Ransomware

Crypto-Locker Mijnal is a ransomware-type infection that encodes personal data with AES+RSA algorithms. The application of such means that the assigned cipher is hard to break using traditional methods. In other words, it makes sure manual decryption does not take place after data is locked. Unfortunately, in most cases, it appears to be impossible indeed, but you should give it a try after reading this text. Alike other infections, Mijnal encrypts your data by changing a file extension to .mijnal. For example, a sample like "1.mp4" will be altered to "1.mp4.mijnal" and reset its original icon. After the encryption process gets to a close, the virus creates a text note called "README_LOCK.txt" that contains redemption instructions. The information presented inside is written in Russian, which means that developers mainly focus on the CIS regions. However, there are some English users that may be affected by it as well. If you are willing to decrypt your data as soon as possible, cybercriminals ask victims to open the attached link via the Tor browser and follow the instructions right there. Then, extortionists will more likely ask you to pay a certain amount in Bitcoin to gain access back to your data. Despite paying the ransom is usually the only method to overcome data encryption, we recommend against meeting any requests as it can be dangerous for your pocket and privacy as well.

Leitkcad is a pure example of crypto-malware that runs encryption over personal data to garner a so-called ransom. The most vivid symptoms hinting at the Leitkcad's presence is the assignment of .leitkcad extension. In other words, it will be seen at the end of each file affected by malware. For example, a file like 1.mp4 will be changed to 1.mp4.leitkcad and reset its original icon. Then, once all of the files are changed, the virus moves to the next phase creating a note called help-leitkcad.txt. It contains information on the encryption as well as instructions to restore your data. Cybercriminals say that you should contact an operator and fill in your ID, personal key, and e-mail via the chat page. The link to it can be opened only by using the Tor browser, which has to be downloaded by victims. Then, after establishing contact with cybercriminals, you will receive further instructions on how to purchase the decryption software. Also, it is worth-noting that rebooting and altering encrypted files can lead to permanent loss. Extortionists set certain algorithms that help them detect your activity. This means that if you refuse to comply with any of the above warnings, your files will be deleted momentarily.

A new cryptovirus known as LuciferCrypt stepped into the game a couple of days ago to encrypt personal data. As long as the study goes, it is already evident that this ransomware restricts access to data by assigning a long-string extension (.id=[].email=[].LuciferCrypt). A quick illustration of an infected sample would look like this 1.id=0ED53ADA.email=cracker.irnencrypt@aol.com.LuciferCrypt.mp4. After the encryption process is done, the virus continues its presence creating a text file called HowToRecoverFiles.txt. Within this document, extortionists are notifying victims about successful encryption. To revert it, victims should contact cyber criminals via e-mail and pay a fee to recover the files. Once done, your data will be decrypted automatically, without involving any manipulations. It is also said that the price directly depends on how fast you reply to the swindlers. Before doing that, you are also allowed to take advantage of free decryption. Developers offer to send up to 3 files (less than 4MB and non-archived), which should not contain valuable information.

After Pump Ransomware attacks your system, all data become chained by strong algorithms restricting access to it. The malware appends .pump extension to the files it encodes. For example, a file like 1.mp4 will acquire a new look of 1.mp4.pump and reset its original icon. The extension applied in the end means that your files are under encryption. Such modifications are usually accompanied by the creation of ransom instructions. In our case, the virus drops a text file called README.txt that will help you recover the files. The content presented inside is short, cybercriminals only attached their e-mail address to call victims into contacting them. Then, they will supposedly give further instructions on how to purchase the decryption software. No matter how far the price goes, complying with the requests of swindlers is risky - they may become foolish in their promises and leave you no tools even after making a payment.

