Tutorials

Dharma-Good Ransomware is typical representative of encryption viruses from Crysis-Dharma-Cezar ransomware family. This sample appends .good extension to affected files. Dharma-Good Ransomware adds complex extension, that consists of unique id, developer's e-mail and .good suffix. As a result, file named 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].good. Dharma-Good Ransomware developers can extort from $500 to $15000 ransom in BTC (BitCoins) for decryption. Usually, it is quite big amount of money, because hackers pay the commission to Dharma Ransomware as Service (RaaS) owners. Using cryptocurrency makes it impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys. Mention, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software.

Dharma-MERS Ransomware is another iteration of extremely dangerous Crysis-Dharma-Cezar ransomware family, that, in this case, adds .MERS extension to the end of the files it encrypts. Virus, actually, composes suffix using several parts: e-mail address, unique 8-digit identification number (randomly generated) and .MERS extension. So, finally, encoded files will receive following complex suffix - .id-{8-digit-id}.[{email-address}].MERS. As a rule, Dharma-type Ransomware extorts for $500 to $1500 ransom, that can be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. Using cryptocurrency makes it impossible to track the payee. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys. Mention, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software.

Dharma-Qbix Ransomware is one of the subspecies of Crysis-Dharma-Cezar ransomware family, that appends .bkpx extension to the files it encrypts. Virus utilizes extension, that consists of several parts: e-mail adress, unique 8-digit ID (randomly generated) and .qbix suffix. As a rule, Dharma-Qbix Ransomware virus asks for $500 to $1500 ransom, that have to be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. However, malefactors often do not hold back promises and do not send any decryption keys, or just ignore e-mails from victims, who paid the ransom. It is not advised to send any funds to the hackers. Usually, after some period of time security specialists from antivirus companies and individual researchers break the algorithms and release decoding key. Its noteworthy, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software and instructions given on this page.

GlobeImposter 2.0 Ransomware is the second generation of file-encrypting ransomware virus GlobeImposter. The name "GlobeImposter" was originnaly given to it by crypto-ransomware identification service called "ID-Ransomware", because of the assignment by the extortioners of the "proprietary" ransom note from the Globe Ransomware family. The purpose was to frighten the victims, to confuse the researchers, to discredit the decryption programs released for the Globe-family. Thus, all Globe-imitators, which are not decrypted by the decryption utilities released for Globe 1-2-3, received the conditional name GlobeImposter, and after that - GlobeImposter 2.0. Virus can be detected by various antivirus programs as Trojan.Encoder.7325, Trojan.Encoder.10737, Trojan.Encoder.11539, Ransom_FAKEPURGE.A or Ransom.GlobeImposter.

Obfuscated Ransomware (BigBobRoss Ransomware) is dangerous encryption virus, that uses AES-128 encryption algorithm to cipher user's files. After successful encryption it appends .obfuscated, .cheetah, .encryptedALL or .djvu extensions (latest versions also add prefix [id={8-digit-code}]). Obfuscated Ransomware creates ransom note called Read me.txt, and puts it on the desktop and in the folders with encoded data. It also modifies desktop wallpaper, placing text on white background. Malefactors allow to decrypt 1 files under 1 Mb of size for free, as a proof of operability. Obfuscated Ransomware attacks sensible files, such as photos, videos, documents, databases, etc. Virus focuses on English-speaking users, which does not prevent spread throughout the world. The first victims are from Moldova. It is currently unknown, how much they want for decryption. Of course, we do not to pay the ransom, as there are many cases when hackers don't send master keys or decryptors. There is still a chance decryption tool will be released by antivirus companies or security enthusiasts.

MegaLocker Ransomware (NamPoHyu Virus) is new ransomware virus, that encrypts data from sites, servers, using AES-128 (CBC mode), and then requires $250 ransom for individuals ($1000 for companies) in BTC to return files. Any Windows computers, Linux devices and Android devices connected to computers and network devices used to access the Internet are subject to attack. After encryption MegaLocker adds .crypted or .NamPoHyu extensions to affected files. MegaLocker Ransomware was first spotted in March, 2019, when multiple sources stated they were infected with MegaLocker Virus, that encrypted files on NAS devices with .crypted extension. In April, 2019 name was changed to NamPoHyu Virus and now .NamPoHyu extension is appended. Developers are from Russia (or Russian-speaking country). It is not recommended to pay the ransom to malefactors as there is no guarantee, they will send decryptor in return. Paying the ransom also stimulates the hackers to run malvertising campaign and infect new victims.

GandCrab v5.3 Ransomware is probably imposter of original GandCrab Ransomware family. However, it still encrypts files in similar fashion to GandCrab v5.2 Ransomware. Encrypted files get .[5-6-7-8-random-letters] extension and ransom note file has different name: [5-6-7-8-random-letters]-MANUAL.txt, however, still looks identical to previous generation. After debugging executable files security specialists find ironical comments "Jokeroo, new ransom", "We rulez!!". Jokeroo is a new Ransomware-as-a-Service, that is promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server. GandCrab Ransomware grows into separate industry, where people with bad intentions and basic computer knowledge can earn money with this criminal schemes. Some of the previous versions of GandCrab Ransomware could be decrypted with speciql decryptor from BitDefender, we will provide download link for this tool below.