
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Dharma-Roger Ransomware and decrypt .roger files

Roger is another variant of the Dharma family that encrypts data with strong ciphers and demands a ransom from its victims. Once it infiltrates a system, every stored file is renamed with the victim's ID, the cybercriminals' e-mail address, and the .roger extension. To illustrate, a file like 1.mp4 becomes 1.mp4.id-1E857D00.[helpdecoder@firemail.cc].ROGER. Note that IDs and e-mails vary from victim to victim. After the virus finishes encrypting files, it creates a text file called FILES ENCRYPTED.txt on the desktop. This note describes the steps victims are expected to follow to unlock their data: open the attached link in the Tor browser, after which the attackers promise to reply within 12 hours with instructions on purchasing their decryption software. If they do not reply, victims are told to write to a backup e-mail address. Unfortunately, paying for the software may be a trap that puts your finances at risk.

How to remove PwndLocker Ransomware and decrypt .ProLock, .pwnd or .key files

PwndLocker Ransomware is a file-encrypting virus created to target business networks and local governments. However, regular users can also fall victim to it. After penetrating a network, PwndLocker alters the settings of multiple Windows services and encrypts both local and network data, appending new extensions and creating a ransom note. The extension assigned may vary depending on the file format. The virus uses the .ProLock, .pwnd or .key extensions, but it does not matter which one was appended to your files, since they all serve the same function. For example, in some cases the original 1.mp4 is transformed into 1.mp4.ProLock; in other scenarios, the affected data receives the ".pwnd" or ".key" extension. The ransom note (H0w_T0_Rec0very_Files.txt), which is then dropped on the desktop, states that your network has been penetrated and encrypted with strong algorithms.

How to remove Phobos Ransomware and decrypt .eight, .eject, .eking or .iso files

Phobos is a criminal group that has made a strong mark in the ransomware world. Since 2017, it has built up a collection of numerous variants; recent ones include Eight Ransomware, Eject Ransomware, Eking Ransomware, and Iso Ransomware. As with other ransomware, its developers chose a fairly traditional encryption process. It scans the system for various file formats such as MS Office documents, OpenOffice files, PDFs, text files, databases, images, videos, and others. Once done, it renames each encrypted file according to the pattern 1.mp4.[ID-random-user-id-number].[cybercriminals-e-mail].{extension}. Depending on which version attacked your computer, the extension may be .eight, .eject, .eking, or .iso. Here are some samples of infected files: 1.mp4.id[XXXXXXXX-2776].[use_harrd@protonmail.com].eight; 1.jpg.id[XXXXXXXX-2833].[cynthia-it@protonmail.com].eject; 1.doc.id[XXXXXXXX-2275].[decphob@tuta.io].eking; 1.jpg.id[XXXXXXXX-2589].[backup.iso@aol.com].iso. After encryption completes, users are presented with a text file (info.txt or info.hta) that explains how to decrypt their data.

How to remove Major Ransomware and decrypt .onix, .air, .orion or .legacy files

Major is a file-encrypting virus classified as ransomware. Once installed, it encrypts all files stored on the system, which remain locked until a ransom is paid. The most recent version appends a new .Air extension to each file, preceded by a unique ID number and the intruders' e-mail address. After encryption, an affected file looks like this: 1.mp4.33868453691972502380.ex_parvis@aol.com.AIR. Previously, the ransomware used the .onix, .cube, .mars, .orion and .legacy extensions with a similar naming pattern. Once the process is finished, the program creates an HTML or text file (READ_ME.txt, TRY_TO_READ.html) and changes the desktop wallpaper.

How to remove DeathHiddenTear Ransomware and decrypt .encryptedS, .encryptedL or .enc files

DeathHiddenTear Ransomware is a file-encrypting virus discovered by Michael Gillespie. Being classified as ransomware, it encrypts all data (e.g. images, videos, text files, etc.) stored on the PC or on external devices such as flash cards connected to the computer, and then demands a ransom to be paid to retrieve the files. Like other ransomware, DeathHiddenTear assigns an extension: .encryptedS for small files and .encryptedL for large files. The most recent variants use the .enc suffix. To illustrate, after encryption 1.mp4 is transformed into 1.mp4.encryptedS and can no longer be opened. Afterwards, the program drops a text file (Decrypt Instructions.txt) onto the desktop containing information about the locked data.

How to remove Scarab-Danger Ransomware and decrypt .danger files

Scarab-Danger is a ransomware-type virus that encrypts data and extorts money from its victims. After penetration, it appends a new .danger extension to each file it encrypts. As an example, the original 1.mp4 is changed to 1.mp4.danger. Scarab-Danger is also constantly updated with new extensions such as .inchin, .btchelp@xmpp.jp, .fastrecovery@xmppp, .fastrecovery@xmpp.jp, .online24files@airmail.cc and many others. Basically, it does not matter which one was appended to your files, since all of them serve the same purpose. After the virus successfully locks the data, it drops a text file with ransom information, in most cases called HOW TO RECOVER ENCRYPTED FILES.TXT.

How to remove NetWalker (Mailto) Ransomware and decrypt .mailto files

Besides targeting regular users, Kazkavkovkiz, a.k.a. NetWalker, a.k.a. Mailto, also goes after businesses. Like other ransomware, it encrypts data, appends a unique extension, and drops a text file afterwards. However, instead of using one common extension, it generates various versions according to these patterns: .mailto[kkeessnnkkaa@cock.li].{random-alphanumerical-sequence}, .mailto[sevenoneone@cock.li].{random-alphanumerical-sequence} or .mailto[kazkavkovkiz@cock.li].{random-alphanumerical-sequence}. For example, an unaffected 1.mp4 receives an extension such as .mailto[kazkavkovkiz@cock.li].14b1 or similar. In the note, victims are told that their files have been heavily encrypted and that a fast decision is required, otherwise the files will be lost forever. From the beginning, the malefactors have used the naming pattern {random id}-Readme.txt for the ransom note.

How to remove LockBit Ransomware and decrypt .lockbit, .lock2bits or .abcd files

LockBit is a ransomware-type threat that encrypts users' data and holds it locked until they pay a ransom. To do so, it renames files with the .lockbit, .lock2bits or .abcd extension. When finished, the malicious program generates a text file named Restore-My-Files.txt. This file lists the steps victims are expected to follow in order to decrypt their data. First, you have to contact the cybercriminals via their e-mail; they then instruct you on how to pay for the decryption software. In addition, you are allowed to send them one encrypted file (no larger than 1 MB) so that they can show they are able to decrypt it. Despite this, purchasing anything from extortionists is not recommended, since there have been multiple cases where they did not keep their promises and fooled gullible users.