MARS Ransomware is a malicious program discovered by Michael Gillespie. The way it encrypts files is very similar to other infections of such type - by appending the new .mars or .vyb extension to highlight the affected data. Victims will see their files transform into something like this 1.mp4.mars or 1.mp4.vyb. As a result of these actions, files cannot be opened or manipulated by users in any way. To fix it and recover your data, cybercriminals offer to read instructions in a text note (!!!MARS_DECRYPT.TXT) created after encryption. It informs you that various data types stored on your PC have been encrypted with the virus. To revert it, people have to pay 500$ in BTC for the decryption key. Before doing so, extortionists strongly insist on sending up to 3 files for free decryption to make sure of their trustworthiness. After this, the cybercriminals team will reply back with the payment link towards purchasing their software. You can also contact developers via Telegram and buy the key right away without testing free decryption. Although such features provided by swindlers may instill trust in their intentions, it is recommended against agreeing on what they say, because there is no actual guarantee that they will return your data safe and undamaged.

FileEngineering is an example of ransomware-infection configuring files of victims to restrict access to them. Most of the time, users do not spot malware coming into the systems. Once upon a time, they end up seeing their data changed and locked from regular access. FileEngineering does it this way - by assigning victims' ID, cybercriminal's e-mail address, and .encrypted extension at the of the files. There are two versions of FileEngineering being spread around the web. The only difference is in using different e-mail addresses to contact swindlers. For example, you may see your data appear as 1.mp4.id=[BE38B416] Email=[FileEngineering@mailfence.com].encrypted or id=[654995FE] Email=[FileEngineering@rape.lol].encrypted depending on which version affected your PC. Then, the next step of FileEngineering's activity is creating a note called Get your files back!.txt that contains information regarding decryption. Inside of it, the information is addressed by a so-called security engineer. He says that you should contact him via e-mail and pay some amount of Bitcoin. Then, he will return your files decrypted and give some tips on improving your safety. Before that, you are also allowed to send a small file to prove he can unlock your data. Trusting cybercriminals is always a huge risk, so it is up to you whether you want it or not. If files are not of big value to you, you can simply delete FileEngineering and continue using your PC.

Sun or SunCrypt is classified as cryptovirus attacking systems to encrypt personal data. It started its journey in October 2019 and continues its presence infecting users until these days. The moment SunCrypt can be spotted in your PC is when it changes your files by adding the .sun extension. It was also heard about another version of SunCrypt which applies a string of random symbols instead of extensions. A change to something like this 1.mp4.sun or 1.mp4.G4D3519X58293C283957013M35DC8A2V0748D9845E7A5DBD6590E3F834C4638 means you are no longer allowed to access your data. To recover it back, SunCrypt creates a text notes (DECRYPT_INFORMATION.html or YOUR_FILES_ARE_ENCRYPTED.HTML) that contain ransom instructions. Although SunCrypt is mainly oriented towards English-speaking users, you have a possibility to switch between German, French, and Spanish as well. This by far increases the traffic of victims allowing developers to extend their business. As stated in the note, victims have to install the Tor browser and click on the "Go to our website" to purchase the decryption software. The required fee may vary based on the individual case, however, no matter how low or high it is, we recommend against going for such a risk.

Dharma-259 is a ransomware-type infection belonging to the Dharma family. This group of developers has brought the biggest impact to the malware industry. Having a range of malicious programs, 259 compliments the list, and encrypts personal data with strong algorithms that prevent users from regular access. As a result, all data change its name with a string of digits including personal ID, cybercriminal's e-mail, and .259 extension at the end of each file. For instance, ordinary 1.mp4 will experience a change to something like this 1.mp4.id-C279F237.[259461356@qq.com].259 and reset its default icon. Then, once the encryption process gets to a close, the virus force-opens a pop-up window and creates a text note called FILES ENCRYPTED.txt, both of which contain information upon data recovery. As stated in both pop-up and note, victims have to contact swindlers via e-mail attaching personal ID. In addition to that, you are allowed to send up to 1 file (less than 1 MB) for free decryption. Then, once extortionists receive your message, you will be guided with steps on how to purchase decryption software. Sometimes, the required fee may skyrocket beyond the limits, becoming unaffordable for most of the users. Even if you are ready to enrich cybercriminals buying their software, we recommend you against it, because most users report a high-risk of being fooled and not obtain any tools to restore the data at all.