Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Jycx Ransomware and decrypt .jycx files

Jycx Ransomware (also classified as STOP Ransomware or Djvu Ransomware) is harmful malware that blocks access to a user's files by encrypting them and demands a buyout. It was released in the last days of March 2023 and hit tens of thousands of computers. The virus uses an unbreakable encryption algorithm (AES-256 with RSA-1024 key) and demands a ransom to be paid in Bitcoins. However, due to some programming mistakes, there are cases when your files can be decrypted. The version of STOP Ransomware that we are considering today adds the .jycx extension to encrypted files, and therefore got the name Jycx Ransomware. After the encryption, it presents the file _readme.txt to the victim. This text file contains information about the infection, contact details, and false statements about decryption guarantees. The following e-mail addresses are used by the malefactors for communication: support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Hairysquid Ransomware and decrypt .Hairysquid files

Hairysquid is a newly discovered variant of the Mimic ransomware. After penetration, it modifies the Windows Group Policy, deactivates protection by Windows Defender, and disables other Windows features so that nothing interferes with its malicious activity. The goal of this infection is to encrypt data stored on the system and demand money for its decryption. During the encryption process, the virus attaches the .Hairysquid extension to all affected files. Once done, a file like 1.pdf will turn into 1.pdf.Hairysquid and eventually change its icon. Instructions on how to decrypt the blocked data are presented within the READ_ME_DECRYPTION_HAIRYSQUID.txt note, which gets created once encryption succeeds. In short, the note tells victims that they have been attacked by ransomware, which encrypted their data. In order to reverse the damage and get back the files, victims have to contact the swindlers via one of the provided communication channels (TOX messenger, ICQ messenger, Skype, and email) and pay for decryption in Bitcoins. The price for decryption is said to be calculated based on the amount and potential value of the encrypted data. In addition, victims are allowed to test decryption for free by sending 3 locked files to the cybercriminals. Alas, it is usually impossible to decrypt blocked data without the involvement of the cybercriminals themselves.

How to remove Jyos Ransomware and decrypt .jyos files

Jyos Ransomware (a.k.a. Djvu Ransomware or STOP Ransomware) encrypts the victim's files with Salsa20 (a stream encryption system) and appends one of hundreds of possible extensions, including the latest discovered, .jyos. This one appeared at the very end of March 2023 and infected thousands of computers worldwide. STOP is one of the most active ransomware families today, but it is hardly talked about. The prevalence of STOP is also confirmed by the extremely active forum thread on Bleeping Computer, where victims seek help. The fact is that this malware mainly attacks fans of pirated content and visitors to suspicious sites, and is distributed as part of advertising bundles. There is a possibility of successful decryption; however, to date, there are more than two hundred STOP Ransomware variants known to researchers, and such variety significantly complicates the situation.

How to remove Jypo Ransomware and decrypt .jypo files

Jypo Ransomware is the next generation of the STOP Ransomware family from the same authors. The ransomware family is known for its widespread distribution and frequent updates with new variants. Like other members of the Djvu family, Jypo Ransomware is designed to encrypt the victim's files and demand a ransom payment in exchange for the decryption key. The ransom note left by Jypo Ransomware instructs the victim to contact the attackers via email to negotiate the ransom payment. This virus targets important user files, such as documents, photos, databases, music, and mail. The ransomware encodes them with AES encryption and adds the .jypo extension to affected files. All these variations use similar algorithms that are unbreakable; however, under certain conditions .jypo files encrypted by the ransomware can be decrypted using STOP Djvu Decryptor (provided below). This version of STOP Ransomware uses the following e-mail addresses: support@freshmail.top and datarestorehelp@airmail.cc. Jypo Ransomware creates a ransom note file named _readme.txt.

How to remove Jywd Ransomware and decrypt .jywd files

Jywd is a ransomware infection originating from the Djvu/STOP family. The developers behind this family are responsible for infecting a bunch of users with different file encryptors. Jywd is new, having appeared at the end of March 2023, but has traits very similar to its precursors. Jywd Ransomware, like other variants of the STOP/Djvu Ransomware family, uses a combination of AES-256 and RSA-1024 encryption algorithms to encrypt the victim's files. AES-256 is used to encrypt the files themselves, while RSA-1024 is used to encrypt the AES-256 key. This makes it extremely difficult to recover the encrypted files without the decryption key. The virus encrypts personal data and assigns it the .jywd extension. To illustrate, a file called 1.pdf will change to 1.pdf.jywd and reset its original icon after successful encryption. In order to decrypt the blocked data, victims are given instructions to follow inside a ransom note (_readme.txt).

How to remove @BLOCKED Ransomware and decrypt .@BLOCKED files

@BLOCKED is a ransomware infection that encrypts potentially valuable data and requires victims to perform certain actions in order to restore access to it. After running successful encryption, all filenames will be assigned a custom extension starting with a random string of characters and ending with @BLOCKED. For instance, a file like 1.pdf will change to something like 1.pdf.i34ot23@BLOCKED and become no longer accessible. Afterwards, successful encryption is followed by the creation of a ransom text note - also named with random characters preceding the ".txt" extension (for example, mesgwuibjpdrdum.txt). This note contains instructions on how to recover the encrypted data.

How to remove Tyos Ransomware and decrypt .tyos files

The epidemic of STOP Ransomware still goes on, with yet another successor called Tyos Ransomware. This nasty virus hits thousands of computers all over the world, mostly targeting the USA, Canada, Europe, South Africa, Australia and New Zealand. The most recent version, which emerged at the end of March 2023, uses the .tyos extension, which it adds to the end of encrypted files. As DjVu Ransomware uses the AES encryption algorithm, the probability of decryption is low, but it exists. Tyos Ransomware damages users' important data: photos, videos, documents, and other types of information that victims are ready to pay a ransom for. At the same time, it doesn't touch system files, to keep Windows operable. The latest generation of this virus creates a ransom note file called _readme.txt. This file provides general information about the infection, the ransom amount, and contact details.

How to remove Typo Ransomware and decrypt .typo files

Typo Ransomware is a devastating crypto-virus (a variation of STOP Ransomware) that uses the AES-256 asymmetrical encryption algorithm to restrict user access to their files without the key. The malware appends the .typo extension to files, making them unreadable, and extorts a ransom for decryption. The "Typo" variant appeared in March of 2023 and infected tens of thousands of computers worldwide. Unfortunately, due to technical modifications in the newest version, file recovery is impossible without backups. However, there are certain standard Windows features and tools that may help you restore at least some files. File-recovery software may also be useful in this case. The text box below shows a sample of the message from the _readme.txt file, called the "ransom note". In this file, the malefactors disclose contact information, the price of the decryption, and ways to pay the ransom.