How to remove Kitz Ransomware and decrypt .kitz files
Kitz Ransomware (belongs to the family of STOP Ransomware or Djvu Ransomware) is a high-risk file-encrypting virus that affects Windows systems. At the beginning of April 2023, the new generation of this malware started encoding files using the .kitz extension. The virus targets important and valuable file types such as photos, documents, videos, and archives; encrypted files become unusable. The ransomware puts a _readme.txt file, called a "ransom note" or "ransom-demanding note", on the desktop and in the folders with encrypted files. The developers use the following e-mails for contact: support@freshmail.top and datarestorehelp@airmail.cc. The hackers demand $980 for the decryption of your files (the message states that victims will get a 50% discount if they contact the cybercriminals within 72 hours after the encryption). According to many reports, the malefactors often don't reply to victims once they receive the ransom payment. We strongly recommend against paying any money. Files encrypted by some versions of Kitz Ransomware can be decrypted with the help of STOP Djvu Decryptor.
How to remove BlackByteNT Ransomware and decrypt .blackbytent files
BlackByteNT is a recently discovered ransomware infection. After it infiltrates the system, all potentially important file types become inaccessible due to full-fledged encryption. In addition to encrypting data, the file encryptor also replaces original filenames with a random string of characters and the .blackbytent extension at the end. For instance, a file like 1.pdf will change to something like dnoJJlc=.blackbytent and lose its original icon as well. The last significant part of the ransomware is BB_Readme_[random_string].txt – a ransom note that contains decryption guidelines. The cybercriminals say the data has been encrypted and exfiltrated to their servers. In order to regain access and prevent the data from being leaked, victims are told to cooperate with the extortionists and follow the information presented through the TOR link provided within the note. Should victims delay communication, the price for decryption will rise, and after 4 days of inaction, victims will no longer be able to use the decryption services of the cybercriminals. Lastly, the cyber-crooks warn victims against using third-party decryption tools, on the grounds that there is a risk of damaging the files and therefore losing the possibility of ever decrypting them.
How to remove Kifr Ransomware and decrypt .kifr files
STOP Ransomware (Djvu Ransomware) is officially the most common encryption virus in the world. The encryptor operates according to the classical scheme: it encrypts files, adds a new extension to them, and places a ransom note on the infected machine. More than 50% of ransomware-infected computers are infected with STOP Ransomware. It has a second name, Djvu Ransomware, after the extension .djvu that was appended to files on the first infected computers. With several minor and major modifications, the virus continues its devastating activity to the present day. A recent variation of the malware (Kifr Ransomware, which appeared in April 2023) adds the .kifr extension to files. Kifr Ransomware encrypts victims' files using the AES encryption algorithm. AES (Advanced Encryption Standard) is a widely used symmetric encryption algorithm that is considered to be secure and is used to protect sensitive data in many applications. AES encryption uses a secret key to encrypt and decrypt data, and the strength of the encryption depends on the length of the key used. Of course, affected files become inaccessible without a special "decryptor", which has to be bought from the hackers.
How to remove Nitz Ransomware and decrypt .nitz files
Nitz Ransomware is a large family of encryption viruses with more than a year of history. It has undergone multiple visual and technical modifications during that time. This article describes the peculiar properties of the latest versions of this malware. Since the beginning of April 2023, STOP Ransomware has been adding the following extension to encrypted files: .nitz. It is called "Nitz Ransomware" after this extension. The virus modifies the "hosts" file to block Windows updates, antivirus programs, and sites related to security news. The infection process also imitates the installation of Windows updates: the malware generates a fake window and progress bar for this. This version of STOP Ransomware now uses the following e-mail addresses: support@freshmail.top and datarestorehelp@airmail.cc. STOP Ransomware creates the ransom note file _readme.txt.
