How to stop “New Project Site” e-mail spam
New Project Site email spam is a deceptive phishing campaign that masquerades as a legitimate purchase order request, aiming to trick recipients into revealing their email login credentials. Typically, these emails solicit responses for supplies related to a fictitious project, urging recipients to click on a link that leads to a fraudulent website. Upon clicking, victims are directed to a page designed to look like a cloud storage portal, which prompts them to input their email credentials to access a nonexistent document. Spam campaigns like this often infect computers by distributing malicious files as attachments or links, which can contain various types of malware. When users inadvertently open these attachments or click on these links, the malware is downloaded and installed, potentially compromising sensitive data and system integrity. Cybercriminals may use social engineering tactics to create a sense of urgency, making users more likely to fall for the scam. Consequently, such infections can lead to unauthorized access to personal accounts, identity theft, and financial losses, highlighting the importance of vigilance when handling unsolicited emails.
How to remove RDanger Ransomware and decrypt your files
Discovered during a review of new file submissions to the VirusTotal website, RDanger Ransomware is a type of malware that encrypts files on an infected system and demands a ransom for decryption. Upon infection, it appends a unique identifier to the filenames of encrypted files, such as 1.jpg.277-9OL-741, making it evident that the file is compromised. The encryption process concludes with the creation of a ransom note named ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT, which usually appears on the desktop or in various folders containing the encrypted files. The message within the note informs victims that their files have been encrypted and instructs them to pay a ransom in cryptocurrency for a decryption tool that purportedly restores their files. However, this note does not include specific payment details or instructions, suggesting it might still be in development.
How to remove Hazard (Medusalocker) Ransomware and decrypt .hazard18 files
Hazard Ransomware is a harmful variant belonging to the MedusaLocker family of ransomware. This malware encrypts files on infected systems, adding unique file extensions to them. Specifically, it appends extensions such as .hazard18 to the filenames, indicating that the affected files have been encrypted. For instance, an original file named document.docx becomes document.docx.hazard18, signaling the encryption process has taken place. The ransomware employs RSA and AES encryption algorithms, which secure files by rendering them inaccessible without a specific decryption key known only to the attackers. Once the encryption occurs, the ransomware leaves a ransom note titled HOW_TO_BACK_FILES.html. This note typically appears in every folder containing encrypted files, informing the victim of the actions taken and providing instructions to contact the attackers for decryption details.
How to remove WhiteHorse Ransomware and decrypt .WhiteHorse files
WhiteHorse Ransomware is malicious software designed to encrypt files on an infected system and extort money from victims in exchange for decryption. Once this ransomware infiltrates a computer, it modifies the filenames by appending the .WhiteHorse extension. For instance, if you have a file named document.jpg, it will be renamed to document.jpg.WhiteHorse, rendering it inaccessible without the decryption key. The ransomware utilizes strong encryption algorithms, making it nearly impossible to decrypt the files without a unique decryption key, which is held by the cybercriminals behind the ransomware. After encrypting the files, WhiteHorse Ransomware creates a ransom note named #Decrypt#.txt within each folder containing the encrypted files.
How to remove H0rus Ransomware and decrypt .h0rus13 files
H0rus Ransomware is malicious software designed to extort money from its victims by encrypting their files and demanding a ransom for the decryption key. Once it infects a system, it scans the victim's computer for specific file types and then encrypts them, making them inaccessible without the unique decryption key possessed by the attackers. The ransomware appends a unique file extension, typically .h0rus13, to the encrypted files, signaling that the victim's data has been taken hostage. This makes it immediately evident to the user that their files have been compromised. The encryption algorithm employed by H0rus Ransomware is often highly sophisticated, using strong cryptographic methods such as AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman) encryption, ensuring that decrypting the files without the private key is practically impossible. In addition to encrypting files, H0rus Ransomware leaves a ransom note, usually named #Recovery.txt, in each folder that contains the encrypted files.
How to remove Key Group Ransomware and decrypt .keygroup777 files
Key Group Ransomware is malicious software identified while inspecting new submissions to VirusTotal and belongs to the Xorist ransomware family. After infiltrating a system, Key Group Ransomware encrypts victim files and appends specific extensions such as .keygroup, .keygroup777, or .keygroup777tg, depending on the variant. For instance, a file initially named document.docx would be renamed to document.docx.keygroup777 if compromised by this ransomware. The encryption algorithm used, typically found in Xorist ransomware, is a strong cryptographic method intended to prevent unauthorized access without a decryption key. Once the encryption is complete, the ransomware displays a pop-up window and leaves a text file named HOW TO DECRYPT FILES.txt on the infected system. Both the pop-up and the text file instruct victims to contact the attackers for file decryption, stating that incorrect entry of the decryption code could result in permanent data loss.
How to remove Itlock (MedusaLocker) Ransomware and decrypt .itlock20 files
Itlock Ransomware is part of the MedusaLocker family, a notorious group of ransomware variants known for disrupting personal and organizational workflows by encrypting essential files. This ransomware appends the extension .itlock20 to the filenames of affected files, rendering them inaccessible without a specific decryption key. The number in the extension can vary, but it consistently follows the "itlock" format. The encryption method employed by Itlock ransomware involves a combination of RSA and AES encryption, which ensures that files are securely locked, and only the attackers possess the decryption keys required to restore the files. Once the encryption process is complete, Itlock ransomware generates a ransom note named How_to_back_files.html, which appears on the infected device. This HTML file states that the user's files are encrypted and safe but modified, emphasizing that only the attackers can resolve the issue. The note warns against using third-party software to restore the files, as this could result in permanent corruption.
How to remove CYBORG Ransomware and decrypt .petra files
CYBORG Ransomware is a type of malicious software identified by the malware researcher GrujaRS. This ransomware is designed to encrypt user data and demand a ransom for decryption tools or software. During its encryption process, CYBORG renames files by appending the .petra extension, among others like .lazareus and .Cyborg1. For instance, an original file named 1.jpg would be renamed to 1.jpg.petra after encryption. Once the process is completed, CYBORG stores a text file named Cyborg_DECRYPT.txt on the desktop and even changes the wallpaper to inform users that their data has been encrypted. The ransom note generally demands a payment of $300 in Bitcoin, providing an email address for further contact. As is the norm with ransomware, meeting these ransom demands is strongly discouraged since there is no guarantee that the perpetrators will provide the necessary decryption tools.