Tutorials

BlackBit is a sophisticated strain of ransomware, first discovered in February 2023. It is a variant of the LokiLocker ransomware, and it uses .NET Reactor to obfuscate its code, likely to deter analysis. The ransomware is built on the Ransomware-as-a-service (RaaS) model, where ransomware groups lease out their infrastructure. BlackBit modifies filenames by prepending the spystar@onionmail.org email address, a victim's ID, and appending the .BlackBit extension to filenames. For example, it renames 1.jpg to [spystar@onionmail.org][random-id]1.jpg.BlackBit. BlackBit Ransomware likely uses a strong encryption algorithm, such as AES or RSA, to encrypt the victim's files, rendering them inaccessible without the decryption key. BlackBit ransomware creates a ransom note named Restore-My-Files.txt and places it in every folder containing encrypted files. The ransom note instructs victims to contact the attackers via spystar@onionmail.org. In addition to the text file, BlackBit also changes the desktop wallpaper and displays a pop-up window containing a ransom note.

Lomx Ransomware is a type of malicious software that belongs to the Djvu ransomware family. Its primary function is to encrypt files on the infected computer, rendering them inaccessible to the user. Once the files are encrypted, Lomx appends the .lomx extension to the file names, effectively marking them as encrypted. For example, a file originally named photo.jpg would be renamed to photo.jpg.lomx after encryption. After infecting a computer, Lomx targets various file types and encrypts them using a robust encryption algorithm. The exact encryption method used by Lomx is not specified in the provided sources, but it is common for ransomware from the Djvu family to use strong encryption algorithms that are difficult to crack without the decryption key. Lomx creates a ransom note named _readme.txt in the directories containing the encrypted files. This note informs victims that their files have been encrypted and that they must purchase a decryption tool and key from the attackers to recover their files. The note typically includes instructions on how to pay the ransom and contact information for the attackers.

Loqw Ransomware is a dangerous computer virus that belongs to the STOP (Djvu) ransomware family. Its main purpose is to encrypt files on the victim's computer and demand a ransom for their decryption. The criminals behind this ransomware use various social engineering tactics to lure unsuspecting users into downloading or running the malware. Once Loqw ransomware infects a computer, it encrypts the files and adds the .loqw extension to each filename. Loqw ransomware uses the Salsa20 encryption algorithm. This method is not the strongest, but it still provides an overwhelming amount of possible decryption keys. To brute force the 78-digit number of keys, you would need 3.5 unvigintillion years (1*10^65), even if you use the most powerful regular PC. After encrypting the files, Loqw ransomware creates a ransom note named _readme.txt. This note contains instructions for the victim on how to pay the ransom, which ranges from $490 to $980 (in Bitcoins).

GREEDYFATHER is a type of ransomware, a malicious software that encrypts data on a victim's computer and demands a ransom for its decryption. This article will provide a comprehensive understanding of GREEDYFATHER ransomware, its infection methods, the file extensions it adds, the encryption it uses, the ransom note it creates, and potential decryption tools and methods. GREEDYFATHER Ransomware appends the .GREEDYFATHER extension to the filenames of the encrypted files. For example, a file named 1.jpg would be renamed to 1.jpg.GREEDYFATHER. The specific encryption algorithm used by GREEDYFATHER ransomware is not explicitly mentioned in the search results. However, ransomware typically uses strong encryption algorithms, such as AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman), to encrypt files. These encryption methods are virtually unbreakable without the correct decryption key. After encrypting the files, GREEDYFATHER creates a ransom note named GREEDYFATHER.txt in each directory containing the encrypted files. The note reassures the victim that the encrypted files can be restored and instructs them to send a couple of locked files to the attackers for a test decryption. It also warns against the use of free decryption tools.

Ljaz Ransomware is a type of malicious software that encrypts files on a victim's computer, rendering them inaccessible. The attackers then demand a ransom, often in the form of cryptocurrency, in exchange for providing the decryption key or tool necessary to unlock the encrypted files. Ljaz Ransomware adds the .ljaz file extension to the encrypted files. Ljaz Ransomware creates a ransom note in a text file named _readme.txt. This note usually contains instructions on how to pay the ransom to get the decryption key or tool. STOP/Djvu Ransomware family uses the Salsa20 encryption algorithm to encrypt the victim's files. It also uses RSA encryption, which is one of the most commonly used encryption methods by ransomware groups. The ransomware begins its execution chain with several levels of obfuscation designed to slow down the analysis of its code by threat analysts and automated sandboxes.

Ljuy Ransomware is a type of malware that belongs to the Djvu family. It is designed to infiltrate a computer system, encrypt files, and then demand a ransom for the decryption of these files. The ransomware uses a robust ciphering algorithm known as Salsa20, which is common among all other STOP/Djvu ransomware family members. Once inside a system, Ljuy ransomware encrypts files and appends its extension (.ljuy) to filenames. For instance, it changes 1.jpg to 1.jpg.ljuy, 2.png to 2.png.ljuy, and so forth. Ljuy ransomware creates a text file named _readme.txt, which serves as the ransom note. This note contains payment and contact information. It informs the victim that their files, including pictures, databases, documents, and other crucial data, have been encrypted using a strong algorithm and can only be recovered through the purchase of a decryption tool.

BuLock Ransomware is a type of malicious software, or malware, that encrypts files on a victim's computer or network, rendering them inaccessible. The attackers then demand a ransom from the victim in exchange for the decryption key to unlock the files. The ransomware is also known as a Crypto Virus or Files Locker due to its encryption capabilities. BuLock Ransomware adds the .bulock16 extension to the files it encrypts. The digit in the extension may vary depending on the ransomware variant. BuLock Ransomware uses a combination of RSA and AES cryptographic algorithms to encrypt files. These are robust encryption methods that make it challenging to decrypt the files without the specific decryption key. BuLock Ransomware creates a ransom note named HOW_TO_BACK_FILES.html. This note informs the victim that their network has been compromised and their files encrypted. It also warns that the attackers have exfiltrated confidential data from the network, which they threaten to sell or leak online if the ransom is not paid. The note also offers the victim the chance to test decryption on 2-3 files before paying the ransom.

We noticed a login from a device you don't usually use is a common type of phishing email scam. The email typically appears to come from a reputable company, such as a social media platform or an email service provider, and informs the recipient that there has been a suspicious login to their account from an unfamiliar device. The goal of the scam is to trick the recipient into revealing their login credentials or other sensitive information. The email typically provides details of the alleged sign-in, such as the device and location used, and prompts the user to secure their account if the activity was not initiated by them. The link provided for securing the account leads to a fraudulent website designed to capture the user's login details. Once scammers obtain these login credentials, they can hijack the email account to launch further phishing attacks on the victim's contacts. The stolen credentials can also be used for identity theft or unauthorized access to other online accounts associated with the victim. In some cases, stolen email accounts can be sold on the dark web, contributing to a broader black market for compromised credentials.