Tutorials

Ljaz Ransomware is a type of malicious software that encrypts files on a victim's computer, rendering them inaccessible. The attackers then demand a ransom, often in the form of cryptocurrency, in exchange for providing the decryption key or tool necessary to unlock the encrypted files. Ljaz Ransomware adds the .ljaz file extension to the encrypted files. Ljaz Ransomware creates a ransom note in a text file named _readme.txt. This note usually contains instructions on how to pay the ransom to get the decryption key or tool. STOP/Djvu Ransomware family uses the Salsa20 encryption algorithm to encrypt the victim's files. It also uses RSA encryption, which is one of the most commonly used encryption methods by ransomware groups. The ransomware begins its execution chain with several levels of obfuscation designed to slow down the analysis of its code by threat analysts and automated sandboxes.

Ljuy Ransomware is a type of malware that belongs to the Djvu family. It is designed to infiltrate a computer system, encrypt files, and then demand a ransom for the decryption of these files. The ransomware uses a robust ciphering algorithm known as Salsa20, which is common among all other STOP/Djvu ransomware family members. Once inside a system, Ljuy ransomware encrypts files and appends its extension (.ljuy) to filenames. For instance, it changes 1.jpg to 1.jpg.ljuy, 2.png to 2.png.ljuy, and so forth. Ljuy ransomware creates a text file named _readme.txt, which serves as the ransom note. This note contains payment and contact information. It informs the victim that their files, including pictures, databases, documents, and other crucial data, have been encrypted using a strong algorithm and can only be recovered through the purchase of a decryption tool.

BuLock Ransomware is a type of malicious software, or malware, that encrypts files on a victim's computer or network, rendering them inaccessible. The attackers then demand a ransom from the victim in exchange for the decryption key to unlock the files. The ransomware is also known as a Crypto Virus or Files Locker due to its encryption capabilities. BuLock Ransomware adds the .bulock16 extension to the files it encrypts. The digit in the extension may vary depending on the ransomware variant. BuLock Ransomware uses a combination of RSA and AES cryptographic algorithms to encrypt files. These are robust encryption methods that make it challenging to decrypt the files without the specific decryption key. BuLock Ransomware creates a ransom note named HOW_TO_BACK_FILES.html. This note informs the victim that their network has been compromised and their files encrypted. It also warns that the attackers have exfiltrated confidential data from the network, which they threaten to sell or leak online if the ransom is not paid. The note also offers the victim the chance to test decryption on 2-3 files before paying the ransom.

We noticed a login from a device you don't usually use is a common type of phishing email scam. The email typically appears to come from a reputable company, such as a social media platform or an email service provider, and informs the recipient that there has been a suspicious login to their account from an unfamiliar device. The goal of the scam is to trick the recipient into revealing their login credentials or other sensitive information. The email typically provides details of the alleged sign-in, such as the device and location used, and prompts the user to secure their account if the activity was not initiated by them. The link provided for securing the account leads to a fraudulent website designed to capture the user's login details. Once scammers obtain these login credentials, they can hijack the email account to launch further phishing attacks on the victim's contacts. The stolen credentials can also be used for identity theft or unauthorized access to other online accounts associated with the victim. In some cases, stolen email accounts can be sold on the dark web, contributing to a broader black market for compromised credentials.

Hhaz Ransomware is a type of malicious software that encrypts a user's data, rendering it inaccessible. It is a variant associated with the Djvu ransomware family. The ransomware alters filenames by appending the .hhaz extension and creates a text file named _readme.txt that includes a ransom note. For instance, it transforms 1.jpg into 1.jpg.hhaz, 2.png into 2.png.hhaz, and so forth. Hhaz ransomware uses the Salsa20 encryption algorithm. If Hhaz cannot establish a connection to its server before starting the encryption process, it uses an offline key. This key is the same for all victims, potentially making it possible to decrypt .hhaz files in the future. The ransom note guarantees the targeted individual that their locked files can be recovered by acquiring a decryption tool and a specific key. The cost for decrypting the data is set at $980, with a 50% discount available if the victims reach out to the threat actors within a 72-hour window. The note underscores the absolute impossibility of data recovery without making the stipulated payment.

Hhuy Ransomware is a variant of the notorious STOP/DJVU ransomware family. It encrypts images, documents, and other important files on infected computers, rendering them inaccessible. The ransomware then demands a ransom, typically ranging from $490 to $980, payable in Bitcoins, to decrypt the files. Hhuy ransomware targets a wide range of file extensions, including but not limited to .doc, .docx, .xls, .xlsx, .ppt, .pptx, .jpg, .pdf, and .psd. Once a file is encrypted, the ransomware appends the .hhuy extension to the file name, making it impossible to open with any program. Hhuy ransomware uses the Salsa20 encryption algorithm. Although not the strongest method, it still provides an overwhelming number of possible decryption keys, making brute force attacks practically impossible with current computing technology. Upon successful encryption, Hhuy ransomware creates a ransom note named _readme.txt. This note typically contains instructions on how to pay the ransom, along with contact information for the attackers, usually in the form of email addresses.

Nbwr Ransomware is a type of file-encrypting malware that belongs to the Djvu family. It is a malicious software that encrypts user data, rendering it inaccessible. The ransomware modifies filenames by appending the .nbwr extension and generates a text file (_readme.txt) containing a ransom note. The ransom note assures the victim that their encrypted files can be restored by purchasing a decrypt tool and a unique key. The price of data decryption is usually high, with a 50% discount available if threat actors are contacted within 72 hours. The Nbwr ransomware uses the Salsa20 encryption algorithm. This method provides an overwhelming amount of possible decryption keys, making brute force attacks virtually impossible. The ransom note assures the victim that their encrypted files can be restored by purchasing a decrypt tool and a unique key.

GrafGrafel is a type of ransomware, a malicious software that encrypts data and demands a ransom for its decryption. It is part of the Phobos ransomware family. The GrafGrafel ransomware targets both local and network-shared files, leaving critical system files unaffected. Once GrafGrafel ransomware infects a computer, it encrypts files and alters their filenames. The original titles are appended with a unique ID assigned to the victim, the cyber criminals' email address, and a .GrafGrafel extension. For example, a file initially named 1.jpg would appear as 1.jpg.id[G7RF34WQE-5687].[GrafGrafel@tutanota.com].GrafGrafel following encryption. The specific encryption algorithm used by GrafGrafel ransomware is yet unknown. However, ransomware typically uses strong encryption algorithms that can only be unlocked by a decryptor code known only to the attacker. After the encryption process is completed, GrafGrafel ransomware creates ransom notes in a pop-up (info.hta) and text files (info.txt). These notes are dropped in encrypted directories and on the desktop.