
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Dharma-TOR Ransomware and decrypt .TOR files

Dharma-TOR is another member of the Dharma ransomware family: a malicious program that encrypts personal data so its developers can extort a so-called ransom. The first sign of a Dharma-TOR infection is a change in file extensions. The cybercriminals append the victim's personal ID, a contact e-mail address, and the .TOR extension to the end of each file. For instance, 1.pdf or any other file stored on your system will be renamed to something like 1.pdf.id-C279F237.[todecrypt@disroot.org].TOR. Once all data has been encrypted, Dharma-TOR displays a pop-up window and drops a text file called FILES ENCRYPTED.txt onto the desktop. Both the pop-up window and the text note are meant to guide victims through the recovery process: users are told to contact the developers at the e-mail address shown in the extension, quoting their personal ID. If there is no response, victims are told to use the second e-mail address given in the note. After contact is established, victims are likely to receive payment instructions for purchasing decryption of their data.

How to remove Makop Ransomware and decrypt .hinduism, .gamigin or .dev0 files

Users infected with Makop Ransomware will find their data blocked from regular access and visibly altered. Makop developers distribute several versions of the virus; the only real difference between them is the extension and e-mail address (.hinduism, .gamigin, .dev0, etc.) used to rename the encrypted files. The rest is a template-based replication of previous Makop versions. Once the virus settles on a PC, almost all available data is appended with the victim's unique ID, a contact e-mail, and the extension of whichever version hit the system. For instance, a file like 1.pdf will be changed to something like 1.pdf.[9B83AE23].[hinduism0720@tutanota.com].hinduism, or the same pattern with .gamigin, .dev0, or .makop. As soon as encryption is complete, the virus drops a text note called readme-warning.txt into each folder containing compromised data. The note is a list of Q&A items explaining the recovery details. Users are told the only way to restore their data is to pay for decryption in Bitcoin. Payment instructions are provided only after contact is established by e-mail (hinduism0720@tutanota.com, gamigin0612@tutanota.com, xdatarecovery@msgsafe.io, or another address). Like the extensions, the contact addresses vary from victim to victim.

How to remove Gooolag Ransomware and decrypt .crptd files

Gooolag is a ransomware infection that cuts all stored data off from regular access in order to demand a recovery ransom. This ransomware version is more likely to target high-revenue companies. The cybercriminals add the .crptd extension to each encrypted file. For instance, a file like 1.xls will change to 1.xls.crptd and lose its original icon. After encryption, victims are presented with decryption instructions inside a text note called How To Restore Your Files.txt. The note contains some alarming claims about the data. First, the cybercriminals state that 600 Gigabytes of important data have been uploaded to anonymous servers. Victims are then threatened with DDoS (distributed denial-of-service) attacks against entire domains and company contacts. To prevent this, and to avoid losing all of their data, victims are required to contact the extortionists by e-mail (Gooolag46@protonmail.com or guandong@mailfence.com). Should the developers suspect any involvement of police or cyber authorities, the recovery process will be affected.

How to remove Kikiriki Ransomware and decrypt .kikiriki files

Kikiriki is a ransomware infection that isolates access to data stored on a PC. All important files end up encrypted and visibly altered: Kikiriki developers append the new .kikiriki extension along with the victim's ID. To illustrate, a file like 1.pdf is likely to change to something like 1.pdf.kikiriki.19A-052-6D8. Soon after, the virus creates a text file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT. The ransomware developers state that there is no way to decrypt your data other than paying the ransom. The price for decryption is to be decided in further negotiations; victims are only told that it must be paid in Bitcoin. For payment instructions, victims are asked to contact the extortionists via the qTOX or Jabber platforms. They are also offered a free test decryption: victims may send 2 blocked files in .jpg, .xls, .doc, or a similar format, excluding databases, of up to 2MB in size. This is meant to prove the decryption capability and gain the victims' trust. Despite this, many cybercriminals cheat their victims even after receiving the ransom, so paying carries risks that anyone infected with this malware should weigh.

