
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Sorryitsjustbusiness Ransomware and decrypt your files

Sorryitsjustbusiness is the name of a ransomware virus. Like other infections of this type, it encrypts personal data and blackmails victims into paying a ransom. The encryption is easy to spot by looking at the affected files: Sorryitsjustbusiness changes their original extensions to random characters and resets icons to blank. To illustrate, a file like 1.pdf may change to 1.pdf.ws9y, 1.png to 1.png.kqfb, and so forth with other files and random extensions. Following successful encryption, the virus creates a text note called read_it.txt and installs new desktop wallpapers. Both the text note and the wallpapers display information on how to recover the data. Victims are told it is necessary to buy an exclusive key to decrypt their files. The cost of this key is a whopping $150,000, to be paid in Bitcoin to the attached crypto address. After the transfer is made, victims should inform the swindlers by sending a message to their e-mail address (sorryitsjustbusiness@protonmail.com). If victims fail to do this within 24 hours after getting infected, the price for decryption will double. It is also mentioned that encrypted files will be deleted after 48 hours of victims' inaction. Based on the demanded amount of ransom, we can assume that Sorryitsjustbusiness is aimed at companies with a good level of earnings. As a rule, it is not advised to trust cybercriminals and pay the ransom they want.

How to remove ANUBIZ LOCKER Ransomware and decrypt .lomer files

Being part of the Babuk family, ANUBIZ LOCKER is a ransomware infection designed to encrypt data. It does so by using secure encryption algorithms and appending the .lomer extension to the names of affected files. To illustrate, a file called 1.pdf will change to 1.pdf.lomer and reset its original icon to blank. After successfully restricting access to data, the virus then blackmails victims into paying a ransom. This is done through the How To Restore Your Files.txt text file, which is created on compromised devices. The file says all valuable files have been encrypted and copied to the cybercriminals' servers, and that all backups were deleted as well. Victims can potentially restore their data by purchasing special decryption software offered by the attackers. The note directs victims to contact the cybercriminals at their e-mail address to get further details on the decryption. Infected users are also allowed to attach one file to their message and get it decrypted for free. Should victims ignore these requests and delay paying the ransom, cybercriminals threaten to start leaking collected files to dark web resources.

How to remove Qmam4 Ransomware and decrypt .qmam4 files

Qmam4 is a high-risk infection categorized as a cryptovirus. The name comes from its after-attack behavior: the virus demands that victims pay a sum of money in cryptocurrency after it blocks access to data. Such infections are also known as ransomware. They encrypt personal data and blackmail victims into paying the ransom. During encryption, Qmam4 attaches a string of random characters and the new .qmam4 extension to each affected file. For instance, 1.pdf will change to 1.pdf.{random sequence}.qmam4 and become inaccessible. Following this, Qmam4 creates a text file called C3QW_HOW_TO_DECRYPT.txt that explains how victims can unlock their data. The note says victims can decrypt their files and prevent important data from being sold on dark web resources. To do this, victims are instructed to contact the cybercriminals using the Tor link. After victims get in touch, the developers will supposedly tell them to send money in cryptocurrency and retrieve a special decryption tool afterward. Should victims refuse to follow instructions, the collected data will be leaked to third parties. Unfortunately, collaboration with cybercriminals might be the only way to decrypt your data and avoid having the exfiltrated data made public. It is less likely that some third-party tool will be able to decrypt your data for free without the help of attackers.

How to remove ALBASA Ransomware and decrypt .ALBASA files

ALBASA is a ransomware-type virus designed to encrypt system-stored data and blackmail victims into paying money for its return. During encryption, all files acquire the new .ALBASA extension and reset their original icons to blank. This is also accompanied by the creation of RESTORE_FILES_INFO.txt - a text note containing instructions on how to recover blocked data.

How to remove Cantopen Ransomware and decrypt .cantopen files

Cantopen is a ransomware infection that was discovered quite recently. It encrypts personal files by adding the .cantopen extension and creating the HELP_DECRYPT_YOUR_FILES.txt text file to blackmail victims into paying the ransom. To illustrate, a file named 1.pdf will be altered to 1.pdf.cantopen and drop its original shortcut icon. Such a change will be applied to all the targeted data making it no longer accessible.

How to remove Black Ransomware and decrypt .black files

Black is the name of a ransomware infection that was discovered quite recently. It is developed to run data encryption and blackmail victims into paying money for its return. Victims may spot successful encryption simply by looking at their files - the majority of them will be changed using the .black extension and lose the original icons. To give an example, 1.pdf will be altered to 1.pdf.black, 1.png to 1.png.black, and so forth with the rest of the targeted files. Then, as soon as this part of encryption is done, the virus presents decryption instructions inside a text note (read_me.txt).

How to remove Cat4er Ransomware and decrypt .cat4er files

Cat4er is a ransomware virus that triggers data encryption upon infecting the targeted system. It does so by assigning the .cat4er extension to make encrypted files look like 1.pdf.cat4er, 1.png.cat4er, 1.xlsx.cat4er, and so forth depending on the original name. After making these changes, the virus creates an HTML file called HOW_FIX_FILES.htm, meant to guide victims through the decryption process. As stated in the HTML note, victims can regain access to all the blocked data by going to the attached TOR link and following instructions on how to purchase special decryption software. Victims are given 10 days to decide on paying the ransom worth 0.08 BTC - around $3300 at the moment of writing this article. After the payment is made, cybercriminals promise to send the declared tools able to decrypt the files. Unfortunately, ransomware actors are the only figures having the necessary keys to unlock your data. These keys are often strongly secured and almost impossible to crack with the help of third-party tools.

How to remove Newexploit Ransomware and decrypt .exploit files

Newexploit is a ransomware virus designed to encrypt PC-stored data and blackmail victims into paying the so-called ransom. Successful encryption is evident once Newexploit changes file extensions to .exploit. For instance, a file like 1.pdf will drop its original icon and change to 1.pdf.exploit. As a result, users lose access to their files, meaning they are unable to read or edit them anymore. To fix this, Newexploit tells its victims to follow the instructions written inside a text note (RECOVERY INFORMATION.txt). This note is created immediately after successful encryption and contains information on how to recover the data.