Ransomware

Bhui Ransomware is a type of malware that encrypts files on a victim's computer and demands payment in exchange for a decryption key. Bhui ransomware is part of the STOP/Djvu ransomware family and is spread through malicious files disguised as freeware, key generators, and hacked games, which are commonly found on file-sharing and torrent sites. Once installed, Bhui encrypts all files on the victim’s computer, adding the .bhui extension to the filenames. For example, a file named 1.jpg gets renamed to 1.jpg.bhui, and 2.png becomes 2.png.bhui. Bhui ransomware encrypts files using a strong encryption algorithm called Salsa20. The encryption algorithm is complex and makes it difficult to decrypt files without the decryption key. In addition to file encryption, Bhui generates a ransom note, a text file called _readme.txt. The ransom note emphasizes that file decryption is only possible with the use of specific decryption software and a unique key.

Ahtw Ransomware is a type of malware that encrypts files on a victim's computer and then demands payment in exchange for the decryption key. Once the ransomware infects a system, it can quickly encrypt files without the user's knowledge, making it difficult to detect the infection until it is too late. The ransomware is associated with the STOP/Djvu family and is often distributed alongside other malware, including RedLine or Vidar. Once the encryption process is complete, Ahtw Ransomware renames each encrypted file by adding the extension .ahtw to its name. The criminals behind Ahtw Ransomware demand a ransom of $980 in exchange for the key and decryptor, which they claim is the only way to decrypt the encrypted files. Ahtw ransomware creates a ransom note named _readme.txt in each affected directory. The ransom note provides details on how to reach out to the attackers and instructions for making a ransom payment.

TmrCrypt0r is a ransomware virus that belongs to the Xorist ransomware family. It encrypts important personal files, such as photos, videos, and documents, and adds the .TMRCRYPT0R extension to every file's name. Once the files are encrypted, they become inaccessible and cannot be opened without decryption. After encrypting the files, TmrCrypt0r creates a ransom note that provides payment information and the threat of what will happen if payment is not made. The ransom note is usually found in a text file or a pop-up window and prompts the victims to pay a ransom in exchange for the decryption key.

MiniMe Ransomware is a type of malware that encrypts files on a victim's computer and demands payment in exchange for the decryption key. It is a relatively new ransomware strain that was first discovered in 2023. The ransomware is, probably named after the popular movie character "Mini-Me" from the Austin Powers series. MiniMe Ransomware adds the .minime extension to encrypted files. For example, a file named example.doc would be renamed to example.doc.minime after encryption. MiniMe Ransomware uses a combination of RSA and AES encryption to encrypt files on a victim's computer. MiniMe Ransomware creates a ransom note named read_it.txt in each folder that contains encrypted files. The ransom note contains instructions on how to pay the ransom and obtain the decryption key.

Ahgr Ransomware is a type of malware that encrypts files on a victim's computer and demands a ransom for their release. Ahgr is part of the Djvu ransomware family and encrypts files by adding the .ahgr extension to their names. Ahgr ransomware uses the Salsa20 encryption algorithm, which provides an overwhelming amount of possible decryption keys, making it difficult to brute force the 78-digit number of keys. When Ahgr ransomware infects a computer, it creates a ransom note as a text file named _readme.txt in every folder that the ransomware has encrypted files. The note assures victims that they can retrieve all their files and claims that various files, including pictures, databases, documents, and other important data, have been encrypted using a robust encryption.

Ahui Ransomware is a type of malware that encrypts files on a victim's computer and demands payment in exchange for the decryption key. It is a variant of the STOP/Djvu ransomware family. Malware adds the .ahui extension to encrypted files. Once the ransomware infects a computer, it searches for important user data such as databases, archives, spreadsheets, pictures, and other types of files. It uses the Salsa20 encryption algorithm, which is not the strongest method but still provides an overwhelming amount of possible decryption keys. To brute force the 78-digit number of keys, you need 3.5 unvigintillion years (1*10^65), even if you use the most powerful regular PC. Quantum computers can show a bit better performance, but it is still not enough to break the encryption. Ahui ransomware creates a ransom note named _readme.txt in every folder where it encrypts files.

Being part of the STOP/Djvu family, Neon is a ransomware-type virus that puts up a lock on personal data. This version was released in the first days of June 2023. The encryption is done using military-grade algorithms that generate online keys on special servers. This ensures no third-party tools can access the keys to decipher the files. Just like other infections of this type, Neon changes the names of each infected file. It does so by appending a new extension (.neon) to every encrypted piece. For example, a file like 1.pdf will be modified and change its name to 1.pdf.neon after encryption. After this stage of the virus is over - Neon Ransomware creates a text note called _readme.txt containing decryption instructions. A number of other ransomware variants developed by Djvu used the same content for the ransom instructions.

CrossLock is a dangerous malware categorized as ransomware. The activity of this crypto-ransomware started in mid-April 2023. According to the ransom not it is aimed at English-speaking users, but it can spread around the world. This ransomware encrypts user data using a combination of the Curve25519 and ChaCha20 algorithms and then demands ransom in Bitcoins to get the files back. The original name is indicated in the note: CrossLock. The executable file spotted is notepad.exe (can be other random name). Malware was written in the Go language. The extension is added to encrypted files: .crlk. CrossLock Ransomware creates ransom note, that is called ---CrossLock_readme_To_Decrypt---.txt in a folders with encrypted files and on the desktop. Below is the content of this note.