
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove IceFire Ransomware and decrypt .iFire files

IceFire is the name of a computer infection classified as ransomware. The cybercriminals behind it target business users, encrypt their data, and then extort money (in Monero cryptocurrency) for file decryption. While analyzing technical reports of the virus, we saw it using a combination of AES and RSA cryptographic algorithms to encipher important pieces of data. Like other infections of this kind, IceFire Ransomware uses its own extension, .iFire, to mark the restricted data. To illustrate, a file previously titled 1.pdf will change to 1.pdf.iFire and become inaccessible. Following successful encryption, the cybercriminals lay out the recovery steps to be taken in the iFire-readme.txt note.

How to remove Venus Ransomware and decrypt .venus files

Venus is a ransomware-type virus that was recently discovered by a malware researcher called S!Ri. Its main functions are file encryption and the extortion of money from victims for decryption. While data is enciphered with cryptographic algorithms, all affected files are given the .venus extension. To illustrate, if 1.pdf is affected by the infection, it will become 1.pdf.venus and have its original icon reset. After this, victims can read the decryption instructions inside the README.txt note. Desktop wallpapers get replaced as well.

How to remove WildFire Locker Ransomware and decrypt .wflx files

WildFire Locker is a malicious program categorized as ransomware. It operates by restricting access to data (with the AES-256 CBC encryption algorithm) and then demanding money from victims. During the data encryption process, all targeted files are renamed to the long format #WildFire_Locker#[original file name]##.[original extension].wflx. Cybercriminals do so to highlight the encryption and make sure victims spot it. For instance, a file previously named documents.pdf will become something like #WildFire_Locker#documents##.pdf.wflx and have its original icon reset as well. Following this, the virus creates three files with .txt, .html, and .bmp extensions providing relevant information about the decryption procedure. The most detailed instructions are given inside the HOW_TO_UNLOCK_FILES_README_(victim's unique ID).txt text note.

How to remove PLAY Ransomware and decrypt .PLAY files

PLAY is a ransomware-type virus that encrypts important data and extorts money from victims. While rendering files inaccessible, it assigns the .PLAY extension and also creates a text note called ReadMe.txt. For instance, a file previously titled 1.pdf will change to 1.pdf.PLAY and have its icon reset after encryption. From then on, victims lose control over their data and have to read the instructions on its recovery in the created text note. It is common for ransomware infections to be distributed via phishing techniques. A virus may be disguised as some legitimate-looking file (e.g., Word, Excel, PDF, EXE, JavaScript, RAR, ZIP, etc.) and be sent inside a spam e-mail. Such a letter may present information explaining the “importance” of opening attached files or links.

How to remove Ransomcrow Ransomware and decrypt .encrypted files

Ransomcrow is a ransomware infection designed to encrypt valuable data and blackmail victims into paying money for its retrieval. During encryption, it assigns the .encrypted extension, which is generic to many file-encryptors. To illustrate, a file initially named 1.pdf will change to 1.pdf.encrypted and also lose its icon. After this, the virus creates a text note called readme.txt and also replaces desktop wallpapers. Information within the generated note is meant to guide victims through the recovery process. The note says that a payment equivalent to €50 in Bitcoin must be transferred to get special decryption tools and return the data. Victims can also contact the swindlers directly via the given email address (ransomcrow@proton.me). As a rule, decryption without the help of cybercriminals is very complex or even impossible - the exception is when the ransomware has bugs or flaws that make third-party decryption possible.

How to remove Payt Ransomware and decrypt .payt files

Payt is the name of a ransomware infection that encrypts system-stored data and blackmails victims into paying money for its return. It renames the affected files, appending the victim's unique ID, the cybercriminals' e-mail address, and the .Payt or .payt extension. For instance, this is how an image file infected by Payt Ransomware will likely appear - 1.png.[MJ-YK7364058912](wesleypeyt@tutanota.com).Payt. After this, a money-demanding note called ReadthisforDecode.txt is created on the desktop. As stated within this message, victims should write an e-mail to the wesleypeyt@tutanota.com or wesleypeyt@gmail.com address and express their interest in decrypting data. It is also possible to send a test file and get it decrypted for free - this way cybercriminals seek to show that their decryption actually works and can be relied on.

How to remove World2022decoding Ransomware and decrypt .world2022decoding files

World2022decoding is a recent ransomware infection that was spotted encrypting device-stored data and blackmailing victims into paying money for it. During encryption, all affected files get appended with the victim's personal ID and the .world2022decoding extension. As a result, a previously uninfected file such as 1.png becomes the restricted 1.png.[9222911A].world2022decoding. This is only an example, and it can happen to any piece of data, especially documents and databases. Cybercriminals also create a text note called WE CAN RECOVER YOUR DATA.MHT that contains instructions on how to return the files.

How to remove Arai Ransomware and decrypt .araicrypt files

Arai is a malicious program that targets corporate users to encrypt business data and demand that victims pay money for its return. While restricting access to data, the virus appends the .araicrypt extension to files, which also leaves them with blank icons. For instance, a file like 1.pdf would change to 1.pdf.araicrypt and lose its original icon. After this, data becomes inaccessible and no longer usable. Arai's next step is creating a text note called READ_TO_RESTORE_YOUR_FILES.txt. This note explains what happened and how victims can recover from it. In short, the cybercriminals state that all important data (databases, customer data, etc.) has been copied and local backups have been deleted. The note also says that in case of non-compliance with the provided instructions, victims will lose the chance to recover the data and will suffer both financial and reputational damage due to the data publication that may follow. Otherwise, victims should contact the swindlers using one of the given email addresses and pay for decryption (supposedly expensive and in cryptocurrency). In that case, the extortionists promise to wipe the collected data and not publish it.