Viruses

Zhong is the name of a ransomware infection that runs encryption of system-stored data and then urges victims to pay money for decryption. While restricting access to data, the virus also assigns its own .zhong extension to highlight the encrypted data. Note that this change is purely visual and does not have anything direct with encryption. Unfortunately, simply removing the added extension will not return access to data. In order to do it, victims are encouraged to follow instructions within the Restore.txt text note that gets created after successful encryption. The message from the text note clarifies that victims have 48 hours to contact threat actors via e-mail and pay for decryption. Otherwise, the affected data will be made public on various resources (supposedly dark web ones). By saying this, cybercriminals attempt to intimidate users and basically force them into paying the ransom. While the decryption cost is unknown, various ransomware extortionists can require from hundreds to even thousands of dollars for complete file decryption.

H3r is a ransomware infection designed to render files inaccessible (using encryption) and demand payment for their recovery afterward. In addition to running secure cryptographic encryption, the virus also modifies affected filenames by appending a new extension that consists of the personal victim's identifier, cybercriminals' email address, and .h3r at the very end. For instance, an original file like 1.pdf after encryption will change to something like 1.pdf.id-9ECFA84E.[herozerman@tutanota.com].h3r and become no longer accessible. Following this, the ransomware will display a pop-up window and create the info.txt file, which present decryption guidelines to victims.

AttackSystem is a ransomware infection that has file-encrypting capabilities. This means that after getting infected by it victims will be restricted from accessing their own data until a ransom payment is made. In addition, the ransomware also alters the file appearance by adding the .attacksystem extension. For instance, a file previously named 1.pdf will change to something like 1.pdf.attacksystem and become no longer usable. Information on how to return the blocked data provided by swindlers in the How_to_back_files.html file that gets created after encryption. It is also worth noting that AttackSystem Ransomware has been discovered to belong to another malware family known as MedusaLocker.

Saba is a ransomware program belonging to the STOP/Djvu malware family. Alike previous ransomware versions released by this family, Saba encrypts personal data and demands victims to pay a ransom for its return. During this process, the virus modifies all restricted files using the .saba extension. For instance, a file named 1.pdf will change to 1.pdf.saba and reset its original icon. Following this, Saba Ransomware creates a text note (_readme.txt) containing instructions on how to recover the files. As said in the note, victims should contact ransomware developers via e-mail communication (support@freshmail.top or datarestorehelp@airmail.cc) and pay 980 dollars for special decryption software. Cybercriminals also offer a 50% discount off the mentioned price if victims write a message to swindlers within 72 hours. In addition to this, infected users are also allowed to send 1 encrypted file to get it unlocked and fully working for free. Whether it is possible to decrypt your data without paying the ransom depends on how it was encrypted. Developers from the STOP family may use both offline and online ways of generating and storing assigned ciphers.

Sato Ransomware is a computer virus-extortioner, with a global impact, that belongs to the largest family of STOP/Djvu Ransomware. It was developed by cyber-racketeers to blackmail users worldwide. Malware blocks access to users' documents, photos, databases, music, mail, archives by encrypting them with an AES encryption algorithm and demands ransom: from $490 to $980 in Bitcoins. The modification of the virus, that we are investigating now adds .sato extensions to affected files and has many other characteristic signs. It appeared in the end of April - beginning of May. For example, all latest versions of STOP Ransomware use _readme.txt ransom note file with typical message. The particular version, under research today, uses the following e-mail addresses: support@freshmail.top and datarestorehelp@airmail.cc.

SethLocker is a recently-discovered ransomware infection. Cybercriminals use it to run encryption of potentially important files and then urge victims into paying money for their decryption. As opposed to many other similar infections that add their own extension to the end of filenames, SethLocker does run any visual alterations and leaves all files and icons in their original look. Despite this, the data is nonetheless encrypted and victims are prevented from accessing it. To return the blocked data, threat actors have written instructions in a text note called HOW_DECRYPT_FILES.txt. It says all essential files have been encrypted due to a vulnerability within the system. In order to redo the malicious changes, victims are obliged to contact the swindlers via one of their e-mail addresses and pay money for decryption. The price for decryption is not disclosed in the message, however, cybercriminals claim it to be "too small". In addition, victims are also allowed to send one non-valuable file and get it decrypted for free. This way cyber-crooks show their ability to decrypt the files and additionally give extra motivation for paying the ransom. Note that paying the ransom is usually not recommended since some extortionists fool their victims and do not send any decryption tools after the payment.

DVN is a ransomware infection that runs strong encryption to hostage potentially important files until a ransom is paid. In addition to encryption, the virus also assigns the .devinn extension to highlight the blocked data; changes the desktop wallpapers; and create the unlock_here.txt text note with recovery instructions. Cybercriminals say they will provide the necessary decryption software only if victims pay 0.0077 BTC (around $200). It is stated the payment can be done only in Bitcoin and to the attached crypto address. Unlike many other ransomware infections, developers behind DVN Ransomware do not include any means of communication with them (e.g., e-mail, various messengers, etc.). Thus, it is very unclear how victims will communicate with the attackers in order to receive the promised decryption tool after making the payment. Paying the ransom is highly not recommended since there is a risk of not getting anything in return. Unfortunately, we have to note that cybercriminals are usually the only figures actually capable of fully decrypting access to data.

Fofd Ransomware (version of STOP Ransomware or DjVu Ransomware) is a high-risk widespread encryption virus, that first appeared near 5 year ago. It experienced several visual and technical changes throughout the time. In this tutorial, we will analyze recent versions of this dangerous malware. In the very end of April 2023, STOP Ransomware started to add following extensions to encrypted files: .fofd. It is because of that, it got the name "Fofd Ransomware" although it is just one of the varieties of STOP crypto-virus. The virus also modifies "hosts" file to block Windows updates, antivirus programs, and sites related to security news or offering security solutions. The process of infection also looks like installing Windows updates, malware shows the fake window, that imitates the update process. A new subtype of STOP Ransomware uses same e-mail addresses, as few previous generations: support@freshmail.top and datarestorehelp@airmail.cc. Fofd Ransomware creates _readme.txt ransom note file.