to blank. A sample that went through these changes would look something like this 1.pdf.NRCL. In addition, NRCL creates a text file called Note.txt with instructions on how to return your data. The same information is also concealed inside of a small decryption utility that can be opened through NRCL_Decryptor.exe. The content of both files says there is only one way to recover your data - pay 300$ for the decryption. Extortionists also guide victims to not shut their PC or run manipulations with files. To complete the payment and get a special decryption key, victims have to contact developers via e-mail communication. After that, victims should receive the key, insert it into the dedicated space of the pop-up window and click on Decrypt. However, at the moment of writing this article, malware experts found that e-mails provided by NRCL are non-existent meaning this ransomware can still be under development.

MME is categorized as a ransomware infection that spreads into unprotected systems to encrypt data and extort money from victims for its return. The virus uses its own extension (.MME) to highlight the blocked data and make users spot its restriction. For instance, a previously untouched file called 1.pdf will change to 1.pdf.MME and reset its original icon upon successful encryption. As a result of this change, victims will no longer be able to access the file. In order to fix this and get back to regular usage of files, cybercriminals offer to opt for the paid solution - buy special decryption software that will return your data. Instructions to do are listed in a text note named Read_Me.txt that comes along with the encryption. You can take a look at its detailed content here below:

BLUE LOCKER is a high-risk infection classified as ransomware. Its main purpose lies in extorting money from victims after successful encryption of personal data. It assigns the new .blue extension and issues a text note called restore_file.txt to guide victims through the recovery process. This means a file like 1.pdf will be altered to 1.pdf.blue and reset its original icon. The text inside of the note is similar to other ransomware infections. It is said that all files have been encrypted, backups deleted, and copied to the server of cybercriminals. To revert the damage and return back to normal experience with fully functioning files, victims should buy a universal decryptor held by malware developers. If you decide to ignore the requests of cybercriminals, they will start flushing your files on dark web resources. While contacting developers on the decryption, it is offered to send 1 file so they can unlock it for free. Communication between victims and cybercriminals is written to be established via e-mail methods (grepmord@protonmail.com). After getting in touch with them, victims will retrieve further instructions on how to pay and acquire the decryption software.

Originating from Italy, Giuliano is a ransomware-type program set up with strong cryptographic algorithms (AES-256) to run secure encryption of data. Upon blocking access off to personal files, extortionists try to deceive victims into paying money for the decryption of data. Victims can detect their files have been encrypted simply by looking at the extension - the virus appends the new ".Giuliano" extension to highlight the blocked data. This means a file like 1.pdf will change to 1.pdf.Giuliano and reset its original icon. Information about file recovery can be found inside of a text note called README.txt. Decryption instructions inside of this file are represented in the Italian language. Cybercriminals inform victims about successful infection and encourage them to follow listed instructions. They say you should visit a GitHub page to fill out some forms. After this, malware developers are likely to get in touch with their victims and ask to pay some money-ransom. Usually, it is requested to run the payment in BTC or other cryptocurrency used by developers. Alas, ciphers applied by Giuliano Ransomware are strong and barely decryptable with third-party tools. For now, the best way to recover your files aside from collaborating with swindlers is to use backup copies.

Being a dangerous ransomware virus, Rook targets data encryption and tries to blackmail users into paying the ransom. The virus is easy to distinguish from other versions as it assigns the .rook extension to all blocked data. This means a file like 1.pdf will change to 1.pdf.rook and reset its original icon upon successful encryption. Right after this, Rook Ransomware creates a text note named HowToRestoreYourFiles.txt showing users how they can recover the data. The text note content says you can restore access to the entire data only by contacting swindlers and paying the money ransom. Communication should be established by e-mail (rook@onionmail.org; securityRook@onionmail.org) or TOR browser link attached to the note. While writing a message to cyber criminals, victims are offered to send up to 3 files (no more than 1Mb) and have them decrypted for free. This way cybercriminals prove decryption abilities along with their trustworthiness to some extent. Also, if you contact extortionists within the given 3 days, cybercriminals will provide a 50% discount for the price of decryption. Unless you fit in this deadline, Rook developers will start leaking your files to their network to abuse them on darknet pages afterward. They also say no third-party instruments will help you recover the files.

HarpoonLocker is the name of a recent ransomware infection reported by users on malware forums. The virus runs encryption of data with AES-256 and RSA-1024 algorithms making all restricted data cryptographically secure. As a result of this configuration change, users will be no longer able to access their own data stored on infected devices. HarpoonLocker assigns the .locked extension, which is commonly used by many other ransomware infections. This makes it more generic and sometimes hard to differ from other infections like this. It also creates a text note (restore-files.txt) containing ransom instructions. Developers say all data has been encrypted and leaked to their servers. The only way to revert this and get files back safely is to agree on paying the ransom. Victims are instructed to download the qTOX messenger and contact extortionists there. There is also an option to try decryption of 3 blocked files for free. This is a guarantee given by cybercriminals to prove they can be trusted. Unfortunately, there are no other contacts apart from qTOX that victims could use to get into a discussion with cybercriminals. Many cyber researchers joked that HarpoonLocker should also be called Unnamed qTOX Ransomware since there is nobody victims can talk to. For this and many other reasons, it is highly advised against meeting the listed requirements and paying the ransom. Quite often cybercriminals fool their victims and do not send any decryption tools even after receiving the money.

First found and researched by an independent expert named S!R!, NoCry is a ransomware program designed to run data encryption. It is a very popular scheme employed by ransomware developers to extort money from victims upon successful restriction of data. For now, there are two known versions of NoCry differing by extensions assigned to blocked data. It is either .Cry or .IHA extension that will be appended to encrypted files. For instance, 1.pdf will change its look to 1.pdf.Cry or 1.pdf.IHA and reset its shortcut icon to blank after getting affected by malware. Extortionists behind NoCry Ransomware demand payment for returning the data via an HTML file called How To Decrypt My Files.html. It also force-opens a pop-up window that victims can interact with to send the ransom and decrypt their data. The contents of both are identical and inform victims about the same. NoCry gives about 72 hours to send 100$ in BTC to the attached crypto address. If no money will be delivered within the allocated timeline, NoCry will delete your files forever. This is an intimidation strat meant to hurry up victims and pay the demanded ransom quicker.