
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Yzqe Ransomware and decrypt .yzqe files

Yzqe Ransomware is a file-encrypting infection that restricts access to documents, images, videos and other data by encrypting them and appending the .yzqe extension to each filename. It is a variant of the STOP/Djvu ransomware family. Once the files are encrypted they can no longer be opened, and the ransomware drops a ransom note named _readme.txt on the desktop. The note instructs the victim to visit a payment site and pay in Bitcoin for a decryption key that can allegedly restore the files. Yzqe uses the Salsa20 stream cipher; its key space is far too large to brute-force, so the encryption itself cannot be "hacked" and recovery depends on obtaining the key or on backups that were never encrypted. Note that the ransomware does not encrypt in place: it copies each file, deletes the original, encrypts the copy and leaves the encrypted copy where the original was. The deleted originals are therefore a recovery avenue worth trying with an undelete tool, provided the disk is not written to further in the meantime.

How to remove Yzoo Ransomware and decrypt .yzoo files

Yzoo Ransomware is file-encrypting malware that belongs to the STOP/Djvu ransomware family. It restricts access to data by encrypting files and appending the .yzoo extension, then demands a ransom in Bitcoin for the decryption key needed to restore them. Yzoo targets documents, images, videos and other user data and encrypts them with the Salsa20 stream cipher, after which they cannot be opened. Once encryption is finished, it drops a ransom note named _readme.txt on the desktop and in every folder that contains encrypted files. The note explains how to contact the attackers and pay the ransom, which is quoted at between $490 and $980 in Bitcoin, the lower figure being a time-limited discount. The attackers use the email addresses support@freshmail.top and datarestorehelp@airmail.cc for communication.

How to remove Yzaq Ransomware and decrypt .yzaq files

Yzaq Ransomware is malicious software designed to extort money by encrypting the files on a victim's computer. It is a member of the STOP/Djvu ransomware family and uses the Salsa20 stream cipher; the key space is so large that brute-forcing the key is not a realistic option. The ransomware encrypts only the first 150 KB of each file and leaves the remainder untouched, so files shorter than that are encrypted in full, while larger files such as videos or music retain most of their original bytes and may be partially playable or salvageable even without the key. Yzaq appends the .yzaq extension to every encrypted file and creates a ransom note named _readme.txt in the affected folders. The note informs the victim that their files have been encrypted and demands a ransom, quoted at between $490 and $980, payable in Bitcoin.

How to remove BlackHatUP Ransomware and decrypt .BlackHatUP files

BlackHatUP is a ransomware variant based on the Chaos ransomware. It encrypts data, appends the .BlackHatUP extension to filenames, drops a ransom note named read_it.txt and changes the desktop wallpaper. For instance, 1.jpg becomes 1.jpg.BlackHatUP, 2.png becomes 2.png.BlackHatUP, and so on. BlackHatUP encrypts files with AES and then encrypts the AES key with an RSA public key embedded in its configuration, so the file keys cannot be recovered from the sample itself. The ransom note tells the victim that running an unauthorized .exe file has led to the permanent loss of their files, then offers recovery in exchange for 500 Indian Rupees (INR) and directs the victim to contact "BlackHatUP" on Telegram. The usual precautions apply: keep software patched, run a reputable security product, treat unexpected email attachments and executables with suspicion, and keep regular offline backups of important data.

How to remove CATAKA Ransomware and decrypt encrypted files

CATAKA is ransomware: malicious software that encrypts the files on a victim's computer and demands a ransom for their decryption. It was discovered while examining samples uploaded to VirusTotal. Once a computer is infected, CATAKA encrypts files and appends an extension of five random characters to each filename, so every encrypted file carries a different extension; for example, 1.jpg becomes 1.jpg.jslB3 and 2.png becomes 2.png.f7J9a. Because the extension is random, encrypted files have to be identified by the note and the changed content rather than by a fixed suffix. CATAKA uses a strong cipher, so the files cannot be accessed without the decryption key held by the attacker. After encryption it changes the desktop wallpaper and drops a ransom note named Readme.txt, in which the attacker apologizes for encrypting the files and assures the victim that they can be recovered by purchasing the decryption key for $1500 in Bitcoin.

How to remove Ppvt Ransomware and decrypt .ppvt files

Ppvt Ransomware is a file-encrypting infection that restricts access to data by encrypting files and appending the .ppvt extension. It is a variant of the STOP/Djvu ransomware family. Upon infection, it scans the computer for images, videos, documents and other valuable file types such as .doc, .docx, .xls and .pdf, encrypts them with the Salsa20 stream cipher and renames them with the .ppvt suffix, after which they cannot be opened; the size of Salsa20's key space rules out brute-force recovery. Once encryption is complete, Ppvt drops a ransom note named _readme.txt on the desktop with instructions for contacting the operators and paying in Bitcoin for the decryption key.

How to remove Ppvw Ransomware and decrypt .ppvw files

Ppvw Ransomware is a file-encrypting infection that restricts access to documents, images, videos and other data by encrypting them and appending the .ppvw extension. It is a variant of the STOP/Djvu ransomware family and extorts a "ransom", typically in Bitcoin, in exchange for restoring access. When Ppvw infects a computer, it scans for images, videos and productivity documents such as .doc, .docx, .xls and .pdf files and encrypts each one it finds. It then drops a ransom note named _readme.txt on the desktop, which tells the victim how to contact the operators, typically via the email addresses support@freshmail.top and datarestorehelp@airmail.cc.
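The Yzqe, Yzoo, Yzaq, Ppvt and Ppvw entries above all describe the same STOP/Djvu behaviour: a fixed extension per variant, a _readme.txt note carrying the operators' email addresses, and encryption of only the first 150 KB of each file. The script below is an added example written for this page, not code from BugsFighter or from the malware. Run from a clean system against a copy of the affected tree, it inventories the ransom notes and encrypted files, pulls the contact addresses out of the notes, and reports for each encrypted file how many bytes lie past the 150 KB prefix and therefore survived untouched. The extension list and the sample tree it builds are assumptions for the demonstration, and the entropy figures are only a sanity check: a file whose remainder is itself compressed (a zip or an MP4) looks random throughout, so the decisive signal is the size past the prefix, not the entropy of the tail.

```python
"""Offline triage of a STOP/Djvu-style infection (added example, not BugsFighter's code).

Assumptions, not taken from the page: the affected tree is examined from a
clean system, and "looks like ciphertext" is judged by byte entropy, a
heuristic that misfires on files whose tail is already compressed.
"""
import math
import os
import random
import re
import tempfile
from collections import Counter

STOP_DJVU_EXTENSIONS = {".yzqe", ".yzoo", ".yzaq", ".ppvt", ".ppvw"}  # variants on this page
RANSOM_NOTE = "_readme.txt"
ENCRYPTED_PREFIX = 150 * 1024   # STOP/Djvu encrypts only the first 150 KB of each file
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for text or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: str) -> dict:
    """Report whether the 150 KB head looks encrypted and how much untouched tail remains."""
    size = os.path.getsize(path)
    with open(path, "rb") as fh:
        head = fh.read(ENCRYPTED_PREFIX)
        tail_sample = fh.read(ENCRYPTED_PREFIX)   # a sample of the remainder, not all of it
    tail_bytes = max(size - ENCRYPTED_PREFIX, 0)
    return {
        "path": path,
        "size": size,
        "head_entropy": round(shannon_entropy(head), 2),
        "tail_bytes": tail_bytes,                   # > 0 means original data survives
        "tail_entropy": round(shannon_entropy(tail_sample), 2) if tail_sample else None,
        # A file shorter than 150 KB is encrypted in full; only a non-empty tail
        # can be carved or partially played without the key.
        "tail_recoverable": tail_bytes > 0,
    }


def note_contacts(path: str) -> set:
    """Extract the attacker email addresses from a _readme.txt ransom note."""
    with open(path, "r", errors="replace") as fh:
        return set(EMAIL_RE.findall(fh.read()))


def triage(root: str) -> dict:
    """Walk a directory tree and inventory notes, encrypted files and contacts."""
    notes, encrypted = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(full)
            elif os.path.splitext(name)[1].lower() in STOP_DJVU_EXTENSIONS:
                encrypted.append(classify_file(full))
    contacts = set().union(*[note_contacts(n) for n in notes])
    return {"notes": notes, "encrypted": encrypted, "contacts": sorted(contacts),
            "partially_encrypted": sum(1 for e in encrypted if e["tail_recoverable"])}


def build_sample_tree() -> str:
    """Create a constructed (not captured) infected tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="djvu-triage-")
    rng = random.Random(20231101)
    # 200 KB "video": 150 KB of random bytes standing in for the cipher output, then plaintext
    with open(os.path.join(root, "holiday.mp4.yzqe"), "wb") as fh:
        fh.write(rng.randbytes(ENCRYPTED_PREFIX) + b"\x00" * (50 * 1024))
    # 10 KB "spreadsheet": shorter than the prefix, so the whole file is ciphertext
    with open(os.path.join(root, "budget.xlsx.ppvw"), "wb") as fh:
        fh.write(rng.randbytes(10 * 1024))
    with open(os.path.join(root, RANSOM_NOTE), "w") as fh:   # constructed note text
        fh.write("ATTENTION!\nPrice of private key and decrypt software is $980.\n"
                 "Discount 50% available if you contact us first 72 hours, price is $490.\n"
                 "support@freshmail.top\nReserve e-mail address: datarestorehelp@airmail.cc\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(triage(build_sample_tree()), indent=2))
```

On a real case, point triage() at a mounted image of the victim's volume rather than the live machine, and treat files with tail_bytes greater than zero as candidates for header repair or carving; files below 150 KB are wholly ciphertext and can only be recovered from backups, deleted originals or the key.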

How to remove GoPIX malware

GoPIX is malware built to hijack payments made through Pix, the instant payment system created and operated by the Central Bank of Brazil (BCB). It is a clipboard stealer (clipper): when a victim copies a Pix payment string, the code that identifies a payment request in Pix's copy-and-paste flow, GoPIX replaces it in the clipboard with an attacker-controlled one fetched from its command-and-control (C2) server, so the money goes to the attacker's account when the victim pastes it into their banking app. It also acts as a conventional cryptocurrency clipper, swapping Bitcoin and Ethereum wallet addresses found in the clipboard, but those addresses are hardcoded in the sample rather than retrieved from the C2. GoPIX has been in circulation since at least December 2022, and because Pix users are overwhelmingly Brazilian, its activity is largely confined to Brazil. The malware can also receive C2 commands, but these only concern removing itself from the machine.
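To make the clipper mechanism concrete, the following added example (written for this page; it is neither GoPIX's code nor BugsFighter's) models the substitution on constructed data and shows the check a banking client or endpoint agent could apply before a pasted payment string is accepted. It assumes the EMV-style TLV layout of Pix copy-and-paste strings (two-digit id, two-digit length, value; the Pix key in sub-field 01 of field 26 under the GUI br.gov.bcb.pix; a CRC-16/CCITT-FALSE in field 63), and every key, merchant name and wallet address in it is an invented placeholder. The modelled clipper swaps the recipient key and recomputes the CRC, since a code with a stale CRC would be rejected by the bank app before it did any harm; the guard compares what was copied with what is about to be pasted and flags any change of recipient, a broken CRC, and any swap of a Bitcoin or Ethereum address.

```python
"""Pix copy-and-paste clipper detection (added example, not GoPIX's or BugsFighter's code).

Assumed format (EMV merchant-presented code as used by Pix "copia e cola"):
a flat sequence of ID(2) LEN(2) VALUE fields; field 26 carries the Pix
account info with GUI "br.gov.bcb.pix" in sub-field 00 and the Pix key in
sub-field 01; field 63 is a CRC-16/CCITT-FALSE over everything up to "6304".
All keys, names and wallet addresses below are invented placeholders.
"""
import re
from typing import Optional

PIX_GUI = "br.gov.bcb.pix"
WALLET_RES = {  # loose shapes of the address types GoPIX is reported to swap
    "bitcoin": re.compile(r"^(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,59})$"),
    "ethereum": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection, no final xor."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def tlv(fid: str, value: str) -> str:
    """Serialise one ID(2) LEN(2) VALUE field."""
    return f"{fid}{len(value):02d}{value}"


def parse_tlv(payload: str) -> dict:
    """Split an 'IDLLvalue...' string into an ordered {id: value} mapping."""
    fields, pos = {}, 0
    while pos < len(payload):
        if pos + 4 > len(payload) or not payload[pos + 2:pos + 4].isdigit():
            raise ValueError(f"malformed field header at offset {pos}")
        fid, length = payload[pos:pos + 2], int(payload[pos + 2:pos + 4])
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError(f"field {fid} truncated")
        fields[fid] = value
        pos += 4 + length
    return fields


def assemble(fields: dict) -> str:
    """Re-serialise the fields (dropping any old CRC) and append a fresh CRC field."""
    body = "".join(tlv(k, v) for k, v in fields.items() if k != "63") + "6304"
    return body + f"{crc16_ccitt(body.encode()):04X}"


def build_pix_code(key: str, name: str, city: str, amount: str, txid: str = "***") -> str:
    """Constructed sample of a Pix copy-and-paste string for the given recipient."""
    return assemble({
        "00": "01",
        "26": tlv("00", PIX_GUI) + tlv("01", key),
        "52": "0000", "53": "986", "54": amount, "58": "BR",
        "59": name, "60": city, "62": tlv("05", txid),
    })


def pix_recipient(code: str) -> dict:
    """Verify the CRC and return who gets paid; raise ValueError on anything suspicious."""
    if len(code) < 8 or code[-8:-4] != "6304":
        raise ValueError("no CRC field")
    if f"{crc16_ccitt(code[:-4].encode()):04X}" != code[-4:].upper():
        raise ValueError("CRC mismatch")
    fields = parse_tlv(code)
    merchant = parse_tlv(fields.get("26", ""))
    if merchant.get("00", "").lower() != PIX_GUI or "01" not in merchant:
        raise ValueError("not a Pix account field")
    return {"key": merchant["01"], "name": fields.get("59"), "amount": fields.get("54")}


def clipper_rewrite(code: str, attacker_key: str) -> str:
    """Model of the clipper: swap the key and fix the CRC so the bank app accepts the code."""
    fields = parse_tlv(code)
    merchant = parse_tlv(fields["26"])
    merchant["01"] = attacker_key
    fields["26"] = "".join(tlv(k, v) for k, v in merchant.items())
    return assemble(fields)


def clipboard_substituted(copied: str, pasted: str) -> Optional[str]:
    """Compare the text the user copied with the text about to be pasted.
    Returns a reason when a payment destination was altered, None when clean."""
    if copied == pasted:
        return None
    for coin, pattern in WALLET_RES.items():
        if pattern.match(copied.strip()):
            return f"{coin} address replaced: {copied} -> {pasted}"
    try:
        before = pix_recipient(copied)
    except ValueError:
        return None   # the user did not copy a Pix code; nothing to protect here
    try:
        after = pix_recipient(pasted)
    except ValueError as exc:
        return f"Pix code replaced by an invalid one ({exc})"
    if before["key"] != after["key"]:
        return f"Pix key replaced: {before['key']} -> {after['key']}"
    return "Pix code altered without changing the key"
```

The comparison only works if the guard sees the text at copy time (for example from the page or app where the code was generated) and again at paste time; a check that looks at the clipboard alone cannot tell a rewritten code from a legitimate one, because the clipper produces a syntactically valid code with a correct CRC.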