
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Tripoli Ransomware and decrypt .crypted files

Tripoli is a ransomware infection that encrypts personal data. The usual targets are photos, videos, documents, and other files that may hold sensitive information. Once the virus has attacked your system, every affected file is marked with the .crypted extension. Some victims have reported a .tripoli extension as well, which suggests that two versions of Tripoli Ransomware exist. It does not really matter which one penetrated your PC, because they work almost identically. As a result of the encryption, all files become inaccessible: users can no longer open or edit them. To "fix" this, the extortionists ask victims to follow the steps listed in an HTML note (HOW_FIX_FILES.htm). The steps oblige victims to install the Tor browser and purchase decryption software at the attached address. The decision on whether to pay has to be made within 10 days. We advise against following these fraudulent steps, as there is no guarantee that the criminals will send the promised tools. The better path is to remove Tripoli Ransomware and restore the lost files from an external backup (such as USB storage). If you do not have one, try the guideline below to regain access to your data.

How to remove FLAMINGO Ransomware and decrypt .FLAMINGO files

FLAMINGO is a malicious program designed to block access to a user's data by encrypting it with cryptographic algorithms. Although the ransomware is relatively new, it is already known to append the .FLAMINGO extension to encrypted files. For example, a file like 1.mp4 will become 1.mp4.FLAMINGO after successful encryption. The victim then receives decryption steps in a text note called #READ ME.txt. According to the note, victims have to e-mail a test file (no larger than 3 MB) so the cybercriminals can prove their decryption capabilities. The reply contains instructions for buying a decryption tool (paid in BTC). Be warned that manipulating the files, or restarting or shutting down your PC, can be unpredictably dangerous for your data: ransomware developers sometimes build in checks that destroy data if they detect attempts to tamper with it, and in any case renaming or editing an encrypted file can corrupt the structure a decryptor would need. Unfortunately, no guaranteed way to recover data encrypted by FLAMINGO has been found yet. You can only remove the virus to prevent further encryption. Decryption may be possible but has to be tested case by case.

How to remove Phobos-Acuff Ransomware and decrypt .Acuff files

Acuff, a member of the Phobos ransomware family, puts a strong lock on victims' data by encrypting it with cryptographic algorithms, which blocks any attempt to recover the files on your own. After the attack, you may see your files renamed to something like 1.mp4.id[C279F237-2275].[unlockfiles2021@cock.li].Acuff, which confirms that they have been encrypted. Acuff Ransomware marks encrypted data with the victim's ID, the cybercriminals' e-mail address, and the .Acuff extension. To "help" users restore their data, the extortionists direct victims to a note with decryption instructions. The information is found in two files, info.hta and info.txt, which are created after encryption. The first step is to contact the criminals by e-mail (unlockfiles2021@cock.li or decryfiles2021@tutanota.com), attaching your personally generated ID. The swindlers then respond with details on how to buy the decryption software. Before buying, you are also offered free decryption of up to 5 files (each under 4 MB and not archived). Although this offer may look trustworthy, we recommend against meeting any demands set by the malware developers. Paying a large sum of money in the hope of file recovery is a real risk.

How to remove Bondy Ransomware and decrypt .bondy or .connect files

Bondy is a ransomware-type infection that targets various kinds of data by encrypting it with the RSA algorithm. It is distributed in two versions: the first appends the .bondy extension, the other .connect, to each encrypted file. The infected data therefore appears as 1.mp4.bondy or 1.mp4.connect, depending on which version attacked your system. The last and most important part of the ransomware's activity is creating a text note (HELP_DECRYPT_YOUR_FILES.txt) with decryption instructions. It claims that your data has been encrypted with RSA, an asymmetric cryptographic algorithm that requires a private key to unlock the data. That key is stored on the cybercriminals' server and can only be obtained by paying $500 in Bitcoin to the wallet given in the note. The extortionists also offer to decrypt 1 file for free as evidence that they can be trusted. In reality, things can go the other way: the criminals may take the money and provide no tools to recover your data, which is what happens to many users who venture to pay a ransom. Since no free tools can unlock the data, the only reliable option is restoring files from an external backup made before the attack.

How to remove Netflix Login Generator Ransomware and decrypt .se files

Netflix Login Generator, identified by malware researcher Karsten Hahn, is a malicious program categorized as ransomware. It is promoted as a tool that creates a free Netflix account, without purchasing a subscription. Instead, the program installs ransomware that encrypts personal data (with the AES-256 algorithm). It comes as a real surprise to inexperienced users when they find their data locked and inaccessible. Encrypted data is easily recognized by the new extension assigned to each file: the original 1.mp4, for instance, becomes 1.mp4.se. Soon after encryption, the virus drops a note called Instructions.txt and sets the desktop wallpaper to the same message. The note lays out the steps for data decryption: the extortionists demand a payment of $100 in Bitcoin. An interesting peculiarity is that Netflix Login Generator terminates itself if the system is not running Windows 7 or 10. In any case, if this malware is present on your system, you have to delete it and recover the data from an external copy of your files.

How to remove CURATOR Ransomware and decrypt .CURATOR files

CURATOR is another ransomware infection that locks victims' data and demands a fee for its return. The first sign that CURATOR has left its traces in your system is a new extension appended to the affected files. For example, a file like 1.mp4 will appear as 1.mp4.CURATOR after the ransomware has processed it. To recover your data, the extortionists direct you to the instructions in the !=HOW_TO_DECRYPT_FILES=!.txt note created soon after encryption. According to the note, the attackers have encrypted your files with strong algorithms (ChaCha+AES), which rules out restoring them on your own. The only feasible way, they say, is to buy the decryption key stored on the cybercriminals' server. Once you decide, the extortionists kindly ask you to contact them by e-mail for further instructions. You can also take advantage of a special offer: send up to 3 files (no more than 5 MB) for free decryption. Although such a move can instill trust in gullible users, we recommend against paying the ransom. There is always a risk of losing your money and receiving none of the promised recovery tools.

How to remove Dharma-BLM Ransomware and decrypt .[blacklivesmatter@qq.com].blm files

Dharma-BLM, part of the Dharma family, is a malicious program that seeks financial gain by encrypting personal data. It marks each file with a string consisting of a unique ID, the cybercriminals' e-mail address, and the .blm extension. Here is an example of how infected data looks: 1.mp4.id-C279F237.[blacklivesmatter@qq.com].blm. When the encryption is done, the virus moves on to the next step and creates a text note (FILES ENCRYPTED.txt) with ransom instructions. The message states that all data has been encrypted and demands action within 24 hours: contact the cybercriminals by e-mail to receive payment details for the decryption tools. Victims are also warned that any manipulation of the files, such as renaming them, will lead to permanent loss. In addition, the developers offer to decrypt one file for free, a trick used by many ransomware creators to win the trust of gullible users and close the deal. Unfortunately, more often than not, decryption without the attackers' involvement yields nothing, unless the ransomware contains bugs or flaws that allow third-party tools to break the cipher.

How to remove BitRansomware and decrypt .readme files

BitRansomware is a file-encrypting virus designed to block a user's data and keep it locked until a ransom is paid. Such malware earns a lot of money from inexperienced users who feel they have no choice but to pay, because their data is encrypted with ciphers that cannot be broken. Imagine all of your personal data becoming inaccessible: this is what BitRansomware does. It appends the new .readme extension to each file to distinguish the encrypted files from the originals. A sample of encrypted data looks like this: 1.mp4.readme. After encryption, the extortionists display a text note called Read_Me.txt explaining the decryption process. It says that all important files have been successfully encrypted and that the only way to decrypt them fully is to pay a fee through a Tor link given in the note. Unfortunately, this is usually true, because such files can be decrypted without the attackers' key only if the ransomware contains flaws or bugs overlooked by its developers. Whatever the case, we do not recommend paying the ransom, because trusting extortionists is a risky business.
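The file-name conventions and ransom-note names quoted in the summaries above (Phobos-style ".id[ID].[email].ext", Dharma-style ".id-ID.[email].ext", and the plain appended extensions of the other families) are enough to triage a directory listing before any removal or recovery attempt. The script below is an added example written for this page, not code from the original articles or from any of the ransomware authors; the sample listing it runs on is constructed, and the "strong"/"weak" confidence labels are this example's own convention: an extension match alone is weak (".se" or ".readme" can be legitimate suffixes), and only a matching ransom note on disk makes it strong.

```python
import re
from collections import defaultdict
from typing import Optional

# Renaming patterns quoted in the article summaries (example code, not from the page).
# Phobos appends ".id[<8 hex>-<4 digits>].[<email>].<ext>", Dharma appends
# ".id-<8 hex>.[<email>].<ext>"; the other families simply append one extension.
PHOBOS_RE = re.compile(
    r"^(?P<orig>.+)\.id\[(?P<vid>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
DHARMA_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Plain appended extension -> family (compared case-insensitively).
# On its own this is a weak signal: ".se" or ".readme" can be legitimate suffixes.
PLAIN_EXTENSIONS = {
    "crypted": "Tripoli", "tripoli": "Tripoli", "flamingo": "FLAMINGO",
    "bondy": "Bondy", "connect": "Bondy", "se": "Netflix Login Generator",
    "curator": "CURATOR", "readme": "BitRansomware",
}

# Ransom note file name -> family, as named in the summaries above.
NOTE_FILES = {
    "HOW_FIX_FILES.htm": "Tripoli", "#READ ME.txt": "FLAMINGO",
    "info.hta": "Phobos", "info.txt": "Phobos",
    "HELP_DECRYPT_YOUR_FILES.txt": "Bondy",
    "Instructions.txt": "Netflix Login Generator",
    "!=HOW_TO_DECRYPT_FILES=!.txt": "CURATOR",
    "FILES ENCRYPTED.txt": "Dharma", "Read_Me.txt": "BitRansomware",
}


def classify_filename(name: str) -> Optional[dict]:
    """Return what a file name reveals about the encrypting family, or None.

    Phobos and Dharma names carry the victim ID and the attacker's contact
    address (useful for an IR ticket); the other families only leave an extension.
    """
    for family, pattern in (("Phobos", PHOBOS_RE), ("Dharma", DHARMA_RE)):
        m = pattern.match(name)
        if m:
            return {"family": family, "original": m.group("orig"),
                    "victim_id": m.group("vid"), "email": m.group("email"),
                    "ext": m.group("ext")}
    base, sep, ext = name.rpartition(".")
    if sep and base and ext.lower() in PLAIN_EXTENSIONS:
        return {"family": PLAIN_EXTENSIONS[ext.lower()], "original": base,
                "victim_id": None, "email": None, "ext": ext}
    return None


def triage(filenames) -> dict:
    """Summarise a listing per family: renamed-file count, note presence,
    collected IDs/e-mails, and a confidence label. A family is 'strong' only
    when both its ransom note and renamed files are present; otherwise 'weak'.
    """
    seen = defaultdict(lambda: {"files": 0, "note": False, "ids": set(), "emails": set()})
    for name in filenames:
        if name in NOTE_FILES:
            seen[NOTE_FILES[name]]["note"] = True
            continue
        hit = classify_filename(name)
        if hit:
            entry = seen[hit["family"]]
            entry["files"] += 1
            if hit["victim_id"]:
                entry["ids"].add(hit["victim_id"])
            if hit["email"]:
                entry["emails"].add(hit["email"])
    return {
        family: {"files": e["files"], "note": e["note"],
                 "ids": sorted(e["ids"]), "emails": sorted(e["emails"]),
                 "confidence": "strong" if e["note"] and e["files"] else "weak"}
        for family, e in seen.items()
    }


# Constructed sample listing for demonstration, not real incident data.
SAMPLE_LISTING = [
    "1.mp4.id[C279F237-2275].[unlockfiles2021@cock.li].Acuff",
    "budget.xlsx.id[C279F237-2275].[unlockfiles2021@cock.li].Acuff",
    "info.hta",
    "info.txt",
    "holiday.jpg.se",   # extension only: weak until Instructions.txt is also found
    "README.md",        # not renamed; must not match
    "notes.txt",
]

if __name__ == "__main__":
    for family, summary in triage(SAMPLE_LISTING).items():
        print(family, summary)
```

Run it against a real listing (for example the output of a recursive directory walk) before touching anything: the victim ID and contact address extracted from Phobos/Dharma names are what a decryptor or an incident report needs, and the weak/strong split keeps a lone ".se" or ".readme" file from being mistaken for an infection. The dictionaries only cover the families described on this page; extend them as you add entries.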