How to remove blockZ Ransomware and decrypt .blockZ files
blockZ shows the typical traits of a ransomware infection. This type of malware is designed to encrypt system-stored data and demand that victims pay money for its decryption. This ransomware does the same, appending its own extension (.blockZ) to encrypted files. To illustrate, a file named 1.pdf will change to 1.pdf.blockZ and lose its original icon. After this, users will no longer be able to access their data. Cybercriminals explain how victims can fix this through the How To Restore Your Files.txt text note. It says victims have one possible way to decrypt the data - contact the ransomware developers and pay a ransom in Bitcoin (the amount is not specified in the note) to get a unique decryption tool. In addition, victims are allowed to test the decryption abilities of the cybercriminals' software by sending 1 encrypted file and getting it back fully accessible for free. The note also says that neglecting the instructions may lead to permanent data loss and extra financial costs. As mentioned, the exact amount of ransom is kept secret until victims contact the developers.
How to remove 89N3PDyZzakoH7W6n8ZrjGDDktjh8iWFG6eKRvi3kvpQ malware
89N3PDyZzakoH7W6n8ZrjGDDktjh8iWFG6eKRvi3kvpQ is the name of a clipboard hijacker. Infections with this type of malware are still quite rare because it was developed recently. The operation of this malware is simple - it substitutes whatever is copied into the copy-paste buffer with the 89N3PDyZzakoH7W6n8ZrjGDDktjh8iWFG6eKRvi3kvpQ string. In other words, if you try to copy and paste some piece of text, it will be replaced with the aforementioned characters. Luckily, this malware sample does not work exactly as intended. Truly damaging clipboard hijackers are designed to detect when victims perform crypto-related transactions and substitute the recipient's wallet address with one belonging to the cybercriminals. This way, victims may overlook the replacement and send cryptocurrency to the substituted address. These clipboard manipulations can be stopped by terminating the AutoIt v3 Script (32 bit) process in Windows Task Manager. Unfortunately, the same symptoms may appear again as long as the malicious program is present. This is why it is important to detect and remove it as soon as possible. It is also worth checking whether some other malware got installed along with the clipboard hijacker. Run a full analysis of your system and perform the complete removal of detected threats using our guidelines below.
How to remove MATILAN Ransomware and decrypt .MATILAN files
MATILAN belongs to the category of ransomware infections. It uses strong encryption algorithms to lock privately stored databases. The main target of MATILAN Ransomware is business networks that store important financial, customer, contact, and other types of data that cybercriminals could later abuse to cause reputational damage. Once data encryption occurs, all affected files are renamed with the .MATILAN extension. For instance, a file like 1.pdf will change to 1.pdf.MATILAN and lose its original icon as well. Then, the ransomware creators urge victims to pay the so-called ransom using instructions presented in the RESTORE_FILES_INFO.txt note. It is said that the only way to decrypt files and avoid the public leakage of important data (which will happen within 3 days of inaction) is to collaborate with the cybercriminals. Victims are guided to contact the developers via the anonymous qTox messenger and follow guidelines on how and how much should be paid to revert the ransomware damage. Unfortunately, there is no way to avoid all the possible damage should victims refuse to work with the cybercriminals. Although encrypted files may be recovered if there is a backup stored on another machine, this does not guarantee that the data will not eventually be published.
How to remove WINKILLER Ransomware and decrypt your files
WINKILLER is a disruptive ransomware infection recently reported by MalwareHunterTeam. Instead of encrypting specific types of data, WINKILLER blocks access to the entire computer, making users unable to use it. After successful penetration, the virus starts displaying a console window with instructions on what should be done to restore access. Cybercriminals say that performing a manual shutdown or restart will permanently damage the Master Boot Record (MBR), which is a sector responsible for loading the system. After this, users will no longer be able to load their system and will most likely lose all data stored on the PC. To avoid this and successfully recover the compromised system, the developers demand that victims pay a monetary ransom of 100 Renminbi (about $15). Payment instructions can be obtained by contacting the diskkiller@winkiller.cf e-mail address. Unfortunately, recovering access to the PC might be almost impossible without paying the ransom. The infection leaves limited room for action, as any misstep can lead to irreversible loss of data. Although paying the ransom is usually not recommended, it could be considered in this case to avoid the above-mentioned effects.
How to remove Bozon Ransomware and decrypt .bozon files
Bozon is one of many ransomware infections. This type of malware uses strong encryption algorithms to encipher system-stored data and make victims pay money for its return. To mark the data that is no longer accessible, cybercriminals append the .bozon extension to the end of file names, and the original icons turn blank. After the encryption process is done, the swindlers start extorting money from users. This is done through the FILE RECOVERY.txt text note.
How to remove RED TEAM Ransomware and decrypt .REDTM files
RED TEAM is a ransomware infection tightly connected with the Babuk malware group. The virus operates like many other file-encryptors - by enciphering data with military-grade algorithms and modifying the names of encrypted files. For instance, a file named 1.pdf will most likely change to 1.pdf.REDTM and reset its original icon to blank. The .REDTM extension is only used to change the appearance of all encrypted data in the way shown above. Once file encryption is finished, RED TEAM Ransomware creates a text file named HowToDecryptYourFiles.txt to guide victims through the recovery terms.
How to remove Unlocker Ransomware and decrypt .lock files
Unlocker is a ransomware infection capable of encrypting system-stored data. Victims infected with this ransomware variant will also see a visual change in encrypted files according to this pattern: .[e-mail of cybercriminals].[personal ID].lock. For instance, a file named 1.pdf will change to something like 1.pdf.[unlocker@onionmail.org].[5MKlY].lock and reset its original icon. Unlocker Ransomware may look similar to another file-encryptor called Unlock, which assigns the .unlock extension instead. Despite this, they are still different ransomware infections and should not be lumped together. Once file encryption comes to a close, the virus creates a text file named either README_WARNING.TXT or ALL_YOUR_FILES_ARE_ENCRYPTED.TXT. This depends on which version of Unlocker Ransomware penetrated your system. Both ransom notes are almost identical, with some minor differences.
How to remove DeezNuts Crypter Ransomware and decrypt .deeznuts-crypter files
DeezNuts Crypter is a type of virus usually categorized as ransomware. It uses the .deeznuts-crypter extension to rename successfully encrypted data. For instance, a file named 1.pdf will change to 1.deeznuts-crypter.pdf, becoming no longer accessible. While this is incredibly rare for ransomware attacks, files affected by DeezNuts Crypter can in fact be decrypted for free. Cybercriminals demand literally zero Bitcoin to buy a special decryption key. The key is already publicly known and it is 123. Victims simply have to enter these digits into the pop-up window that opens automatically after their data ends up encrypted.