Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove D0ggerofficial Ransomware and decrypt .locked files

D0ggerofficial is a ransomware virus that encrypts data using the AES-256 algorithm. While doing so, it also renames all targeted files (documents, videos, images, etc.) with the .locked extension. For instance, a file originally named 1.pdf will change to 1.pdf.locked and reset its original icon. Following this, D0ggerofficial displays a pop-up window with decryption instructions. The cybercriminals say victims have to pay 0.25 BTC (roughly 4,200) to retrieve a special decryption key from the cybercriminals' remote server. Victims can also obtain more detailed information by contacting the attackers via their Telegram channel (@d0ggerofficial).

How to remove Eyedocx Ransomware and decrypt .encrypted files

Eyedocx is a ransomware infection that encrypts system-stored data and presents instructions to make victims pay for the decryption. Once the encryption process is underway, all files are renamed as in this example: a file originally named 1.pdf will change to 1.pdf.encrypted and reset its icon. The assignment of random extensions is a common effect of many ransomware infections, designed to highlight the blocked data. The .encrypted extension is quite generic and can therefore be used by other ransomware variants as well. Once Eyedocx finishes encryption, it creates a text note (readme.infomation) with ransom-demanding instructions.

How to remove RAMP Ransomware and decrypt .terror_ramp3 files

RAMP is the name of a malicious PC infection classified as ransomware. The main function of such malware is to encrypt system-stored data and, very often, to extort money from victims for the recovery of files. When RAMP Ransomware blocks access to data, it also appends the .terror_ramp3 extension to mark the files visually. For instance, a file originally named 1.pdf will change its name to 1.pdf.terror_ramp3 and become inaccessible. The same will happen to other types of targeted data as well. After finishing encryption, the virus changes the desktop wallpaper and creates a text note (ramp3.txt) with recovery instructions.

How to remove Chily Ransomware and decrypt .[Chily@Dr.Com] files

Chily is the name of a ransomware infection designed to encrypt system-stored data and extort money for its decryption. During encryption, the virus also changes the files visually by appending the new .[Chily@Dr.Com] extension. To illustrate, a file originally named 1.pdf will change to 1.pdf.[Chily@Dr.Com] and reset its icon as well. After such changes, users will no longer be able to access their data as before. Chily Ransomware also changes the desktop wallpaper and creates an HTML file (Read Me.Hta) that features decryption instructions.

How to remove bDAT Ransomware and decrypt .bDAT files

bDAT is a ransomware virus that encrypts data and requires victims to contact its developers in order to recover their files. It is also suspected that bDAT belongs to a popular ransomware group known as Dharma. While the encryption process is underway, the file encryptor renames files according to the following format: [victim's ID].[bkpdata@msgsafe.io].bDAT. For instance, a file originally named 1.pdf will appear as 1.pdf.id-9ECFA84E.[bkpdata@msgsafe.io].bDAT or similar. After this, victims are presented with a pop-up window and an info.txt file featuring decryption guidelines.

How to remove Azov Ransomware and decrypt .azov files

Azov is a ransomware infection that restricts access to data by encrypting it. During this process, the virus assigns the .azov extension to all affected files and creates the RESTORE_FILES.txt note in each folder with encrypted data (including the desktop). For instance, a file originally named 1.png will change to 1.png.azov and reset its original icon.

How to remove Maze Ransomware and decrypt .maze files

Maze is a ransomware program discovered by malware researcher Jérôme Segura. This infection has been observed using RSA-2048 + ChaCha encryption algorithms and has been distributed in several different versions. Depending on the version that attacked the system, victims may see either the .maze or the .ILnnD extension added to their files. For instance, an original file like 1.pdf may end up as 1.pdf.maze or 1.pdf.ILnnD after successful encryption. After this, the virus changes the desktop wallpaper and creates either a DECRYPT-FILES.html or a DECRYPT-FILES.txt file, again depending on the version of the ransomware. Make sure you read our article below to potentially decrypt your data for free.

How to remove Phobos-Duck Ransomware and decrypt .duck files

Duck is a recent file encryptor developed and published by the Phobos ransomware family. While blocking access to data, the virus alters files' appearance by adding the generated victim's ID, the cybercriminals' e-mail address, and the .duck extension. For instance, a file originally named 1.pdf will change to something like 1.pdf.id[9ECFA84E-3316].[supprecovery@torguard.tg].duck, reset its icon, and become inaccessible. Once all data is encrypted, the cybercriminals display decryption instructions in two ransom notes (info.hta and info.txt) to extort money from victims.