How to remove JanusLocker Ransomware and decrypt .HACKED files

JanusLocker, part of the ByteLocker family, is a ransomware infection that blocks access to files stored on a system. By doing so, its developers blackmail victims into paying a so-called ransom in exchange for the data. Both payment and decryption instructions are located inside a text note that is created once all files have been encrypted. JanusLocker assigns the .HACKED extension to each file. For instance, 1.pdf or any other file attacked on your PC will change to 1.pdf.HACKED and become inaccessible. The note states that all important data has been encrypted using the AES-256 algorithm. To remove the cipher, users are instructed to pay for unique decryption software. The price is roughly 0.018 BTC, which is about 618 USD at the time of writing this article. After completing the transfer to the attached crypto address, users are to notify the cybercriminals of their transaction ID by e-mail (TwoHearts911@protonmail.com). Soon afterward, they should supposedly receive the decryption tools purchased from the cybercriminals. Unfortunately, this is not always the case: many ransomware developers cheat their victims even after receiving payment, which is why paying JanusLocker is a considerable risk.

How to remove BiggyLocker Ransomware and decrypt .$big$ files

BiggyLocker is a ransomware-type virus that makes most files stored on a system completely inaccessible. This process is known as data encryption and involves strong AES and RSA algorithms that apply military-grade ciphers, making self-decryption next to impossible. Like other malware of this type, BiggyLocker assigns the .$big$ extension to each encrypted piece of data. For instance, a file like 1.pdf will be changed to 1.pdf.$big$ and lose its original icon. As soon as encryption is done, the virus creates a text note called read_me.txt, drops it on the desktop, and uses it to deliver ransom instructions. The developers claim it is impossible to recover the blocked files without their help. Victims are therefore asked to pay for special decryption software held by the cybercriminals themselves. The price is 120$, to be transferred in Bitcoin. Once victims have paid the demanded ransom to the crypto address, they are told to contact the extortionists using their e-mail address (cyberlock06@protonmail.com). After this, victims should supposedly receive the promised decryption tools to regain access to their data.

How to remove Haron Ransomware and decrypt .chaddad files

Haron is one of many ransomware infections that encrypt personal data in order to demand a so-called ransom. The malware locks most of the data stored on your device out of regular access; put differently, affected users can no longer open their files. To tell whether files have been encrypted, it is enough to look at their appearance: Haron adds the .chaddad extension to each file and resets its icon. For example, a file named 1.pdf will be changed to 1.pdf.chaddad and its icon will become blank. After this part of the infection is complete, victims receive two notes (RESTORE_FILES_INFO.txt and RESTORE_FILES_INFO.hta) with decryption instructions. These instructions inform users about the encryption and claim that the cybercriminals are the only ones able to recover the data. For this, users are asked to purchase unique decryption software held by the extortionists themselves, completing the payment via a link opened in the Tor browser. Sometimes the fraudsters forget to include the contact or payment links, which makes recovery via the cybercriminals impossible.

How to remove Pay Us Ransomware and decrypt .pay us files

Pay Us Ransomware appears to be a by-product of Vn_os Ransomware, which we have already discussed on our blog. It acts exactly the same way, encrypting data and pushing victims to pay a so-called ransom; the only difference is the names of the extension and the note. Pay Us appends the .pay us extension to each encrypted file. To illustrate, a file like 1.pdf will be changed to 1.pdf.pay us and lose its original icon after encryption. Once this process is complete, the virus creates a text note (read_me.txt) containing decryption instructions. According to the developers, victims have only one option to recover the data: pay for the decryption tools sold by the extortionists. The price for decryption is set at 1,500$, to be paid in BTC. Since the Bitcoin rate changes constantly, the price tag can rise at any time. It is quite uncertain how victims would receive the promised tool after sending the money, as the note attaches no e-mail addresses for contacting the fraudsters. Obtaining decryption tools from the cybercriminals is therefore highly uncertain, and we do not recommend doing so, as there is a risk of losing your money.