How to remove Wsaz Ransomware and decrypt .wsaz files
Wsaz Ransomware is a widespread cipher virus that encrypts files on a victim's computer, making them inaccessible, and then demands a ransom in exchange for the decryption key. It is part of the Djvu ransomware family and is distributed through spam emails, fake software cracks, or by exploiting vulnerabilities in the operating system and installed programs. Once it infects a system, Wsaz alters the filenames of encrypted files by appending the .wsaz extension. For instance, a file named 1.jpg is renamed as 1.jpg.wsaz, 2.png becomes 2.png.wsaz, and so on. Wsaz Ransomware uses the Salsa20 encryption algorithm to scramble the contents of the targeted files. The strong ciphering method employed by the Wsaz virus makes it quite challenging, if not impossible, to find the decryption key without cooperating with the attackers. Wsaz Ransomware generates a ransom note in a file named _readme.txt that is typically dropped in each affected folder.
How to remove Kitu Ransomware and decrypt .kitu files
Kitu Ransomware is an extremely dangerous encryption virus that encrypts files on a victim's computer, making them inaccessible until a ransom is paid. The ransomware is part of the Djvu ransomware family, which is associated with information stealers like RedLine and Vidar. Kitu Ransomware utilizes file encryption to restrict access to files and appends the .kitu extension to filenames. It uses a strong AES-256 encryption algorithm to encrypt the files of an infected computer system. The ransomware creates a ransom note called _readme.txt to communicate with the victim. The note emphasizes that victims have a limited window of 72 hours to contact the attackers if they wish to receive decryption tools (software and key) at a discounted rate. As an additional enticement, the note mentions that the attackers will decrypt one file for free as proof that they can decrypt the rest.
How to remove Akira Ransomware and decrypt .akira files
Akira Ransomware is a type of malware that encrypts data and modifies the filenames of all affected files by appending the .akira extension. It is a new family of ransomware that was first used in cybercrime attacks in March 2023. For example, it renames 1.jpg to 1.jpg.akira, 2.png to 2.png.akira, and so forth. Akira Ransomware spreads within a corporate network and targets multiple devices once it gains access. Akira Ransomware uses sophisticated encryption algorithms to encrypt the victim's files. It utilizes symmetric encryption with CryptGenRandom() and Chacha 2008 for file encryption. Akira Ransomware creates a ransom note named akira_readme.txt.
How to remove Black Hunt 2.0 Ransomware and decrypt .Hunt2 files
Black Hunt 2.0 Ransomware is the successor of the notorious Black Hunt Ransomware, a type of malware that encrypts data and demands a ransom for its decryption. It belongs to the Kronos ransomware family. It appends the .Hunt2 extension to encrypted files and creates a ransom note named #BlackHunt_ReadMe.txt in each directory containing encrypted files. It also displays a message before Windows startup, modifies the desktop wallpaper and shows a pop-up (#BlackHunt_ReadMe.hta). The ransom note warns against renaming the encrypted files, using third-party decryption tools, and seeking aid from middleman services. The file renaming template also contains the malefactors' e-mail, so the file sample.jpg will turn into sample.jpg.[random-16-digit-alphanumerical-sequence].[dectokyo@onionmail.org].Hunt2. To remove Black Hunt 2.0 Ransomware, isolate the infected device from the network and identify the specific malware. Use reputable anti-virus software to run regular system scans and remove detected threats/issues. You can also use a powerful antimalware scanner, for example Spyhunter 5, to check if the Black Hunt 2.0 virus can be removed.
How to remove Kizu Ransomware and decrypt .kizu files
Kizu Ransomware, also known as the .kizu file virus, is a type of malware that encrypts files on a victim’s computer and demands payment in exchange for the decryption key. It is the latest variant of STOP/Djvu Ransomware and is capable of hitting any version of Windows. Once the malware infects a system, it drops a ransom note named _readme.txt in each directory containing encrypted files. This ransom note serves to notify victims that their files have been encrypted and outlines the conditions for obtaining the decryption key. The attackers behind Kizu demand a ransom payment from the victims in exchange for restoring access to the locked files. Kizu Ransomware encrypts the victim's files with Salsa20 encryption and appends the .kizu extension to the filenames of all affected files. It targets various types of files, such as videos, photos, documents, and more.
How to remove Cactus Ransomware and decrypt .CTS1 files
Cactus Ransomware is a type of malware that encrypts all the data on your computer, including images, documents, Excel tables, music, videos, and more. It adds its own .CTS1 extension to every file, leaving a ransom note called cAcTuS.readme.txt in each folder with the encrypted files. For instance, an image named photo.jpg will be renamed to photo.jpg.CTS1. Cactus encrypts files twice and adds a new extension after each process (.CTS1.CTS7) when run in both quick and normal modes. Cactus Ransomware exploits known vulnerabilities in VPN appliances to gain initial access to targeted networks. Once inside the network, Cactus actors attempt to enumerate local and network user accounts in addition to reachable endpoints before creating new user accounts and leveraging custom scripts to automate the deployment and detonation of the ransomware encryptor via scheduled tasks. During encryption, Cactus employs OpenSSL’s envelope implementation to encrypt victims’ files with AES and RSA, appending the extension cts\d to the files.
How to remove Kiqu Ransomware and decrypt .kiqu files
Kiqu Ransomware is a type of malware that encrypts files and demands a ransom in exchange for their decryption. It belongs to the STOP/DJVU ransomware family and uses the Salsa20 encryption algorithm. The virus is usually distributed through dubious programs, such as "free" versions of popular apps, cheat engines, Windows activators, and keygens. Kiqu ransomware adds the .kiqu extension to each encrypted copy of a file. Kiqu Ransomware generates a text file named _readme.txt that contains a ransom note. The ransom note demands a payment of $490 or $980 in Bitcoin and provides an email address for contacting the cybercriminals. A sample of such a ransom note is presented below.
How to remove SophosEncrypt Ransomware and decrypt .sophos files
SophosEncrypt is a new ransomware-as-a-service (RaaS) that has been disguising itself as the well-known cybersecurity provider Sophos, thus masking its true identity and intentions. The ransomware encrypts files on the infected system using a complex encryption algorithm, making data useless on the infected system. It affects commonly used data such as pictures, documents, videos, databases, and archives. The ransomware appends a unique machine identifier, the email address entered during setup, and the suffix .sophos to every file it encrypts. Cybersecurity researchers have uncovered that the ransomware encryptor is written in Rust and uses the C:\Users\Dubinin path for its crates. However, it is still unclear how the ransomware is being promoted and distributed. Most modern ransomware uses strong encryption methods such as RSA-2048 or AES-128, making it impossible to get your files back unless you have the decryption key. It is still unclear which encryption method SophosEncrypt uses. The ransomware creates a ransom note (information.hta) for every folder with encrypted files, and replaces the impacted device's wallpaper to show a message indicating system-wide data encryption with the Sophos logo.