
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Skylock Ransomware and decrypt .skylock files

Skylock is a new ransomware variant from the MedusaLocker family. Upon successful infiltration, the virus encrypts files (using AES and RSA cryptography) and appends the .skylock extension to them. For instance, a file like 1.pdf will change to 1.pdf.skylock after encryption. To reverse the damage and return the blocked data, cybercriminals present decryption instructions inside the How_to_back_files.html file. In general, victims are told they need to purchase special decryption software from the cybercriminals behind the infection. To do so, they have to establish contact with the extortionists through one of the offered communication channels (either via the link in the TOR browser or the provided e-mail addresses). The note also says victims can send 2–3 files that do not contain any important information and get them back decrypted for free; this is meant to prove that the threat actors are actually capable of decrypting the files. Should victims refuse to get in touch with the extortionists and pay for decryption, their data will be leaked to public resources, which may cause reputational damage to the users' company or personal identity. Unfortunately, even though decryption can be unaffordable or unnecessary for some users, cybercriminals are usually the only ones able to decrypt the data.

How to remove Kiwm Ransomware and decrypt .kiwm files

If your files became unavailable and unreadable and got the .kiwm extension, it means your computer is infected with Kiwm Ransomware (a variation of STOP Ransomware, sometimes also called DjVu Ransomware). It is a malicious program that belongs to the group of ransomware viruses. This particular version was released in the beginning of April 2023. The virus can infect almost all modern versions of the Windows family of operating systems, including Windows 7, Windows 8, Windows 10 and the latest Windows 11. The malware uses a hybrid encryption mode and a long RSA key, which virtually eliminates the possibility of recovering the key and decrypting the files yourself. Like other similar viruses, the goal of Kiwm Ransomware is to force users to buy the program and key needed to decrypt the files that have been encrypted. The version under research today is almost identical to the previous ones, except for the new e-mails used for contacting the malefactors and the new extension added.

How to remove Kitz Ransomware and decrypt .kitz files

Kitz Ransomware (which belongs to the family of STOP Ransomware, also known as Djvu Ransomware) is a high-risk file-encrypting virus that affects Windows systems. In the beginning of April 2023, the new generation of this malware started encoding files using the .kitz extension. The virus targets important and valuable file types such as photos, documents, videos and archives; encrypted files become unusable. The ransomware puts a _readme.txt file, called a "ransom note" or "ransom-demanding note", on the desktop and in the folders with encrypted files. The developers use the following e-mails for contact: support@freshmail.top and datarestorehelp@airmail.cc. The hackers demand $980 for the decryption of your files (the message states that victims will get a 50% discount if they contact the cybercriminals within 72 hours after the encryption). According to many reports, the malefactors often don't reply to victims once they receive the ransom payment. We strongly do not recommend paying any money. Files encrypted by some versions of Kitz Ransomware can be decrypted with the help of STOP Djvu Decryptor.

How to remove BlackByteNT Ransomware and decrypt .blackbytent files

BlackByteNT is a recently discovered ransomware infection. After the system gets infiltrated with it, all potentially important file types become inaccessible due to full-fledged encryption. In addition to encrypting the data, the file encryptor also replaces original filenames with a random string of characters and adds the .blackbytent extension at the end. For instance, a file like 1.pdf will change to something like dnoJJlc=.blackbytent and lose its original icon as well. The last significant part of the ransomware is BB_Readme_[random_string].txt, a ransom note that contains decryption guidelines. The cybercriminals say the data has been encrypted and exfiltrated to their servers. In order to regain access and prevent the data from being leaked, victims are told to cooperate with the extortionists and follow the information presented through the TOR link provided within the note. Should victims delay communication, the price for decryption will rise, and after 4 days of inaction, victims will no longer be able to use the decryption services of the cybercriminals. Lastly, the crooks warn victims against using third-party decryption tools, claiming there is a risk of damaging the files and therefore losing the possibility of ever decrypting them.

How to remove Kifr Ransomware and decrypt .kifr files

STOP Ransomware (Djvu Ransomware) is officially the most common encryption virus in the world. The encryptor operates according to the classical scheme: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine. More than 50% of ransomware-infected computers are infected with STOP Ransomware. It got its second name, Djvu Ransomware, after the .djvu extension that was appended to the files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to the present day. A recent variation of the malware (Kifr Ransomware, which appeared in April 2023) adds the .kifr extension to files. Kifr Ransomware encrypts victims' files using the AES encryption algorithm. AES (Advanced Encryption Standard) is a widely used symmetric encryption algorithm that is considered secure and is used to protect sensitive data in many applications. AES encryption uses a secret key to encrypt and decrypt data, and the strength of the encryption depends on the length of the key used. Of course, affected files become inaccessible without a special "decryptor", which has to be bought from the hackers.

How to remove Nitz Ransomware and decrypt .nitz files

Nitz Ransomware is part of a large family of encryption viruses with over a year of history. It has undergone multiple visual and technical modifications during that time. This article will describe the peculiar properties of the latest versions of this malware. Since the beginning of April 2023, STOP Ransomware has started to add the following extension to encrypted files: .nitz. After the name of the extension, it is called "Nitz Ransomware". The virus modifies the "hosts" file to block Windows updates, antivirus programs, and sites related to security news. The infection process also looks like the installation of Windows updates; the malware generates a fake window and progress bar for this. This version of STOP Ransomware now uses the following e-mail addresses: support@freshmail.top and datarestorehelp@airmail.cc. STOP Ransomware creates the ransom note file _readme.txt.

How to remove Niwm Ransomware and decrypt .niwm files

If you landed on this article, you most likely got hit by Niwm Ransomware, which encrypted your files and changed their extensions to .niwm. The name Niwm is given to this malware only to help users find the removal and decryption solution, and it comes from the suffix it appends. In fact, this is just the 681st version of STOP Ransomware (sometimes called Djvu Ransomware), which has been active for more than 5 years and has become one of the most widespread ransomware families. Niwm was released in the first days of April 2023. Unfortunately, there is a low chance of 100% decryption now, as it uses strong encryption algorithms; however, with the instructions below you will be able to recover some files. Niwm uses a combination of the RSA and AES encryption algorithms to encrypt the victim's files: the AES algorithm encrypts the victim's files, and the RSA algorithm encrypts the AES key. The AES key is generated randomly for each victim and is stored on the attacker's server. But first you need to remove the ransomware files and kill its processes. Below is an example of the Niwm Ransomware ransom note that it leaves on the desktop (_readme.txt). It is quite typical and has remained almost the same, with minor changes, for several years.

How to remove Cylance Ransomware and decrypt .Cylance files

Cylance is the name of a ransomware infection that targets Windows and Linux users. Users infected with this type of malware will no longer be able to access their data due to encryption. In addition, victims will see the affected files modified with the .Cylance extension. After this, they will no longer be accessible, and victims will have to follow the decryption instructions in the generated ransom note (named CYLANCE_README.txt). Please note that Cylance Ransomware has nothing to do with Cylance by BlackBerry, a legitimate enterprise cybersecurity solution. In general, the ransom note says the victim's data has been encrypted and the cybercriminals are the only holders of the private keys able to decrypt it. To obtain this key and presumably software for running decryption, victims are instructed to contact the swindlers via e-mail and transfer money to them. The price is undisclosed and most likely calculated for each victim separately. Additionally, the cybercriminals also offer to test decryption for free by sending one encrypted file. No matter how trustworthy the cybercriminals seem, it is always advised against collaborating with them and paying the ransom. Many victims end up fooled and do not receive the promised decryption tools. While this has not been reported to be the case with Cylance Ransomware, the risk exists nonetheless.