Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Neqp Ransomware and decrypt .neqp files

Neqp is a ransomware infection belonging to the Djvu/STOP Ransomware family that appeared in June 2023. This family has released a number of file encryptors that target various users worldwide. Once the ransomware penetrates a system, it begins scouting for potentially valuable file formats and encrypting data. After encryption, users will no longer be able to access and use their data as before. You may immediately spot the change by looking at the altered names of the files. This specific ransomware assigns the .neqp extension, making a file like 1.pdf change to 1.pdf.neqp and reset its original icon. Usually, Neqp Ransomware and other modern Djvu/STOP versions generate "online" keys, which means full decryption of data is likely impossible without the help of cybercriminals. There are, however, sometimes exceptions to this, which are covered further below.

How to remove Nerz Ransomware and decrypt .nerz files

Just like many previous versions of this virus, Nerz Ransomware is a malicious program recently developed by the STOP (Djvu) ransomware family, which runs data encryption. Once it gets on your computer, the virus covers all personal data with strong encryption algorithms, so that you can no longer access it. Unfortunately, preventing ransomware from blocking your data is impossible unless you have special anti-malware software installed on your PC. In its absence, the files stored on your disks will be restricted and no longer accessible. After the encryption process is done, you will see a file like 1.pdf change to 1.pdf.nerz, and similarly with other file names. This version of STOP ransomware uses the .nerz extension to highlight the encrypted data. Then, as soon as the ransomware has stormed through your system and put all the sensitive data under a lock, it goes further and creates a ransom note (_readme.txt).

How to remove Hidden Ransomware and decrypt .hidden files

Hidden Ransomware, a variant of the Voidcrypt ransomware family, is a malicious program that carries out its nefarious activities by encrypting data and then demanding ransoms in exchange for decryption tools. As part of the encryption process, all the affected files undergo a renaming process, adopting a specific pattern. The new filenames include the original file name, the email address of the cyber criminals, a unique ID assigned to the victims, and the .hidden extension. For example, a file named 1.pdf would be transformed into something like 1.pdf.[Wannadecryption@gmail.com][random-sequence].Hidden after encryption. In addition to the file renaming, the ransomware drops ransom messages in !INFO.HTA files within compromised folders.

How to remove Werz Ransomware and decrypt .werz files

Werz Ransomware (also known as STOP Ransomware) is a ruinous virus whose operating principle is based on strong file encryption and money extortion. There have been more than 700 versions of this malware, with several major modifications and numerous minor changes. Recent ones add random 4-letter extensions to affected files to indicate that they are encrypted. Werz appeared at the very end of May 2023. Since the very beginning, Werz Ransomware has used the AES-256 (CFB mode) encryption algorithm. Depending on the exact extension, there are slightly different but similar removal and decryption methods. The variation under research today uses the .werz extension. Like its predecessors, it creates a ransom note called _readme.txt; below is an example of such a text file.

How to remove DarkRace Ransomware and decrypt .1352FF327 files

DarkRace Ransomware, discovered by security researcher S!Ri, poses a significant threat to computer systems and the security of sensitive data. This article delves into the workings of DarkRace, its impact on files, and the implications for victims. By understanding the nature of this ransomware strain, users can better protect themselves against such malicious attacks. DarkRace is a type of ransomware that encrypts files on infected systems, rendering them inaccessible to users. This malware appends a distinct extension, .1352FF327, to filenames and leaves a ransom note in the form of a text file named Readme.1352FF327.txt. Once infected, victims are informed that their data has been stolen and encrypted, and they are threatened with the publication of their sensitive information on a TOR website if the ransom demands are not met.

How to remove Weqp Ransomware and decrypt .weqp files

Weqp is a recent ransomware infection developed by the STOP/Djvu malware group that appeared at the end of May 2023. The developers behind it have released a number of very similar infections to encrypt users' data and blackmail them into paying money for the recovery. The malware primarily uses a combination of symmetric and asymmetric encryption algorithms to encrypt victims' files. The specific encryption algorithms employed by STOP/Djvu have evolved over time as the malware has undergone several variants and updates. However, the most commonly observed encryption algorithm used by STOP/Djvu is the RSA algorithm for asymmetric encryption. Weqp Ransomware barely differs from other previously developed versions. It encrypts all kinds of important files and alters their appearance with the .weqp extension. To illustrate, a file like 1.pdf will change to 1.pdf.weqp and have its icon reset once the virus affects it. After this, a text file called _readme.txt is created to explain how files can be decrypted.

How to remove Weon Ransomware and decrypt .weon files

Weon Ransomware is one of the newest versions developed by the STOP (Djvu) family. It was first spotted at the end of May 2023. This ransomware targets various types of personal data (e.g. images, videos, documents, etc.) using online keys randomly generated for each victim. Once they are applied and data becomes encrypted, users are no longer able to access and interact with it. During the encryption process, all of the files are assigned the .weon extension. This means that files will change their name and reset their icons. For example, a file like 1.pdf will be changed to 1.pdf.weon and lose its initial icon at the end of encryption. Then, just like other recent versions of the STOP (Djvu) family, Weon creates a text note called _readme.txt that contains decryption instructions. No matter which one was dropped on your PC, all of them display the same information.

How to remove Jigsaw Ransomware and decrypt .onion, .LoLSec, .fun or .cat files

Jigsaw Ransomware is a widespread family of ransomware. Ransomware is designed to encrypt files on a victim's computer, rendering them inaccessible, and then demand a ransom payment in exchange for the decryption key needed to restore the files. Jigsaw Ransomware gained attention in April 2016 when it was first discovered. It was named after the iconic character from the movie "Saw" due to its use of an image of the character as its logo. Jigsaw Ransomware targets Windows-based systems and spreads through various methods such as malicious email attachments, infected downloads, or exploit kits. Once a computer is infected with Jigsaw Ransomware, it begins encrypting files on the system, including documents, images, videos, and other important data. It then displays a ransom note on the victim's screen, demanding a payment, usually in Bitcoin, within a specified time frame. If the victim fails to pay the ransom within the given time, Jigsaw Ransomware threatens to delete a portion of the encrypted files as a form of punishment. It also displays a countdown timer, adding a psychological element of urgency.