Tutorials

Avaddon is a ransomware-type infection discovered by GrujaRS. It strengthens its encryption with AES and RSA algorithms so that regular users could not unlock their data. Affected files will be altered with the .avdn extension that is assigned at the end. For example, a file like 1.mp4 will experience an immediate change after encryption to 1.mp4.avdn. This change makes the file inaccessible and requires paying a ransom to decrypt it. Instructions on how to do so are presented in an HTML file ("[random_numbers]-readme.html") that is generated after the encryption process is complete.

HR is a malicious program categorized as ransomware that infects users via NAS servers. In fact, ransomware is created for earning money by encrypting data and demanding a ransom. Likewise other file-encryption malware, HR blocks various files and assigns .hr extension. Thereafter, the virus drops a text file (RANSOM_NOTE.txt) on your desktop to notify that your data has been encrypted. It also displays a list of steps that you should do to restore files. The following information says that you have to purchase a special key that costs 0.1130 BTC (1030$). Once payment is completed, you are asked to send them your ID number via the attached e-mail to check whether you have done the payment or not. Moreover, extortionists claim that using third-parties decryption tools is useless since they are obsolete and cannot handle ciphers generated by their ransomware. They try to incept you that they will not fool you and bring your files back in safety.

Vash-Sorena is a ransomware virus that encrypts files and demands to pay a fee to decrypt it. Some rumors say that it is another version developed by Dharma(CrySiS) or Banks1 family. Likewise, Vash-Sorena encrypts files according to this pattern -.[].crypto which has not been that popular around extortionists. Here is an example of compromised files reported by one of the victims - eula.1041.txt.Id-JGPXXOBN.[yourfile2020@protonmail.com].crypto. ID numbers with random hexadecimal characters are used presumably to highlight the relevance and identify victims. After successful encryption, the virus creates a text file called How_To_Decrypt_Files.txt. In this note, users are said that none of the tools can decrypt Vash-Sorena since it uses military-grade algorithms (AES and RSA 256). However, one of the victims managed to decrypt them via Kaspersky RannohDecryptor only losing file names. But, as it turned out later, you can decrypt only small files (PDFs, documents, images, etc.). Not excluded that further updates of Vash-Sorena will rectify that flaw soon. For now, there is no need in contacting them via e-mail or Telegram channel to buy their software unless you need to decrypt bigger data and do not have any backup of it. Either way, you can find all instructions and tips upon decryption in the article below.

Snatch is another malicious piece discovered by Michael Gillespie and categorized as ransomware. This virus snatches your data by encrypting it with cryptographic algorithms. Once your files get locked, you will see a new extension appended to it right away (.snatch, .wbqczq, .gdjlosvtnib, .FileSlack). For instance, normal 1.mp4 will be changed to 1.mp4.FileSlack or similarly. As usual, after the encryption process is completed, the ransomware drops a text file called Readme_Restore_Files.txt (in recent cases HOW TO RESTORE YOUR FILES.TXT). In this document, ransomware developers provide brief instructions on how to salvage your data. For this, you should contact them via attached e-mail to get further commands. Unfortunately, because Snatch Ransomware always updates and improves its algorithms, there is no free tool that can decrypt files ciphered by Snatch. Even if you venture to pay for software offered by cybercriminals, there is a high risk that you will be dumbed and hijacked. The only workable way to get your files back is delete Snatch Ransomware and copy your files back from external backups.

STOP Ransomware (also known as DJVU Ransomware) is ruinous virus, whose operating principle is based on strong file encryption and money extortion. There have been more, than 230 versions of this malware, with several major modifications and numerous minor changes. Recent ones use random 4-letter extensions added to affected files, to indicate that they are encrypted. Since the very beginning STOP Ransomware has used the AES-256 (CFB mode) encryption algorithm. Depending on exact extension there are slightly different, but similar removal and decryption methods. Variation under research today uses .nypd, .usam, .zwer or .kkll extensions. STOP Ransomware uses system directories to store its own files. In order to start automatically each time the OS starts, the encryptor creates an entry in the Windows registry section that defines the list of programs that start when the computer is turned on or restarted. Therefore, to be able to decrypt your files you need to remove the virus first. The technical peculiarity of this malware allows users to decrypt files successfully in some cases. The matter is STOP Ransomware tries to connect its server every time it starts encryption on a victim's computer. In case of a successful connection, each victim is assigned a unique key and that is impossible to retrieve. However, sometimes malfunction occurs, and the virus process either cannot connect to its command server or victim's computer disconnects to the Internet.

Crypren Ransomware is a type of malware that compromises your data by running encryption with the .ENCRYPTED extension. For instance, 1.mp4 or other regular files will be changed to 1.mp4.ENCRYPTED or similarly. Usually, due to asymmetric algorithms that are applied during encryption, the inflicted data becomes almost impossible to unlock. However, thanks to a security researcher named pekeinfo, there is no need in paying for decryption software. Besides that, we should point out that after the malware has finished the first step, it drops the READ_THIS_TO_DECRYPT.html file in each folder containing affected files. In this note, swindlers inform users about paid decryption service that requires buying a private key. Also, you are given 1 week to contact cybercriminals before your unique key will be destroyed. This key costs precisely 0.1 BTC (approximately 900 dollars). Luckily, you can download and use the decryption tool developed by pekeinfo in the article below. It turned out that Crypren Ransomware had a serious crack - they stored their keys locally.