
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Kangaroo Ransomware and decrypt .crypted_file files

Kangaroo is a ransomware infection released by the developers behind earlier file-encryptors such as Apocalypse, Fabiansomware, and Esmeralda. Although this file-encryptor was actively circulating in 2021, some users may still get infected by it today. The purpose of malware in this category is to encrypt potentially important data and extort money from victims for its decryption. The feature that makes Kangaroo stand out among other common ransomware infections is that it configures registry values to display a ransom message before the Windows log-in screen appears. Immediately after the user logs into the system, it also displays a fake screen with the same ransom message, this time with a dedicated field for entering a password to unlock it. During encryption, Kangaroo also assigns the .crypted_file extension and creates identical ransom messages in the form of text notes. A text note is created alongside each encrypted file and is named after the post-encryption file name (for example, 1.pdf.crypted_file.Instructions_Data_Recovery.txt).

How to remove Ioqa Ransomware and decrypt .ioqa files

Ioqa Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is an extremely dangerous virus that encrypts files using the AES-256 encryption algorithm and adds the .ioqa extension to affected files. The infection mostly targets important and valuable files, like photos, documents, databases, e-mails, videos, etc. Ioqa Ransomware does not touch system files, so Windows keeps operating and users are able to pay the ransom. If the malware server is unavailable (the computer is not connected to the Internet, or the remote hackers' server does not work), the encryption tool uses the key and identifier that are hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Ioqa Ransomware creates a _readme.txt file, which contains the ransom message and contact details, on the desktop and in the folders with encrypted files. Developers can be contacted via e-mail: support@freshmail.top and datarestorehelp@airmail.cc.

How to remove Mikel Ransomware and decrypt .mikel files

Mikel Ransomware is a malicious infection designed to encrypt personal data and extort money for its decryption. It is also identified as a new variant of another file-encryptor named Proxima. During encryption, Mikel Ransomware assigns the .mikel extension to highlight the change. For instance, a file like 1.pdf will change to 1.pdf.mikel and reset its original icon. Please note that deleting the assigned extension from the encrypted file will not return access to it. Encryption makes data permanently locked and requires decryption keys to unlock it. After the encryption is complete, the virus creates the Mikel_Help.txt text note with instructions regarding decryption.

How to remove Iowd Ransomware and decrypt .iowd files

STOP Ransomware is a sophisticated encryption virus that uses the Salsa20 algorithm to encode sensitive personal data, such as photos, videos, and documents. The latest version (Iowd Ransomware), which appeared in the middle of February 2023, adds the .iowd extension to files and makes them unreadable. To date, the family includes more than 600 representatives, and the total number of affected users is approaching a million. Most of the attacks are in Europe, South America, India, and Southeast Asia. The threat has also affected the United States, Australia, and South Africa. Although the Iowd virus is less known than GandCrab, Dharma, and other ransomware trojans, it accounts for more than half of the detected attacks this year. Moreover, the next in the ranking, the aforementioned Dharma, trails it on this indicator by more than four times. A significant role in the prevalence of STOP Ransomware is played by its diversity: in the most active periods, experts found three or four new versions daily, each of which hit several thousand victims.

How to remove Crackonosh Trojan

Crackonosh is the name of a trojan stealthily distributed inside cracked software installers. Upon successful installation, its purpose is to inject the XMRIG miner and start mining Monero cryptocurrency for the threat actors. As of now, statistics show that this miner has helped cybercriminals mine Monero worth roughly two million dollars. A couple of words on how the trojan does its malicious job: after the installer of cracked software is launched, it places an installer and a script onto the targeted system, which then change the Windows Registry settings to turn off hibernation mode and activate Crackonosh in Safe Mode at the next system start-up. This way, the trojan deactivates Windows Update and Windows Defender and is even able to uninstall third-party antivirus programs (e.g., Avast, Bitdefender, Kaspersky, McAfee, and Norton) in order to reduce the chance of being detected and blocked. To conceal its presence, it erases system log files, serviceinstaller.msi files, and maintenance.vbs files. As a result, some infected systems may display error messages indicating issues with the aforementioned files. In addition, Crackonosh may also halt Windows Update services and replace the Windows Security icon with a fake green system tray icon. The main symptoms that should attract your attention and lead you to suspect something is wrong with your system are usually slow and laggy PC performance, increased CPU/GPU/RAM usage, overheating, unexpected crashes, and other related issues. Thus, if any of these symptoms are present, make sure to read our guide below and eliminate the potential crypto-mining trojan from your computer.

How to remove Hhoo Ransomware and decrypt .hhoo files

Hhoo has been classified as a ransomware-type virus, which encrypts personal data using cryptographic algorithms. Being yet another version of the Djvu/STOP family, Hhoo can target both individuals and organizations to demand high amounts of ransom. It appeared in the middle of February 2023 and hit thousands of users. The ransom is the payment cybercriminals require in exchange for the blocked data. Extortionists provide detailed information on it inside a text note (_readme.txt), which is created after Hhoo finishes encrypting files. The encryption process can be easily spotted by the new extension assigned to each of the files. This virus appends the .hhoo extension, so an encrypted file ends up looking like this: 1.pdf.hhoo.

How to remove CRYBrazil Ransomware and decrypt .crybrazil or .hacked files

CRYBrazil is a ransomware variant that was discovered by MalwareHunterTeam in 2018. This virus mainly targets Brazilian and Portuguese users in order to encrypt potentially important files and then demand a ransom for their decryption. While restricting access to files, the file-encryptor has been observed to assign the .crybrazil or .hacked extension, depending on which version infected the computer. Once the encryption is finished, CRYBrazil changes the desktop wallpaper to display decryption guidelines and also places the SUA_CHAVE.html file (which leads to a fake download page for Adobe Flash Player) in each folder containing encrypted data. This or other fake websites may therefore be used for distributing unwanted software or additional malware infections.

How to remove Hacktool:Win32/Keygen

Hacktool:Win32/Keygen is a code-name used by anti-malware software when the usage or presence of license-cracking tools is detected on the system. Such tools generate fake keys to activate licensed versions of software and therefore bypass paying for it. Although keygen tools are not initially intended to be harmful to users' safety, some threat actors may use them to deliver various malware alongside. While the detection and labeling of the cracking tool as "Hacktool:Win32/Keygen" by your antivirus does not always indicate your system is infected with actual malware, it still might be a good idea to perform a thorough scan of your system. Infections that can be distributed alongside key-generating tools are ransomware (software that encrypts data and demands money from victims), crypto-miners (software that stealthily mines cryptocurrency for cybercriminals), banking trojans, spyware, and other types of potentially devastating infiltrations. Having such malware installed on your system may lead to severe privacy problems, financial losses, downgraded PC performance, and other kinds of threats. Thus, if you recently used a license-cracking tool (Hacktool:Win32/Keygen) and suspect your system could be in danger, make sure to read our guide below and scan your system with effective anti-malware software to detect and eliminate possible threats.