Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove RansomNow Ransomware and decrypt your files

RansomNow is another file-encrypting virus issued by cybercriminals to extort money from desperate victims. It is very similar to the already-discussed Polaris Ransomware, as it runs the same encryption pattern with AES and RSA algorithms. Another similarity shared between these ransomware attacks is that they do not attach any new extension to enciphered data. Although files do not undergo any significant visual changes, users will still be unable to open them. The virus also creates a text file called README TO UNLOCK FILES.txt that contains decryption instructions. The developers say victims can restore the data only by purchasing a special key. The price to be paid equals 0.0044 BTC, which is approximately $250 at the moment of writing this article. Keep in mind that cryptocurrency rates change constantly, so there is a chance you would have to pay more or less even tomorrow. After sending the required amount of BTC, users are told to deliver proof of the transaction to the attached e-mail address (ransomnow@yandex.ru). In addition, the crooks list a couple of resources where the required cryptocurrency can be bought, in case you are new to the crypto world. Victims are also strongly warned against manipulating the files themselves or with the help of third-party tools.

How to remove Decaf Ransomware and decrypt .decaf files

Decaf is categorized as a ransomware program designed to blackmail victims into paying money for the recovery of blocked data. Its first attacks were registered at the beginning of November 2021 and continue to hit multiple users. The virus employs its own extension, .decaf, which is assigned during encryption. An example of how a file would look after encryption is "1.pdf.decaf". It is impossible to miss the infection because all files lose their accessibility and their icons as well. Upon successful application of the cryptographic ciphers, Decaf creates a text note named README.txt that contains information on how to recover your data. The cybercriminals say all server and PC data has been encrypted with strong algorithms that prevent any third-party decryption. The only possible way to restore access to the data, they claim, is to use a special "universal" decryptor held by the extortionists. To learn further instructions regarding decryption, victims are told to write to the attached e-mail address (22eb687475f2c5ca30b@protonmail.com). From there, they will likely be informed about the price of the decryption software and the ways to obtain it. As a rule, cybercrooks request that their victims send varying amounts of money in some cryptocurrency to their wallets. The range can fluctuate from hundreds to thousands of dollars for the restoration of data.

How to remove Polaris Ransomware and decrypt your files

Polaris is a ransomware program that uses a combination of AES and RSA algorithms to encrypt users' data. Unlike other infections of this type, Polaris does not add any extension to the encrypted files. The only thing that changes is accessibility: victims are no longer able to open the stored data. To solve this, the Polaris developers encourage their victims to read the recovery instructions in a file called WARNING.txt. The text note is created at the end of encryption and says you should contact the extortionists by e-mail (pol.aris@opentrash.com or pol.aris@tutanota.com). There is also an option to add the cybercriminals on Discord instead. When writing a message, victims are told to state the name of the company that came under attack. This is a clue that Polaris targets business networks that could afford to pay the required ransom. The most common advice you may see on the web regarding ransom payments is to avoid them as much as possible. This is sound advice because many cybercriminals fool their victims and never send any decryption tools.

How to remove Hamster Ransomware and decrypt .hamster files

If you have found that your files have a new .hamster extension and are no longer accessible, then you are infected with a virus called Hamster Ransomware. Infections of this type alter your PC settings in order to run data encryption. They also apply some visual changes so that victims notice the result of the infection. After successful encryption, you will see a file like 1.pdf change to 1.pdf.hamster and its default icon reset to blank. The virus will also create a text note called How To decrypt.txt. As stated in the note, Hamster Ransomware penetrated your network and blocked access to most of the data. To get it back, victims are instructed to contact the cybercriminals with their assigned ID and purchase the decryption tool. Victims are told to reach out to the malware developers using the TOX messenger, which they should install if it is absent. The fraudsters also advise contacting them within 72 hours of the attack; this way, the price for complete data recovery will supposedly be reduced. It is also mentioned that the attackers will explain how they infiltrated your system and what can be done to fix the existing vulnerability in the future.

