
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove FOG Ransomware and decrypt .FOG or .FLOCKED files

FOG Ransomware is a strain of file-encrypting malware first detected in early May 2024, which has primarily targeted the education and recreation sectors in the United States. It encrypts files on infected devices, rendering them inaccessible until a ransom is paid, and appends either the .FOG or the .FLOCKED extension to each filename. For example, document.docx becomes document.docx.FOG or document.docx.FLOCKED. Encryption is multi-threaded: the ransomware queries the number of logical processors to decide how many worker threads to allocate, using Windows API calls and the NT API to gather system information. A JSON-based configuration block controls its pre- and post-encryption activities, including the use of an embedded public key for encryption. After encrypting files, FOG drops a ransom note named readme.txt in the affected directories. The note tells victims how to contact the attackers and negotiate payment, and typically includes a link to a Tor site where victims can communicate with the attackers and view a list of stolen files.

How to remove CAMBIARE ROTTA Ransomware and decrypt encrypted files

CAMBIARE ROTTA Ransomware is cryptographic malware that encrypts files on a victim's computer, rendering them inaccessible. Unlike typical ransomware, it is ideologically rather than financially motivated: it specifically targets Italian users as punishment for Italy's geopolitical stance, in particular its alliance with Israel. It belongs to the Chaos Ransomware family. Once it infects a computer, it encrypts files using AES (Advanced Encryption Standard) for the file contents and RSA (Rivest-Shamir-Adleman) to encrypt the AES key, and appends a random four-character extension to each encrypted file; for example, document.pdf might become document.pdf.kg4v. It then changes the desktop wallpaper and generates a ransom note titled Leggimi.txt (Italian for "ReadMe.txt"). The note carries a political message rather than payment instructions: it states that Italy must be punished for its alliance with Israel and tells victims there is no option for data recovery. Because no ransom is demanded and no decryption is offered, the primary motive is political, and affected files should be treated as recoverable only from backups.

How to remove Waltuhium Stealer

Waltuhium Stealer is malware designed to steal sensitive information from infected computers. It belongs to the information-stealer category, which is increasingly prevalent in the cybercriminal landscape, and targets a wide range of data, including passwords, cryptocurrency wallets, and other confidential information. Its capabilities make it a potent threat: it can extract passwords stored in web browsers and other applications, target various cryptocurrency wallets, log keystrokes to capture login credentials, take screenshots of the victim's desktop, and extract Wi-Fi profiles and passwords. It can also inject itself into Discord to steal tokens, passwords, and email addresses. Its presence on a device can lead to severe privacy issues, significant financial losses, and identity theft. Waltuhium is designed to operate stealthily and is difficult to detect, but possible indicators of infection include unusual system behavior or performance issues, unexpected pop-ups or redirects in web browsers, unauthorized access to online accounts, and unexplained transactions or changes in cryptocurrency wallets. Removing it requires a combination of manual and automated methods. The first step is to disconnect the infected computer from the internet immediately to prevent further data exfiltration. Any credentials, session tokens, or wallet data that were on the machine should be assumed compromised and changed from a clean device once the infection is confirmed.

How to remove Watz Ransomware and decrypt .watz files

Watz Ransomware is a variant of the STOP/DJVU ransomware family, a notorious group of file-encrypting malware. It encrypts files on the victim's computer, rendering them inaccessible, and demands a ransom payment in exchange for a decryption key; like other ransomware, its goal is to extort money by holding data hostage. Once it infects a system, it encrypts files and appends the .watz extension to their names. For example, document.docx becomes document.docx.watz. File contents are encrypted with a symmetric cipher and the per-victim key is in turn encrypted with the attackers' RSA public key, so decryption without the attackers' private key is not feasible. The one known exception in this family is the offline-key case: if the malware could not reach its command-and-control server during infection, it falls back to a built-in key shared across victims, and files encrypted with such an offline key can sometimes be recovered with a free decryptor once that key becomes known. After encryption, Watz creates a ransom note named _readme.txt in each folder containing encrypted files. The note includes instructions on how to pay the ransom, the amount demanded (usually in cryptocurrency), and contact information for the attackers, and may offer a "discount" if the ransom is paid within a specified timeframe.

How to remove Waqa Ransomware and decrypt .waqa files

Waqa Ransomware belongs to the STOP/DJVU ransomware family. It encrypts files on the victim's computer, rendering them inaccessible until a ransom is paid, and is notorious for locking down personal photos, documents, and other important files. After encrypting a file, Waqa appends the .waqa extension to its name; for example, document.docx becomes document.docx.waqa. Files are encrypted with a symmetric cipher and the key is encrypted with RSA, so decryption without the attackers' private key is extremely difficult. On completing encryption, Waqa generates a ransom note, typically named _readme.txt, in every folder containing encrypted files. The note informs the victim that their files have been encrypted and explains how to pay the ransom to obtain the decryption key; it usually includes contact information for the attackers and a demand for payment in cryptocurrency such as Bitcoin. The _readme.txt note name is shared with sibling variants of the family such as Watz, so it is the extension, not the note, that identifies the variant.

How to remove Anyv Ransomware and decrypt .anyv files

Anyv Ransomware is malware that encrypts a victim's data and demands a ransom for its decryption. Like other ransomware, it renders files inaccessible and then coerces the victim to pay for the decryption key; its goal is to extort money by holding data hostage. After encrypting a file, Anyv inserts a random string and appends the .Anyv extension, so the new name has the form original_filename.{random_string}.Anyv. The specific encryption algorithm used by Anyv is not detailed in the available sources; ransomware of this kind typically combines a symmetric cipher (e.g. AES) for file contents with asymmetric encryption (e.g. RSA) for the key, so that decryption is only possible with the private key held by the attackers. On completing encryption, Anyv generates a ransom note named README.TXT that informs the victim their files have been encrypted and explains how to pay for the decryption tool.

How to remove SRC Ransomware and decrypt .SRC files

SRC Ransomware is a variant belonging to the Makop family of ransomware. It infiltrates computer systems, encrypts files, and demands a ransom for their decryption. On encrypting a file, SRC appends the victim's ID, a contact email address (RestoreBackup@cock.li), and the .SRC extension to the filename. For example, 1.jpg becomes 1.jpg.[6BH2N0X3].[RestoreBackup@cock.li].SRC. The renaming scheme both marks the file as encrypted and gives the victim a means of contacting the attackers. The encryption method used by SRC is not explicitly detailed in the available sources; Makop-family ransomware commonly employs AES (Advanced Encryption Standard) and RSA (Rivest-Shamir-Adleman). SRC drops a ransom note named +README-WARNING+.txt on the victim's desktop. The note states that the files have been encrypted, outlines the steps required to pay for decryption, and provides an email address and a TOX ID for negotiating payment. It also warns against using third-party decryption tools or altering encrypted files, claiming these actions may lead to permanent data loss.
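The renaming schemes and ransom-note names quoted across the FOG, CAMBIARE ROTTA, Watz, Waqa, Anyv and SRC write-ups above can be turned into a quick triage check. The script below is an added example written for this page, not a tool from BugsFighter or from any of these malware families: it classifies a constructed file listing by those indicators, pulls the victim ID and contact address out of the Makop-style name, and shows that a random-extension family such as CAMBIARE ROTTA can only be recognised from its note. The family labels, field names and the sample listing are this example's own assumptions.

```python
"""Triage a file listing for the ransomware renaming schemes and ransom-note
names described on this page.  Example code, not tooling from any family."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Family:
    name: str
    # Regex over the bare filename. None for a family that appends a random
    # extension (the Chaos-based CAMBIARE ROTTA), which cannot be matched by suffix.
    ext_pattern: Optional[re.Pattern]
    note_names: frozenset  # exact ransom-note filenames dropped by the family


# Indicator table: only the extensions and note names quoted in the articles.
FAMILIES = (
    Family("FOG",
           re.compile(r"^(?P<orig>.+)\.(?P<ext>FOG|FLOCKED)$", re.IGNORECASE),
           frozenset({"readme.txt"})),
    Family("STOP/DJVU",
           re.compile(r"^(?P<orig>.+)\.(?P<ext>watz|waqa)$", re.IGNORECASE),
           frozenset({"_readme.txt"})),
    Family("Anyv",
           re.compile(r"^(?P<orig>.+)\.(?P<rand>[^.]+)\.(?P<ext>Anyv)$", re.IGNORECASE),
           frozenset({"README.TXT"})),
    Family("Makop (SRC)",
           re.compile(r"^(?P<orig>.+)\.\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]\.(?P<ext>SRC)$",
                      re.IGNORECASE),
           frozenset({"+README-WARNING+.txt"})),
    Family("Chaos (CAMBIARE ROTTA)", None, frozenset({"Leggimi.txt"})),
)


def classify_file(filename):
    """Return (family name, captured fields) if the name matches a known renaming scheme."""
    for fam in FAMILIES:
        if fam.ext_pattern is not None:
            m = fam.ext_pattern.match(filename)
            if m:
                return fam.name, m.groupdict()
    return None


def note_family(filename):
    """Return the family whose ransom-note name matches exactly, else None."""
    for fam in FAMILIES:
        if filename in fam.note_names:
            return fam.name
    return None


def _new_entry():
    return {"files": 0, "notes": 0, "extensions": set(), "victim_ids": set(), "contacts": set()}


def triage(paths):
    """Aggregate per-family evidence: encrypted files, notes, victim IDs and contact addresses."""
    report = {}
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        hit = classify_file(name)
        if hit:
            fam, fields = hit
            entry = report.setdefault(fam, _new_entry())
            entry["files"] += 1
            entry["extensions"].add(fields["ext"].lower())
            if fields.get("victim_id"):
                entry["victim_ids"].add(fields["victim_id"])
            if fields.get("email"):
                entry["contacts"].add(fields["email"])
            continue
        fam = note_family(name)
        if fam:
            report.setdefault(fam, _new_entry())["notes"] += 1
    return report


def verdicts(report):
    """Rate the evidence: renamed files are the strong signal, a note on its own is weak."""
    out = {}
    for fam, e in report.items():
        if e["files"] and e["notes"]:
            out[fam] = "files and note"
        elif e["files"]:
            out[fam] = "files only"
        else:
            out[fam] = "note only (random extension, or a stray note)"
    return out


SAMPLE_LISTING = [  # constructed listing for this example, mixing several families
    r"C:\Users\alice\Documents\budget.xlsx.FOG",
    r"C:\Users\alice\Documents\notes.docx.FLOCKED",
    r"C:\Users\alice\Documents\readme.txt",
    r"C:\Users\bob\Pictures\1.jpg.[6BH2N0X3].[RestoreBackup@cock.li].SRC",
    r"C:\Users\bob\Desktop\+README-WARNING+.txt",
    r"D:\share\report.pdf.watz",
    r"D:\share\_readme.txt",
    r"D:\share\invoice.pdf.kg4v",  # Chaos-style random extension: not matchable by suffix
    r"D:\share\Leggimi.txt",
    r"E:\backup\photo.png.x7Qe.Anyv",
    r"E:\backup\README.TXT",
    r"C:\Windows\System32\kernel32.dll",  # benign
]

if __name__ == "__main__":
    rep = triage(SAMPLE_LISTING)
    for fam, verdict in verdicts(rep).items():
        print(f"{fam}: {verdict}; {rep[fam]}")
```

Run it over a real listing (for instance the output of a recursive directory walk) rather than the built-in sample. Treat a "note only" verdict as a prompt to inspect extensions by hand, and remember that a family not in the table produces no hit at all: absence of a match is not evidence of a clean system.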

How to remove Braodo Stealer

Braodo Stealer is malware classified as an information stealer. Its primary function is to infiltrate computer systems and extract sensitive data for malicious purposes, and it is particularly dangerous because it can remain on the victim's computer without visible symptoms, silently harvesting information. Braodo is categorized under several threat types, including Trojans, password-stealing viruses, banking malware, and spyware, and is recognized by several antivirus programs under different detection names. Combating it requires a multi-faceted approach. Scanning with reputable antivirus software to remove the malware is the critical first step. After removal, all passwords should be changed, from a clean device, to prevent unauthorized access to accounts, since anything stored or typed on the infected machine may already have been exfiltrated. Keeping software and operating systems updated with the latest patches closes vulnerabilities that malware could exploit. Educating users on the risks of opening unknown email attachments, downloading software from unofficial sources, and clicking suspicious links helps prevent future infections, and regular backups of important data ensure it can be restored after an attack.