How to remove Niwm Ransomware and decrypt .niwm files
If you landed on this article, you most likely got hit by Niwm Ransomware, which encrypted your files and changed their extensions to .niwm. The name Niwm is given to this malware only to help users find the removal and decryption solution, and it comes from the suffix the malware appends. In fact, this is just the 681st version of STOP Ransomware (sometimes called Djvu Ransomware), which has been active for more than 5 years and has become one of the most widespread ransomware families. Niwm was released in the first days of April 2023. Unfortunately, the chances of 100% decryption are low now, as it uses strong encryption algorithms; however, with the instructions below you will be able to recover some files. It uses a combination of RSA and AES encryption algorithms to encrypt the victim's files. The RSA algorithm is used to encrypt the AES key, and the AES algorithm is used to encrypt the victim's files. The AES key is generated randomly for each victim and is stored on the attacker's server. But first you need to remove the ransomware files and kill its processes. Below is an example of the Niwm Ransomware ransom note that it leaves on the desktop (_readme.txt). It's quite typical and has remained almost the same, with minor changes, for several years.
How to remove Cylance Ransomware and decrypt .Cylance files
Cylance is the name of a ransomware infection that targets Windows and Linux users. Users infected with this type of malware will no longer be able to access their data due to encryption. In addition, victims will see the affected files modified with the .Cylance extension. After this, the files will no longer be accessible, and victims will have to follow the decryption instructions in the generated ransom note (named CYLANCE_README.txt). Please note that Cylance Ransomware has nothing to do with Cylance by BlackBerry – legitimate enterprise cybersecurity solutions. In general, the ransom note says the victim's data has been encrypted and the cybercriminals are the only holders of the private keys that are able to decrypt it. To obtain this key and presumably software for running decryption, victims are instructed to contact the swindlers via e-mail and transfer money to them. The price is undisclosed and most likely calculated for each victim separately. Additionally, the cybercriminals offer to test decryption for free on one encrypted file sent to them. No matter how trustworthy cybercriminals seem, collaborating with them and paying the ransom is always advised against. Many victims end up fooled and do not receive the promised decryption tools. While this has not been reported to be the case with Cylance Ransomware, the risk exists nonetheless.
How to remove Nifr Ransomware and decrypt .nifr files
Nifr Ransomware, being a part of the STOP Ransomware (DjVu Ransomware) family, is an elaborate encryptor virus that encrypts the user's files and makes them inaccessible. The malware uses an unbreakable AES (Salsa20) encryption algorithm, and decryption is only possible in 2-3% of cases. It first generates a unique AES-256 encryption key for each file it encrypts, which is used to encrypt the file's contents. This process is known as symmetric encryption, as the same key is used to encrypt and decrypt the file. After encrypting the file with the AES-256 key, Nifr Ransomware then encrypts the AES-256 key with an RSA-1024 public key, which is included in the ransomware's code. This process is known as asymmetric encryption, as it uses different keys for encryption and decryption. The recent version of STOP Ransomware adds the following suffix or extension: .nifr. The corresponding virus variation received the name Nifr Ransomware. After encrypting, the ransomware creates a _readme.txt file, which specialists call a "ransom note", and below you can get acquainted with the contents of this file. The note contains instructions on how to contact the ransomware operators and pay the ransom in order to receive the decryption key. The ransomware is typically distributed through spam emails, fake software updates, and software cracks/keygens. It is important to note that paying the ransom is not recommended, as it encourages the criminals and there is no guarantee that the decryption key will be provided.
How to remove D7k Ransomware and decrypt .D7k files
D7k is the name of a recently discovered ransomware infection. Like other infections within this category, it is designed to encrypt system-stored data and extort money from victims for its decryption. During encryption, all targeted files get the .D7k extension and have their icons reset to blank. As a result, users will no longer be able to access their files, even after manually removing the newly assigned extension. Once encryption has finished, the virus creates a text file called note.txt, which contains decryption guidelines. The note contains a short text demanding $500 for file decryption. This amount is to be sent to the bitcoin wallet given by the cybercriminals. The message does not include any communication channels, which makes the decryption process ambiguous. Paying the ransom is not recommended because many cybercriminals fool their victims and do not send the promised decryption means in return. In this case, however, it appears to be even riskier due to the lack of any communication channels to contact the extortionists. Despite this, cybercriminals are usually the only figures able to unlock access to data completely and safely. At the moment this article was written, no public third-party tools were known to bypass the ciphers applied by D7k Ransomware. Decryption using third-party tools or Windows shadow copies is possible only in rare cases when the ransomware is flawed or accidentally faulted during its operation for whatever reason. Otherwise, the only ways to recover your data are either by collaborating with the ransomware developers or retrieving data from existing backup copies. Backups are copies of data stored on external devices such as USB drives, external hard drives, or SSDs.