How to remove PAY2DECRYPT Ransomware and decrypt .PAY2DECRYPT files
Pay2Decrypt is a ransomware-type virus that encrypts personal data and blackmails victims into paying the so-called ransom. A ransom is usually some amount of money cybercriminals demand from users for file decryption. Each file encrypted by the virus will appear with the .PAY2DECRYPT extension followed by a set of random characters. To illustrate, a sample originally named 1.pdf will be changed to 1.pdf.PAY2DECRYPTRLD0f5fRliZtqKrFctuRgH2, with its icon reset as well. After this, users will no longer be able to open and view the encrypted file. Immediately after successful encryption, the ransomware creates a hundred text files with identical content - Pay2Decrypt1.txt, Pay2Decrypt2.txt, and so forth up to Pay2Decrypt100.txt.

How to remove Sojusz Ransomware and decrypt .sojusz, .likeoldboobs or .Gachimuchi files
Sojusz is the name of a ransomware infection. It belongs to the Makop ransomware family, which has produced a number of different file encryptors. Sojusz blocks access to data and demands money for its decryption. Research shows it marks encrypted files by appending a random string of characters, the ustedesfil@safeswiss.com email address, and the .sojusz extension. The latest versions of Sojusz use the following extensions: .bec, .nigra, .likeoldboobs, .[BillyHerrington].Gachimuchi. This means a file like 1.pdf will be changed to 1.pdf.[fd4702551a].[ustedesfil@safeswiss.com].sojusz and become inaccessible. After all targeted files end up encrypted this way, the virus creates a text file called -----README_WARNING-----.txt (later versions also created the !!!HOW_TO_DECRYPT!!!.txt, Horse.txt, README_WARNING_.txt and #HOW_TO_DECRYPT#.txt ransom notes).

How to fix “Follina” MSDT exploit
Quite recently, hackers found a new Windows vulnerability that aids the penetration of systems with malware. The exploit is inherently related to MSDT (Microsoft Support Diagnostic Tool) and allows cybercriminals to perform various actions by running commands through the PowerShell console. It was named Follina and assigned the tracker code CVE-2022-30190. According to reputable experts who researched this problem, the exploit succeeds once users open malicious Word files. Threat actors use Word’s remote template feature to request an HTML file from a remote web server. Following this, attackers are able to run PowerShell commands to install malware, manipulate system-stored data and perform other malicious actions. The exploit also evades antivirus protection, bypassing safety checks and allowing infections to sneak in undetected. Microsoft is working on a fix and promises to roll out an update as soon as possible. We therefore recommend checking your system for new updates regularly and installing them as soon as they appear. Until then, we can guide you through the official workaround suggested by Microsoft: disabling the MSDT URL protocol, which prevents the vulnerability from being exploited until an update appears.

How to remove Android Calendar virus
Often mistaken for a separate virus, messages spamming Google Calendar events are actually related to a malicious or unwanted app that might be running on your Android device. Many victims complain that the messages appear all over the calendar and attempt to persuade users into clicking on deceptive links. It is likely that, when the unwanted application was installed, the users now experiencing spam granted it access to certain features, including permission to modify Google Calendar events. The links may therefore lead to external websites designed to install malware and other types of infections. In fact, whatever these messages claim ("severe virus detected"; "virus alert"; "clear your device", etc.) is most likely fake and has nothing to do with reality. In order to fix this and prevent your calendar from being cluttered with such spam, it is important to find and remove the application causing the issue and then reset the calendar to clean up the unwanted events.

How to remove Rozbeh Ransomware and decrypt your files
Also known as R.Ransomware, Rozbeh is a ransomware infection that encrypts system-stored data to blackmail victims into paying money for its recovery. During encryption, it marks blocked data by appending an extension of four random characters. For instance, a file like 1.pdf may change to 1.pdf.1ytu, 1.png to 1.png.7ufr, and so forth. Depending on which version of Rozbeh Ransomware attacked your system, instructions explaining how data can be recovered may be presented in the text notes read_it.txt or readme.txt, or even in a separate pop-up window. It is also worth noting that the most recent ransomware developed by the Rozbeh operators is called Quax0r. Unlike other versions, it does not rename encrypted data and displays its decryption guidelines in Command Prompt. In general, all the ransom notes mentioned above follow the same pattern: victims are told to contact the malware creators through Discord or, in some cases, by e-mail and send 1 Bitcoin (about $29,000 now) to the cybercriminals' crypto address. After the payment is done, the extortionists promise to send a file decryptor along with the key needed to unlock encrypted data. Unfortunately, in the majority of cases, the encryption methods cybercriminals use to render files inaccessible are complex, making manual decryption near-impossible. You can give it a try using some of the third-party instruments in our tutorial below; however, we are unable to guarantee they will actually work.

