Ransomware

Qoqa Ransomware (that is a part of a large family of STOP/Djvu Ransomware) is an obnoxious virus, that encrypts files on computers using the AES encryption algorithm, makes them unavailable, and demands money in exchange for so-called "decryptor". Files processed by the latest version of STOP Ransomware, in particular, can be distinguished by .qoqa extensions. The analysis showed that the cryptographic installer loaded with the "crack" or adware is installed under an arbitrary name in the %LocalAppData%\ folder. When executed, it loads four executable files there: 1.exe, 2.exe, 3.exe and updatewin.exe. The first of them is responsible for neutralizing Windows Defender, the second is for blocking access to information security sites. After the malware is launched, a fake message appears on the screen that says about installing the update for Windows. In fact, at this moment, almost all user files on the computer are encrypted. In each folder containing encrypted documents, a text file (_readme.txt) appears, in which attackers explain the operation of the virus. They offer to pay them a ransom for decryption, urging them not to use third-party programs, as this can lead to the deletion of all documents.

Roghe is a ransomware virus targeting personal data of victims. After the malware infects a targeted system, it starts encryption of potentially important files making them inaccessible until a decryption key is retrieved. During the encryption process, Roghe Ransomware assigns the .enc extension to infected files. For instance, a file like 1.pdf will turn to 1.pdf.enc and so forth with other affected files. Once all files become enciphered, the virus changes the desktop wallpapers and force-opens a pop-up window that features decryption guidelines. The text featured on newly-assigned wallpapers lets users know they have been infected and encourages them to follow instructions from the opened pop-up window. In addition, it also features a QR code leading to more information about the malware. The "Roghe Decryptor" window says victims have 15 minutes to retrieve the key and paste it for unlocking access to files - otherwise, the encrypted files will be deleted forever. It also says that within 20 minutes operating system will be inaccessible, essentially becoming locked.

New wave of STOP Ransomware infection continues with Qowd Ransomware, that appends .qowd extensions. STOP Ransomware was first detected in 2018 and has since evolved into one of the most prevalent types of ransomware. Those ".qowd" extensions are added to encrypted files in the end of February 2023. This tricky virus uses the AES encryption algorithm to encode users' important information. As a rule, Qowd Ransomware attacks photos, videos, and documents - data, that people value. The malware developers extort ransom and promise to provide a decryption key in return. Full decryption of lost data is possible in a minority of cases, if an offline encryption key was used, otherwise, use instructions on the page to recover enciphered files. The ransomware also creates a ransom note (_readme.txt) that informs the victim about the attack and demands payment in Bitcoin or other cryptocurrencies in exchange for the decryption key.

Iotr Ransomware (sometimes called STOP Ransomware or DjVu Ransomware) is a wide-spread encryption virus, that first appeared in December 2017. Since then, lots of technical and design changes took place, and a few generations of malware changed. Ransomware uses the AES-256 (CFB-mode) encryption algorithm to encode user's files, and after this last version (appeared in the end of February 2023) appends .iotr extensions. After encryption, virus creates a text file _readme.txt, which is called "ransom note", where hackers disclose ransom amount, contact information, and instructions to pay it. STOP Ransomware with .iotr file extensions use following e-mails: support@freshmail.top and datarestorehelp@airmail.cc, just like dozens of its predecessors.

Kangaroo is a ransomware infection released by developers behind earlier file-encryptors, such as Apocalypse, Fabiansomware, and Esmeralda. Although this file-encryptor was actively circulating in 2021, some users may still end up penetrated by it these days. The purpose of malware within this category is to encrypt potentially important data and extort money for decryption from victims. The feature that makes Kangaroo stand out among other common ransomware infections is that it configures registry values to display a ransom message prior to entering the Windows log-in screen. Immediately after logging into the system, it also displays a fake screen with the same ransom message but this time with a dedicated field for inserting a password to unlock it. During encryption, Kangaroo also assigns the .crypted_file extension and creates identical ransom messages in form of text notes. Such text notes get created additionally to each encrypted file and are named based on the post-encryption file's name (like here 1.pdf.crypted_file.Instructions_Data_Recovery.txt).

Ioqa Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is an extremely dangerous virus that encrypts files using AES-256 encryption algorithm and adds .ioqa extensions to affected files. The infection mostly involves important and valuable files, like photos, documents, databases, e-mails, videos, etc. Ioqa Ransomware does not touch system files to allow Windows to operate, so users will be able to pay the ransom. If the malware server is unavailable (computer is not connected to the Internet, remote hackers' server does not work), then the encryption tool uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Ioqa Ransomware creates _readme.txt file, that contains ransom message and contact details, on the desktop and in the folders with encrypted files. Developers can be contacted via e-mail: support@freshmail.top and datarestorehelp@airmail.cc.

Mikel Ransomware is a malicious infection designed to encrypt personal data and extort money for its decryption. It is also identified as a new variant of another file-encryptor named Proxima. During encryption, Mikel Ransomware assigns the .mikel extension to highlight the change. For instance, a file like 1.pdf will change to 1.pdf.mikel and reset its original icon. Please note that deleting the assigned extension from the encrypted file will not return access to it. Encryption makes data permanently locked and requires decryption keys to unlock it. After the encryption is complete, the virus creates the Mikel_Help.txt text note with instructions regarding decryption.

STOP Ransomware is a sophisticated encryption virus, that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest version (Iowd Ransomware), appeared in the middle of February 2023, adds .iowd extension to files and makes them unreadable. To date, the family includes about more than 600 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe and South America, India, and Southeast Asia. The threat also affected the United States, Australia, and South Africa. Although the Iowd virus is less known than GandCrab, Dharma, and other ransomware trojans, it is this year that accounts for more than half of the detected attacks. Moreover, the next rating participant, the aforementioned Dharma, lags behind him by this indicator by more than four times. A significant role in the prevalence of STOP Ransomware is played by its diversity: in the most active periods, experts found three or four new versions daily, each of which hit several thousand victims.