Ransomware

Also known as Hakbit, Thanos is a ransomware group that develops a number of file-encrypting infections. It was first discovered by GrujaRS, an independent security researcher specializing in ransomware. The virus has quite a long genealogy tree with lots of different versions using AES algorithms to run file encryption. Each of them has a separate extension that is assigned to encrypted data. The most recent are .steriok, .cyber, and .crystal. If you spotted the change of shortcut icons along with extensions, this means your files have been successfully encrypted. To illustrate, a file like 1.pdf will change to 1.pdf.steriok, 1.pdf.cyber, 1.pdf.crystal or similarly depending on which version infiltrated your system. After encryption, Thanos creates either HOW_TO_DECYPHER_FILES.txt, HELP_ME_RECOVER_MY_FILES.txt or RESTORE_FILES_INFO.txt text files. These are the names of ransom notes containing instructions on how to redeem your data.

Zoom is a ransomware program that runs encryption of data to demand money for its recovery. During file encryption, Zoom uses strong mathematical algorithms along with the .zoom extension that is appended to change files visually. For instance, a file like 1.pdf will change to 1.pdf.zoom and reset its default shortcut icon. The same will be seen across all other data targetted by Zoom Ransomware. After getting things done with the encryption, Zoom changes desktop wallpapers and creates the recover-youe-all-files.txt file containing ransom instructions.

CryptoJoker is a ransomware family that releases every new file-encryptor each year. Alike other ransomware infections, CryptoJocker pursues data encryption of potentially valuable data (e.g. pictures, videos, music, documents, databases, etc.) to demand money for its complete return. Depending on which version attacked your system, the encrypted files will be appended with one of these following extensions - .encrypter@tuta.io.encrypted, .crjoker, .cryptolocker, .cryptoNar, .cryptolocker, .nocry, .devos, .devoscpu. Those are often accompanied by .fully and .partially suffixes, suposed to mean, that some files are fully or partially encrypted. For instance, a file like 1.pdf may change to 1.pdf.crjoker, 1.pdf.encrypter@tuta.io.encrypted, and so forth. Different versions of CryptoJocker used different formats of presenting ransom instructions. Some display an interactive window, while others create separate text notes.

Discovered by a researcher named S!Ri, Foxxy is a malicious program that belongs to the malware category known as ransomware. Its main goal is to encrypt personal data and demand money for its recovery. The moment Foxxy starts enciphering data, all files will get a new .foxxy extension and reset their shortcut icons. This is how an encrypted file like 1.pdf will finally look like - 1.pdf.foxxy. Then, as soon as the encryption process is done, the virus displays a full-screen window and creates a text note called ___RECOVER__FILES__.foxxy.txt. Both of them feature ransom instructions to recover the data. You can check the full content of both ransom notes down below:

Udacha is a ransomware virus that encrypts data with AES+RSA algorithms and demands payment of 490$ (0.013 BTC) in order to return it. This information is visible inside of the ReadMe_Instruction.mht file, which is created after encryption puts its finishing touches onto the data. Prior to this, however, users will see their files changed with the .udacha extension. To illustrate, a file like 1.pdf will change to 1.pdf.udacha and reset its shortcut icon. Below, you can see the full information that is written within the ransom note.

GABUTS PROJECT is a ransomware virus that encrypts system-stored data to extort money for its return. It does so by appending the .im back extension to each modified file. Files like music, videos, pictures, and documents will acquire the new extension and reset their original shortcut icons. Here is an example of how encrypted files will look like - 1.pdf.im back; 1.mp4.im back; 1.png.im back, 1.docx.im back, and so forth. After this, the virus features a pop-up window and creates the "gabuts project is back.txt" file containing ransom instructions. The text is written in first person with requests to send 100 BTC for data decryption. This is exactly the price victims should send in order to restore the data. It is also mentioned this payment has to be done within 1 day after infection. To begin communication, victims should write to the pinned e-mail address. According to the text, there is also an option to decrypt 1 file by accessing the tor link. Unfortunately, nobody will pay the price of 100 Bitcoins (5,712,670$) unless it is a big corporation that lost extremely important data.

Also known as Ranzy Locker, ThunderX 2.1 is a new ransomware sample that runs thorough data encryption. Depending on which version attacked your system specifically, you may see one of these 3 different extensions assigned to data - .RANZY, .RNZ, .tx_locked or .lock. To illustrate, an innocent file like 1.pdf will change to 1.pdf.ranzy, 1.pdf.tx_locked, or 1.pdf.lock at the end of encryption. It will also reset its shortcut to blank. Right after this, the virus creates a text note named readme.txt that contains ransom instructions. Cybercriminals call victims to follow the listed instructions as this is the only option to recover your data. All files have been rendered inaccessible with the help of secure encryption algorithms. To revert these consequences, victims are guided to contact developers through e-mail and buy unique decryption software. While sending a message, it is also required to attach a key string and personal ID from the note. In addition, they offer to send 3 files and receive them decrypted for free. They claim this is a guarantee of their trustworthiness and ability to restore the data. Nobody apart from victims knows how much money extortionists behind ThunderX 2.1 demand.

Babyduck is a ransomware infection that encrypts data by assigning the .babyduck extension. The word encryption means users will no longer be able to open system-stored files because they are blocked. Those files will undergo two visual changes - a new extension and a reset of shortcut icons. To illustrate, a file like 1.pdf will be altered to 1.pdf.babyduck and drop its icon to blank. Right after this, Babyduck creates a text note with ransom instructions (README.babyduck). Research related to this ransomware version has been temporarily frozen and not yet updated. The only thing that stands out clearly is how encrypted data will look after the ransomware attack. Despite there is no precise information on ransom instructions, they are more likely similar to other file-encryptors. Cybercriminals will probably ask you to pay for special decryption software that will access your data. The payment can be usually done only in cryptocurrency like Bitcoin. Apart from this, it is also common to see extortionists offer free file encryption.