
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Boty Ransomware and decrypt .boty files

Recently, experts have observed an epidemic of Boty Ransomware, a variant of STOP Ransomware (also known as Djvu Ransomware) that appeared in April 2023. It is a file-encrypting virus: it encrypts user files with a strong cipher (the Salsa20 stream cipher, with the per-victim key protected by RSA, as in the other STOP/Djvu variants) and makes them unusable without the decryption key. The latest versions of this pest add the .boty extension to affected files. Boty Ransomware creates a text file called the "ransom note", named _readme.txt, in which the malefactors give contact details, a brief description of the encryption and the options for decryption. The virus copies it to the desktop and into every folder that contains encrypted files. The malefactors can be contacted via the e-mails support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Boza Ransomware and decrypt .boza files

Boza Ransomware is a new variant of the STOP/Djvu Ransomware that emerged in early April 2023. It appends the .boza extension to encrypted files, making them inaccessible to the user. Like the other variants of the family, Boza Ransomware locks files with strong encryption and demands a ransom in exchange for the decryption key. It targets a wide range of user data: documents, images, videos, audio and other files. Once it infects a computer it scans the system for files and encrypts them with the Salsa20 stream cipher; the symmetric key is itself encrypted with RSA, so the files cannot be recovered from the infected computer alone. The ransomware also drops a ransom note named _readme.txt with instructions for paying the attackers in exchange for the decryption key. Because a unique key is used for each infected system (and, when the malware could reach its server, the matching private key never leaves the attackers' infrastructure), security researchers cannot build a universal decryption tool.

How to remove Kiop Ransomware and decrypt .kiop files

Kiop Ransomware is another representative of the STOP/Djvu family, which has been tormenting users since 2017. This particular version was released at the beginning of April 2023 and, as its name suggests, adds the .kiop extension to every encrypted file. Otherwise it is the same file-encrypting, ransom-demanding virus as hundreds of its predecessors. Ransomware of this type uses the same cryptography, which, unfortunately, still cannot be broken without the attackers' key. Like the other STOP/Djvu variants, Kiop Ransomware combines symmetric and asymmetric algorithms: file contents are encrypted symmetrically with the Salsa20 stream cipher, and the per-victim symmetric key is then encrypted asymmetrically with an RSA public key. The attackers hold the matching RSA private key, which is the only thing that can unwrap the symmetric key, so only they can decrypt the victim's files, which they offer to do after payment. The only things that have changed over the last years are the extension and the contact e-mail addresses. The name of the ransom note remains unchanged (_readme.txt).
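The hybrid scheme described above, as an added example that is not code from the original page or from the malware itself: the victim-side locker generates a random symmetric key, encrypts the file with it, wraps the key under the attackers' RSA public key and wipes the plaintext key; the attackers' "decryptor" reverses this with the private key, and any other private key fails at the unwrap step. AES-256-GCM from the Go standard library stands in for the symmetric cipher (STOP/Djvu uses Salsa20 and keeps one key per victim rather than per file); the function names and the sample file contents are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptedFile is what a hybrid locker leaves behind for one file: the
// ciphertext plus the symmetric key wrapped with the attackers' RSA public
// key. The plaintext symmetric key is never written anywhere.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// symmetricAEAD builds the file cipher. AES-256-GCM is a stand-in from the
// standard library; the key-wrapping structure is what the example shows.
func symmetricAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// lockerEncrypt is the victim-side step: fresh random 256-bit key, encrypt
// the file, wrap the key under the attackers' public key, wipe the key.
func lockerEncrypt(attackerPub *rsa.PublicKey, plaintext []byte) (*EncryptedFile, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	aead, err := symmetricAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, attackerPub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // only the RSA-wrapped copy of the key survives
		key[i] = 0
	}
	return &EncryptedFile{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// decryptorRecover is the "decryptor" the attackers sell: unwrap the key with
// the RSA private key, then decrypt the file. Any other private key fails the
// OAEP unwrap and the file stays locked.
func decryptorRecover(priv *rsa.PrivateKey, ef *EncryptedFile) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ef.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("key unwrap failed: %w", err)
	}
	aead, err := symmetricAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ef.Nonce, ef.Ciphertext, nil)
}

// demo runs the exchange end to end and reports whether the attackers' key
// recovers the file and whether an unrelated private key is rejected.
func demo() (recovered bool, wrongKeyRejected bool, err error) {
	attackerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	original := []byte("constructed sample document: quarterly report") // constructed input
	ef, err := lockerEncrypt(&attackerKey.PublicKey, original)
	if err != nil {
		return false, false, err
	}
	got, err := decryptorRecover(attackerKey, ef)
	if err != nil {
		return false, false, err
	}
	recovered = bytes.Equal(got, original)
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return recovered, false, err
	}
	_, err = decryptorRecover(otherKey, ef)
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered with attackers' key: %v; other key rejected: %v\n", ok, rejected)
}
```

The point for a responder is the last step of lockerEncrypt: once the plaintext key is wiped, nothing on the infected machine can reproduce it, so recovery depends entirely on who holds the RSA private key. In STOP/Djvu's online mode that key stays on the attackers' server; only the offline fallback key is shared between victims, which is why a decryptor can exist for some infections and not others.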

How to remove Skylock Ransomware and decrypt .skylock files

Skylock is a new ransomware variant from the MedusaLocker family. Upon successful infiltration, the virus encrypts files (using AES and RSA cryptography) and appends the .skylock extension to them. For instance, a file like 1.pdf will change to 1.pdf.skylock after encryption. To reverse the damage and get the blocked data back, cybercriminals present decryption instructions in the How_to_back_files.html file. In general, victims are told they need to purchase special decryption software from the cybercriminals behind the infection. To do so they have to contact the extortionists through one of the listed channels (a link opened in the TOR browser or the provided e-mail addresses). The note also says victims may send 2–3 files that do not contain any important information and get them back decrypted for free, to prove that the threat actors are actually capable of decrypting the files. Should victims refuse to get in touch and pay for decryption, their data will be leaked to public resources, which may cause reputational damage to the user's company or personal identity. Unfortunately, even though paying may be unaffordable or pointless for some users, the cybercriminals are usually the only ones able to decrypt the data.

How to remove Kiwm Ransomware and decrypt .kiwm files

If your files became unavailable and unreadable and received the .kiwm extension, your computer is infected with Kiwm Ransomware (a variation of STOP Ransomware, also called DjVu Ransomware). It is a malicious program belonging to the ransomware group of viruses. This particular version was released at the beginning of April 2023. It can infect almost all modern versions of the Windows family, including Windows 7, Windows 8, Windows 10 and the latest Windows 11. The malware uses a hybrid encryption scheme with a long RSA key, which virtually eliminates any possibility of brute-forcing the key and decrypting the files on your own. Like other similar viruses, the goal of Kiwm Ransomware is to force users to buy the program and key needed to decrypt the encrypted files. The version under research today is almost identical to the previous ones, except for the new contact e-mails and the new extension.

How to remove Kitz Ransomware and decrypt .kitz files

Kitz Ransomware (belonging to the family of STOP Ransomware or Djvu Ransomware) is a high-risk file-encrypting virus that affects Windows systems. At the beginning of April 2023 the new generation of this malware started encoding files and marking them with the .kitz extension. The virus targets important and valuable file types such as photos, documents, videos and archives; encrypted files become unusable. The ransomware places the _readme.txt file, called the "ransom note" or "ransom-demanding note", on the desktop and in the folders with encrypted files. The developers use the following e-mails for contact: support@freshmail.top and datarestorehelp@airmail.cc. The hackers demand $980 for decryption of your files (the note states that victims get a 50% discount, i.e. $490, if they contact the cybercriminals within 72 hours of the encryption). According to many reports, the malefactors often do not reply to victims after receiving the ransom payment. We strongly recommend not paying any money. Files encrypted by some versions of Kitz Ransomware can be decrypted with the STOP Djvu Decryptor, but only when the infected machine could not reach the attackers' server and the malware fell back to its built-in offline key; files encrypted with a per-victim online key cannot be decrypted by the tool.
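As an added example for the decryptor caveat above (not a tool from the original page or from the decryptor's authors), the following Go program reads the personal ID, contact addresses and prices out of a _readme.txt and, together with the encrypted file's extension, decides whether running the STOP Djvu Decryptor is worth the time. It relies on two documented facts about the family: the personal ID is also written to C:\SystemID\PersonalID.txt, and IDs produced with the offline key end in "t1", which are the only ones the decryptor can handle, and then only for variants whose offline private key it already has. The note text and the personal ID are constructed for the example; the function and type names are assumptions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Extensions of the STOP/Djvu variants from April 2023 covered on this page.
var stopDjvuExtensions = map[string]bool{
	".boty": true, ".boza": true, ".kiop": true,
	".kiwm": true, ".kitz": true, ".kifr": true,
}

// Triage is what can be read off one _readme.txt and one encrypted file name
// before deciding whether to run the STOP Djvu Decryptor.
type Triage struct {
	Extension    string
	KnownVariant bool
	PersonalID   string
	OfflineKey   bool // ID ends in "t1": the built-in offline key was used
	TryDecryptor bool
	Contacts     []string
	Prices       []string
}

var (
	idRe    = regexp.MustCompile(`Your personal ID:\s*([A-Za-z0-9]+)`)
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	priceRe = regexp.MustCompile(`\$[0-9]+`)
)

// triageNote extracts the identifiers a responder needs from the note text
// and the variant from the encrypted file's extension.
func triageNote(note, encryptedName string) Triage {
	ext := strings.ToLower(filepath.Ext(encryptedName))
	t := Triage{Extension: ext, KnownVariant: stopDjvuExtensions[ext]}
	if m := idRe.FindStringSubmatch(note); m != nil {
		t.PersonalID = m[1]
		t.OfflineKey = strings.HasSuffix(t.PersonalID, "t1")
	}
	t.Contacts = unique(emailRe.FindAllString(note, -1))
	t.Prices = unique(priceRe.FindAllString(note, -1))
	// The decryptor only helps for offline IDs of variants it already knows.
	t.TryDecryptor = t.KnownVariant && t.OfflineKey
	return t
}

func unique(in []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, s := range in {
		if !seen[s] {
			seen[s] = true
			out = append(out, s)
		}
	}
	return out
}

// Recommendation turns the triage result into the responder's next step.
func (t Triage) Recommendation() string {
	switch {
	case !t.KnownVariant:
		return "extension is not in the STOP/Djvu list on this page; identify the family first"
	case t.PersonalID == "":
		return "no personal ID in the note; check C:\\SystemID\\PersonalID.txt"
	case t.OfflineKey:
		return "offline ID: run the STOP Djvu Decryptor on a copy of the files"
	default:
		return "online ID: the private key is only on the attackers' server; keep the encrypted files in case a key becomes available later"
	}
}

// sampleNote is a constructed note modelled on the _readme.txt described
// above; the personal ID is made up.
const sampleNote = `ATTENTION!
Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that's price for you is $490.
To get this software you need write on our e-mail:
support@freshmail.top
Reserve e-mail address to contact us:
datarestorehelp@airmail.cc
Your personal ID:
0ABCdefGHIjklMNOpqrSTUvwxYZ0123456789t1`

func main() {
	t := triageNote(sampleNote, `C:\Users\victim\Documents\report.docx.kitz`)
	fmt.Printf("%+v\n%s\n", t, t.Recommendation())
}
```

Run it against a real note only after the files have been copied elsewhere; a decryptor that is given the wrong key cannot damage correctly backed-up copies, and the online-ID case is the common one, so the honest outcome of this check is often "keep the files and wait".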

How to remove BlackByteNT Ransomware and decrypt .blackbytent files

BlackByteNT is a recently discovered ransomware infection. After it infiltrates the system, all potentially important file types become inaccessible due to full encryption. In addition to encrypting data, the file encryptor replaces original filenames with a random string of characters followed by the .blackbytent extension. For instance, a file like 1.pdf will change to something like dnoJJlc=.blackbytent and lose its original icon as well. The last significant part of the ransomware is BB_Readme_[random_string].txt, a ransom note that contains decryption guidelines. The cybercriminals say the data has been encrypted and exfiltrated to their servers. To regain access and prevent the data from being leaked, victims are told to cooperate with the extortionists and follow the instructions behind the TOR link provided in the note. Should victims delay communication, the price for decryption will rise, and after 4 days of inaction victims will no longer be able to use the criminals' decryption service. Lastly, the crooks warn victims against using third-party decryption tools, claiming there is a risk of damaging the files and therefore losing any possibility of decrypting them.

How to remove Kifr Ransomware and decrypt .kifr files

STOP Ransomware (Djvu Ransomware) is by most counts the most common file-encrypting virus in the world. The encryptor follows the classical scheme: it encrypts files, adds a new extension to them and places a ransom note on the infected machine. By many estimates, more than 50% of ransomware-infected computers are infected with STOP Ransomware. Its second name, Djvu Ransomware, comes from the .djvu extension that was appended to files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to the present day. A recent variation of the malware (Kifr Ransomware appeared in April 2023) adds the .kifr extension to files. Kifr Ransomware encrypts victims' files with a symmetric cipher (Salsa20, as in the rest of the STOP/Djvu family) under a secret key, and that key is in turn encrypted with RSA so that only the attackers can recover it. The symmetric cipher itself is sound and is used to protect sensitive data in many applications; the strength of the scheme lies in the secret key, which the victim never sees in plain form. Affected files therefore remain inaccessible without a special "decryptor", which has to be bought from the hackers.