Tutorials

Discovered in 2020, CoronaLock restricts access to users' data by encrypting it with ChaCha, AES and RSA algorithms. Files compromised by this ransomware, experience a change in extension to either .pandemic, .corona-lock or .biglock. For example, if 1.mp4 gets modified by the virus, it will migrate to 1.mp4.corona-lock or 1.mp4.biglock. After this, extortionists display ransom information in the note (!!!READ_ME!!!.TXT or README_LOCK.TXT) that is dropped on the desktop. Interestingly enough, people who get attacked with ".biglock" extension, do not have any contact information in the ransom note to connect with cybercriminals. It seems like its developers forgot to include it before the release. In the meantime, ".corona-lock" versions do not have that drawback and contain e-mail in the text file. If you want to take a test-decryption, you are free to send them one file.

Being categorized as ransomware-infection, Django is not a virus to be trifle with. As soon as it drops on your PC, it causes havoc around personal data by encrypting with special algorithms that do not allow third-parties tools to have any argument in the future. During data encryption, your files get altered with the .djang0unchain3d extension. This means that a file like 1.mp4 will be changed to 1.mp4.djang0unchain3d and reset its original icon. It seems like developers inspired a Hollywood movie called "Django Unchained" and decided to borrow its name. Once the encryption gets to a close, victims are presented with ransom instructions in Readme.txt that explain how to decrypt your data. Cybercriminals say that in order to retrieve your files, you should contact them via the attached e-mail address and include your ID. If you do not get an answer within 24 hours, you should write to another e-mail mentioned in the note. After this, extortionists will ask you to purchase the decryption key via the BTC wallet which will help you restore access to blocked data eventually.

Discovered recently, Dharma-2020 is a ransomware program that uses strong cryptographic algorithms to block data and demand to pay a ransom. After the virus attacks your computer, it instantly ciphers the stored files by retitling them with a criminal's e-mail address and other symbols. For example, 1.mp4 will be renamed into something like 1.mp4.id-{random-8-digit-alphanumerical-sequence}.[btckeys@aol.com].2020. After successful encryption, the program shows a message window and creates a ransom note called FILES ENCRYPTED.txt. The malware locks any attempts to decrypt your files and to use certain security programs. Then, Dharma-2020 Ransomware does a pure classic asking users to pay a ransom in BTC (from $50 to $500) and send a paycheck to their e-mail after which, they will give you a decryption program.

BlackClaw is a recent ransomware infection that uses AES and RSA algorithms to encrypt user's data. Some experts similized it with another file-encrypting virus called Billy's Apocalypse"because of similar ransom note details, however, as research continued, it turned out that there is no correlation with it. BlackClaw is an independent piece that assigns .apocalypse extension to encrypted files. For example, a file like 1.mp4 will suffer a change to 1.mp4.apocalypse. After these changes have been applied, users no longer have access to their data. The next step of BlackClaw after blocking data is dropping a text file (RECOVER YOUR FILES.hta or RECOVER YOUR FILES.txt) that notifies people about encryption. To decrypt files, users have to give 50$ over to bitcoin address mentioned in the note and contact extortionists via the Telegram channel. Thereafter, victims will supposedly get a decryption tool to restore locked files. Although 50$ is not that big amount for ransomware developers, there is still a risk of being fooled and ignored by cyber criminals after making a payment.

Determined by Jakub Kroustek, GNS Ransomware belongs to the Dharma family that encrypts users' data and demands a certain fee to get it back. Likewise other Dharma versions, GNS applies a string of symbols including victim's ID, cybercriminal's email (geniusid@protonmail.ch), and .GNS extension at the end. If an original file like 1.mp4 gets configured by GNS, it will be renamed to 1.mp4.id-9CFA2D20.[geniusid@protonmail.ch].GNS or similarly. The next stage after encryption is presenting victims with detailed instructions on the decryption process. These are incorporated in the FILES ENCRYPTED.txt file or a pop-up window that comes after encryption. Choosing to pay a ransom is also a huge risk since most people get scammed and do not receive promised tools as a result. Our guide below will teach you how to deal with such infections like GNS and create better soil for being protected in the future.

Oled-Makop Ransomware is a type of virus that aims at encrypting multiple files and demanding a payment to get decryption software. All of these symptoms are part of ransomware operation. Once installed, it is configured to cipher various kinds of data ranging from videos, images, text files, PDFs to others. Then, the isolated files are suffering a couple of changes: firstly, they change their extensions to .[e-mail@mail.cc].oled or .[e-mail@mail.cc].makop (.[somalie555@tutanota.com].makop)and reset their icons to clean sheets. For example, normal 1.mp4 will be transformed into 1.mp4.[makop@airmail.cc].makop immediately after the penetration. After that, the program creates a ransom note, called readme-warning.txt, where developers explain why your data was locked and how to recover it. To incept their trust, they are offering to decrypt one simple file with .jpg, .xls and .doc extensions (not over 1 MB) by sending it via a given e-mail as well as proceeding a payment to get a "scanner-decoder" program. Very often, decryption with third-parties tools is impossible without the involvement of malware developers. However, it does not mean that you have to gift them money since there is a risk that they will not keep their promises. Instead, you should delete Oled-Makop Ransomware from your computer to ensure further safety and recover the lost data from an external backup if possible.

Ragnar Locker is a malicious piece classified as ransomware that encrypts personal data and disables the work of installed programs like ConnectWise and Kaseya, which provide solutions for many Windows services, including data recovery, ransomware protection, and other ways to secure privacy. This is made to slacken the ability of the system to counter ransomware infection. In fact, you will not spot these changes and your data will be locked instantly. The way Ragnar Locker encrypts user's files is by assigning the .ragnar (or .ragn@r) extension with random characters. For instance, the original file named 1.mp4 will be retitled to 1.mp4.ragnar_0FE49CCB and reset its icon as well. After the encryption process gets to a close, Ragnar Locker creates a text file named according to the combination used for encrypted files (RGNR_0FE49CCB.txt). Unfortunately, attempting to use third-parties utilities for decryption, may injure data and lead to its permanent loss. Therefore, the best way to retrieve files for free is to delete Ragnar Locker Ransomware and restore blocked files from backup (USB-storage), if possible.

CONTI is a ransomware-type virus that encrypts user's data and keeps it locked until the ransom is paid. Some security experts indicate, that it can be a successor or Ryuk Ransomware. Whilst the encryption is being made, all files including photos, videos, documents, and other regular data will be altered with the new .CONTI extension. This means that the affected files will look like 1.mp4.CONTI or similarly depending on the original name. After this, successful encryption is followed up with a text file (CONTI_README.txt) that is dropped on the desktop of victims. For the moment, it is almost unreal to decrypt your files for free with the help of additional tools. If possible, you can restore your data from backup storage that was created before the infection. Either way, we recommend you to get rid of CONTI Ransomware to prevent further encryptions.