Tutorials

UraLocker Ransomware is a newly identified crypto-malware strain designed to deny victims access to their personal files until a ransom is paid. Upon infection, it encrypts a broad range of file formats on the compromised device using strong 2048-bit RSA public-key encryption, effectively making the files inaccessible without a corresponding private decryption key held by the attackers. After successful encryption, the ransomware appends the extension .rdplocked to every affected file, transforming, for example, picture.jpg into picture.jpg.rdplocked, and does this for all targeted file types across the drive. In addition to locking critical data, it drops a ransom note named Decrypt.html into numerous folders where files were encrypted, and also changes the desktop wallpaper with a message warning users about the attack. This ransom note instructs victims to pay a specific Bitcoin amount and to contact the criminals via a qTox ID for decryption instructions. The attackers threaten permanent data loss if contact is not initiated, further pressuring victims to comply.

Basta Ransomware is an advanced strain of crypto-malware that belongs to the notorious Makop ransomware family and is designed to encrypt files on a victim’s Windows device while demanding a ransom for decryption. Upon successful infiltration, it systematically targets user data - including documents, photos, videos, and databases - and applies powerful cryptographic algorithms to render the files inaccessible. During this process, Basta appends a complex file extension to every locked file, for example, changing picture.jpg to picture.jpg.[victimID].[basta2025@onionmail.com].basta, which includes a unique victim identifier, a contact email, and the .basta extension. After encryption, Basta leaves its distinctive ransom note, named README-WARNING+.txt, in every folder that contains encrypted files. The ransom note informs victims that their data has been both encrypted and stolen, threatening to leak or destroy the data if demands are not met and strictly instructing the victim to contact the attackers (typically through an email address on the note). It explicitly warns users against using third-party decryption services, threatening permanent data loss or further extortion if attempts are made.

Dire Wolf Ransomware is a sophisticated strain of crypto-malware that targets Windows systems, functioning primarily as a file-locking ransomware. Upon successful infiltration, it systematically encrypts a vast array of commonly used file types—documents, images, archives, and more—effectively rendering them inaccessible to their owners. To mark its handiwork and make identification obvious, .direwolf is appended as a new extension to each affected file, transforming names such as report.docx into report.docx.direwolf. This variant typically relies on advanced cryptographic algorithms, most likely AES or RSA, which ensures that breaking the encryption without access to the unique decryption key possessed by the attackers is virtually impossible. Following encryption, it generates an ominous ransom note named HowToRecoveryFiles.txt and places it strategically in every folder containing locked files, as well as the desktop, to maximize the likelihood that victims will see it immediately. The note threatens public disclosure of stolen data and urges the victim to contact the attackers within a limited confidentiality window for possible recovery. It typically contains unique credentials, links to a live chat, and instructions for reaching an official site hosted on Tor, suggesting a well-organized criminal operation behind the attack. Victims often experience symptoms like being unable to open files, noticing the new extension, and seeing the desktop or folders populated with ransom messages.

Midnight Ransomware is a dangerous file-encrypting malware strain identified as part of the Babuk ransomware family, discovered during active research on malicious file submissions to VirusTotal. It is designed to illegally extort victims by encrypting all accessible files on an infected system, rendering user data unusable and then demanding a hefty ransom for restoration. Once activated, Midnight Ransomware systematically renames every targeted file by appending the .Midnight extension, so, for example, a file named invoice.pdf would become invoice.pdf.Midnight. This aggressive malware utilizes robust cryptographic algorithms, typically leveraging a combination of symmetric and asymmetric encryption, which makes decryption nearly impossible without a private key stored on the attackers’ remote servers. When the encryption process concludes, the victim will find a ransom note named How To Restore Your Files.txt dropped into affected folders. This note informs users that their files are locked and threatens permanent data loss or public data leaks unless instructions are followed and payment is made within a few days, with late payment resulting in a higher ransom.