How to remove Hospitalhelper Ransomware and decrypt .hospitalhelper files

Hospitalhelper is the name of another ransomware infection. Although it is new, the virus copies traits of other popular versions. File encryption, a new extension, and a ransom note are the main changes brought by Hospitalhelper. For instance, a file like 1.pdf will change to something like 1.pdf.hospitalhelper.5BB-DE6-0CC and have its shortcut icon reset. While .hospitalhelper is a constant extension, 5BB-DE6-0CC represents a random combination of characters reflecting the victim's ID. After your files have been altered this way, access to them will no longer be available. Hospitalhelper also creates a text note called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT that contains the ransom instructions.

How to remove Scott.Armstrong Ransomware and decrypt .LOCKED files

Scott.Armstrong is a ransomware virus that encrypts sensitive files and appends the .LOCKED extension. This is meant to mark the blocked data and catch the attention of infected victims. For example, a file like 1.pdf will change to 1.pdf.LOCKED and have its original icon reset. After this, users will no longer be able to access their data as before. Right at the end of encryption, the virus triggers a pop-up window called HOW_TO_RECOVER_MY_FILES.hta. It also creates a separate text note (HOW_TO_RECOVER_MY_FILES.txt) containing detailed instructions on how to get your data back. The text note instructs victims to install the qTox private messenger and contact the developers using the provided TOX-ID. Alternatively, victims may establish contact with the cybercriminals through e-mail by sending the Key Identifier attached in the note. Victims are also allowed to send up to 3 files together with the Key ID to have them decrypted for free. These files should be less than 5MB each, not archived, and must not contain any valuable information (e.g. databases, backups, large Excel sheets, etc.). Based on the message content, it is clear that Scott.Armstrong puts more emphasis on infecting company networks in order to extort bigger ransoms.

How to remove Willow Ransomware and decrypt .willow files

Willow encrypts personal data using cryptographic ciphers, changes file extensions to .willow, and demands a $500 payment to undo the changes. All of these traits categorize it as ransomware. A sample of encrypted data would look something like 1.pdf.willow. The files lose their original shortcut icons as well. Willow Ransomware also changes the desktop wallpaper and creates the READMEPLEASE.txt text note. Both the wallpaper and the text note display the same ransom instructions that victims are told to follow to recover the data. It says victims should pay $500 in BTC to the attached Bitcoin address or else lose their files forever. It also claims that third-party decryptors will not be able to remove the ciphers applied to files by Willow. Unfortunately, this is nothing but true, as many ransomware infections use high-grade encryption algorithms and store their keys on online servers. For this reason, manual decryption very often turns out to be impossible. We do not recommend paying the required ransom because there is a risk of getting scammed. Extortionists are notorious for abandoning their victims and not sending any decryption tools even after receiving the money.

How to remove Mallox Ransomware and decrypt .mallox files

Mallox is the name of a ransomware virus able to encrypt all valuable data stored on a PC. The file-encryptor uses strong encryption algorithms to apply unique ciphers and deny further access to the data. It also attaches the new .mallox extension, meant to mark the blocked data. To illustrate, a file like 1.pdf will change to 1.pdf.mallox and have its original icon reset. Note that removing the .mallox extension will not help you open the file as long as it is encrypted. After successful encryption, the virus places a text note called RECOVERY INFORMATION.txt on your desktop and opens it; this note contains the ransom instructions. The file says only unique decryption software will be able to access your data. To get it, users are told to send an e-mail with their personal ID to the cybercriminals. Victims will then be given further instructions on how to purchase the decryption tool. It is also mentioned that free file decryption can be tested by sending a few encrypted samples that do not contain valuable data. Before you start thinking about recovery options, we have to inform you about the risks of paying the ransom. Many cybercriminals fool their victims and do not send any decryption instruments even after receiving the money.