How to remove ZareuS Ransomware and decrypt .ZareuS files
ZareuS is the name of a ransomware infection that encrypts files and extorts an amount in crypto from victims. During encryption, the virus alters file names using the .ZareuS extension. In other words, if a file like 1.pdf ends up affected by the infection, it will be changed to 1.pdf.ZareuS and its original icon will be reset as well. Thereafter, to guide victims through the decryption process, the cybercriminals create a text file called HELP_DECRYPT_YOUR_FILES.txt in each folder containing no longer accessible data. It says the encryption was performed with strong RSA algorithms. Victims are therefore instructed to buy a special decryption key, which costs $980; the amount has to be sent to the cybercriminals' crypto address. After doing so, victims have to notify the attackers of the completed payment by writing to lock-ransom@protonmail.com (the e-mail address provided by the attackers). As an additional measure to incentivize victims into paying the ransom, the extortionists offer to decrypt 1 file for free. Victims can do this and receive one file fully unlocked to confirm that decryption actually works. It is unfortunate to say this, but files encrypted by ZareuS Ransomware are almost impossible to decrypt without the help of the cybercriminals. It may be possible only if the ransomware is bugged or contains flaws that make third-party decryption feasible. A better and guaranteed method to get back your data is to recover it from backup copies. If such copies are available on non-infected external storage, you can easily replace your encrypted files with them.

How to remove LokiLok Ransomware and decrypt .LokiLok files
LokiLok is the name of a ransomware infection. Upon successful installation onto a targeted system, it encrypts important files and blackmails victims into paying money for their decryption. We also discovered that LokiLok was developed on the basis of another ransomware virus called Chaos. Once encryption occurs, victims can see their data change with the .LokiLok extension. To illustrate, a file named 1.pdf will most likely change to 1.pdf.LokiLok and have its original icon reset. After this, victims will no longer be able to access their data and ought to seek decryption instructions in the read_me.txt file. The virus also replaces the default wallpaper with a new picture. The cybercriminals want victims to buy a special decryption tool. To do this, victims should contact the extortionists using the attached e-mail address (tutanota101214@tutanota.com). Prior to buying the necessary software, victims are also offered to send 2 small files, which the cybercriminals promise to decrypt and send back to prove their decryption abilities. In addition, the message instructs against trying to use external recovery methods, since it may lead to irreversible destruction of data. Whatever guarantees are given by ransomware developers, it is never recommended to trust them. Many fool their victims and do not send the decryption software even after receiving the money.

How to remove Pay Ransomware and decrypt .Pay files
Pay Ransomware is a file-encryptor that prevents users from accessing their own data. A recent investigation confirmed that this virus belongs to a group of ransomware developers known as Xorist. Similar to other infections of this type, the virus renames all encrypted files using the .Pay extension. To illustrate, a file named 1.pdf will change to 1.pdf.Pay and have its original icon reset as well. After finishing the encryption, Pay Ransomware displays a pop-up window and creates a text file titled HOW TO DECRYPT FILES.txt. Both of them contain identical information on how to regain access to files. It is said that victims can restore access to files by paying $50 to the cybercriminals' Bitcoin address. After completion, victims have to contact the extortionists via the qTox client and receive their decryption code. There is also a warning that 5 unsuccessful attempts to enter the right code will result in irreversible destruction of data. Following this, the swindlers encourage victims to be careful while entering it. Additionally, it is said that no third-party software such as antivirus will help and that it will only hinder further decryption of data. Unfortunately, what they outline in their messages can be true - some cybercriminals set up protection against manual attempts to decrypt blocked data. In such a case, the only option, if you urgently need to restore your files, is either to pay the required ransom or to use your own backup copies from external storage to compensate for the loss.