Datarip Ransomware is a recent and highly disruptive strain of file-encrypting malware that targets Windows systems, originating from the notorious MedusaLocker family. Once executed on a victim’s device, it systematically scans for documents, images, videos, databases, and many other file types, encrypting them using robust RSA and AES cryptographic algorithms. Following successful encryption, the ransomware appends a unique .datarip extension to every affected file, making them instantly unrecognizable and inaccessible without the decryption key. For instance, a file previously named holiday.jpg becomes holiday.jpg.datarip, clearly signaling to users that their data is under hostage. To further its intimidation, the malware alters the desktop wallpaper and drops a ransom note - RETURN_DATA.html - directly onto the desktop and within folders containing encrypted content, ensuring the victim’s awareness is immediate and persistent. This HTML ransom note sternly warns against using third-party recovery tools, renaming encrypted files, or modifying them, as these actions may result in irreversible data corruption. Compounding the pressure, the criminals claim to have exfiltrated sensitive data and threaten to leak or sell this information unless contact is made and payment arranged within a strict time frame. Contact details, typically anonymous email accounts, are provided for negotiations, where victims are encouraged to send samples for "free decryption" as proof of capability. Datarip’s communication tactics underscore the dual risk of permanent data loss and potential privacy breaches.

APEX Ransomware is a highly disruptive strain of malicious software that targets Windows systems, designed to extort victims by rendering their files completely inaccessible through strong cryptographic algorithms. Detected in the wild by malware researchers and submitted to public repositories like VirusTotal, this ransomware encrypts a wide array of personal and business files, systematically appending a new custom extension, .Apex, to every file it processes, such as transforming report.pdf into report.pdf.Apex. On top of the file modification, it generates a ransom note named APEXNOTE.txt in every folder where encrypted files reside. The encryption employed by APEX employs robust methods—likely using AES or RSA encryption, as with many modern ransomware variants—making unauthorized file recovery virtually impossible without a unique decryption key held by the attackers. The ransom note typically demands a payment of $10,000 in Bitcoin through a specified darknet portal, threatening to destroy the decryption tool if the ransom is not paid within 24 hours.

PANDA Ransomware represents a severe form of crypto-malware designed to encrypt victims’ files and demand exorbitant ransoms in exchange for decryption. Upon executing its malicious payload, this ransomware begins by targeting a wide array of file types and methodically encrypts them using robust cryptographic algorithms, often believed to be advanced AES or similar military-grade encryption. An unambiguous marker of this attack is the addition of the .panda file extension to every compromised file; an image like photo.jpg becomes photo.jpg.panda, signaling to the victim that their data is now inaccessible. Following full encryption, README.txt - a ransom note - appears throughout directories containing locked files and typically is also placed on the desktop. This note contains explicit instructions: pay $50,000 USD in Bitcoin within three days through a TOR-hosted payment portal or risk permanent data loss as the decryption key is allegedly destroyed after the deadline. Simultaneously, the desktop wallpaper is replaced with a visually alarming message urging the victim to consult the ransom note for details.

TXTME Ransomware is a recent and highly disruptive file-locking malware strain belonging to the notorious Dharma family, known for targeting Windows systems through malicious email attachments, pirated software, exploit kits, and especially weakly protected RDP services. Upon successful infiltration, this threat commences a systematic file-encryption routine that renders personal documents, photos, and other files completely inaccessible without the cryptographic key held by the attackers. As part of the encryption process, it alters filenames by appending a unique victim identifier, the attacker’s contact email, and the extension .TXTME; for example, an image file such as 1.jpg becomes 1.jpg.id-XXXXX.[ownercall@tuta.io].TXTME. The ransomware disables the system firewall, deletes Volume Shadow Copies to prevent easy recovery, and gains persistence by creating entries under Windows' Run registry keys while copying itself into the user's local application data folders. Capable of avoiding targets in specific geographic regions by extracting location data, TXTME demonstrates both technical sophistication and a keen awareness of its targets. It employs robust encryption algorithms—typically combining asymmetric and symmetric ciphers used by the Dharma/Crysis lineage—leaving files locked without any straightforward method of retrieval. Victims are then instructed, via two different ransom notes (including a popup and a dropped TXTME.txt file), to contact the cybercriminals and negotiate payment in Bitcoin for data recovery. Both the desktop pop-up and the TXTME.txt ransom note clearly warn users against renaming encrypted files or seeking third-party decryption, threatening permanent data loss for non-compliance.