Ransomware

AUDIT Ransomware is yet another version of notorious ransomware virus from Crysis-Dharma-Cezar family. Now it adds .AUDIT extension to encrypted files (please, do not confuse with Nessus Pro's report files). This variation of ransomware currently doesn't have decryptor, however, we recommend you to try instructions below to recover affected files. Dharma-AUDIT Ransomware appends suffix, that consists of several parts, such as: unique user's id, developer's e-mail address and, finally, .AUDIT suffix, from which it got its name. The pattern of filename modification looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].AUDIT. According to our information, hackers demand $10000 ransom from the victims. Bad news are, that using cryptocurrency and TOR-hosted payment websites makes it almost impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. Unfortunately, manual or automatic decryption is impossible unless ransomware was developed with mistakes or has certain execution errors, flaws or vulnerabilities. We do not recommend to pay any money to malefactors. However, good news are, that often, after some period of time security specialists from antivirus companies or individual researchers decode the algorithms and release decryption keys or police finds servers and unveils the master keys.

CryptConsole 3 Ransomware is the successor of CryptConsole and CryptConsole 2 ransomware viruses. This crypto-extortionist encrypts data on servers and PCs using AES, and then requires a ransom of 0.14 BTC (or sometimes $50) to return files. Virus was created on C# for the Microsoft .NET Framework. The third generation of CryptConsole started spreading in June, 2018. Most of variations extort 50$. They offer to decrypt 1 file for free, but the overall cost will then increase on 50$. Mention that CryptConsole 1 and CryptConsole 2 can be decrypted with a tool developed by Michael Gillespie (download below). The third version is currently undecryptable. You can restore files form bacckups, but if you don't have backups, follow instructions below to attmempt restoring files using standard Windows featutes or using file-recovery software.

GandCrab V5.0.5 Ransomware is fifth generation of high-risk GandCrab Ransomware. Probably, this virus was developed in Russia. This crypto-extortor encrypts user and server data using the Salsa20 algorithm, and RSA-2048 is used for auxiliary key encryption. 5-th version appends .[5-random-letters] extension to encrypted files and creates ransom note called [5-random-letters]-DECRYPT.txt. Examples of ransom notes: VSVDV-DECRYPT.html, FBKDP-DECRYPT.html, IBAGX-DECRYPT.html, QIKKA-DECRYPT.html. GandCrab V5.0.5 Ransomware demands $800 ransom in BitCoins or DASH cryptocurrencies for decryption. However, often, malefactors deceive users and don't send keys. Thus, victim won't recover her/his files, but put credentials at risk on doubtful exchange of cryptocurrencies.

Minotaur Ransomware is new type of ransomware, that encrypts user files and demands 0.125 Bitcoins for decryption. All files encrypted by Minotaur receive .Lock extension. According to security specialists, Minotaur Ransomware firstly attacks data on flash drives, and only then switches to local drives. Currently, there is no way to return captured files. If you have backups, you need to remove Minotaur Ransomware from your computer, make sure it is not active and restore from backups. Otherwise, you can make attempt to recover files using instructions below (restore points, previous versions of files, data recovery software). Please, remember, that by paying to racketeers, you put your credentials at risk. Often, after some time antivirus companies or individual enthusiasts break encryption algorithms amd release decryption tools. Of you won't succeed in restoring your files today, preserve important data for possible recovery in future.

In this article we descrbe third generation of STOP Ransomware, previous two versions were described by our team earlier. This variation was actively spreaded in August and September, 2018. Virus already attacked users from 25 countries including Brazil, Chile, Vietnam, USA, United Arab Emirates, Egypt, Algeria, Indonesia, India, Iran, Poland, Belarus, Ukraine. This variation uses uses symmetric and asymmetric cryptography and adds .KEYPASS, .WHY or .SAVEfiles extensions to the files after encryption. Intruders demand $300 ransom for decryption. They offer to decrypt up to 3 random files for free, to prove that decryption is possible. Hackers also warn, that if amount is not paid within 72 hours data restoration will be impossible.

Magniber My Decryptor Ransomware is wide-spread crypto-virus, that targets Windows-PCs. Focuses on English and South Korean users. Since June 2018, Magniber attacks have shifted to other countries in the Asia-Pacific region: China, Hong Kong, Taiwan, Singapore, Malaysia, Brunei, Nepal and others. Virus got its name from the combination of the two words Magnitude + Cerber. Here, Magnitude is a collection of exploits, the last for Cerber is the vector of infection. With this threat, the Cerber malware ended its distribution in September 2017. But on the Tor site of the ransomware it is stated: My Decryptor, here is where second part of the name came from. After encryption Magniber My Decryptor Ransomware can add 5-6-7-8 or 9 random letters as file extension. Magniber My Decryptor Ransomware demands 0.2 BitCois for file decryption. Hackers threaten to double the amount in 5 days. Virus can encrypt almost any file on your computer, including MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives.

Gamma Ransomware is file-encrypting virus, categorized as ransomware and belonging to Crysis-Dharma-Cezar family. This is one of the most widespread ransomware families. It got its name due to file extension it adds to encrypted files. Virus uses complex extenion that consists of e-mail adress and unique 8-digit identification number (randomly generated). Gamma Ransomware developers demand from 0.05 to 0.5 BTC (BitCoins) for decryption, but offer to decrypt 1 non-archived file for free. The file should be less than 1 Mb. We recommend you to recover 1 random file, as it can help fo possible decoding in future. Keep the pair of encrypted and decrypted samples. Currently, there is no decryption tools available for Gamma Ransomware, however, we recommend you to use instructions and tools below. Often, users remove copies and duplicates of docmunets, photos, videos - infection may not affect deleted files. Some of removed files can be restored by using file recovery software.

Java Ransomware is extremely harmful file-encrypting virus, that belongs to the family of Dharma/Crysis ransomware. It adds .java extension to all encrypted files. Usually, this is complex suffix that contains unique id and e-mail. Java Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicios macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process.