Viruses

HarpoonLocker is the name of a recent ransomware infection reported by users on malware forums. The virus runs encryption of data with AES-256 and RSA-1024 algorithms making all restricted data cryptographically secure. As a result of this configuration change, users will be no longer able to access their own data stored on infected devices. HarpoonLocker assigns the .locked extension, which is commonly used by many other ransomware infections. This makes it more generic and sometimes hard to differ from other infections like this. It also creates a text note (restore-files.txt) containing ransom instructions. Developers say all data has been encrypted and leaked to their servers. The only way to revert this and get files back safely is to agree on paying the ransom. Victims are instructed to download the qTOX messenger and contact extortionists there. There is also an option to try decryption of 3 blocked files for free. This is a guarantee given by cybercriminals to prove they can be trusted. Unfortunately, there are no other contacts apart from qTOX that victims could use to get into a discussion with cybercriminals. Many cyber researchers joked that HarpoonLocker should also be called Unnamed qTOX Ransomware since there is nobody victims can talk to. For this and many other reasons, it is highly advised against meeting the listed requirements and paying the ransom. Quite often cybercriminals fool their victims and do not send any decryption tools even after receiving the money.

First found and researched by an independent expert named S!R!, NoCry is a ransomware program designed to run data encryption. It is a very popular scheme employed by ransomware developers to extort money from victims upon successful restriction of data. For now, there are two known versions of NoCry differing by extensions assigned to blocked data. It is either .Cry or .IHA extension that will be appended to encrypted files. For instance, 1.pdf will change its look to 1.pdf.Cry or 1.pdf.IHA and reset its shortcut icon to blank after getting affected by malware. Extortionists behind NoCry Ransomware demand payment for returning the data via an HTML file called How To Decrypt My Files.html. It also force-opens a pop-up window that victims can interact with to send the ransom and decrypt their data. The contents of both are identical and inform victims about the same. NoCry gives about 72 hours to send 100$ in BTC to the attached crypto address. If no money will be delivered within the allocated timeline, NoCry will delete your files forever. This is an intimidation strat meant to hurry up victims and pay the demanded ransom quicker.

RansomNow is another file-encryptor virus issued by cybercriminals to extort money from desperate victims. It is very similar to the already-discussed Polaris Ransomware as it runs the same encryption pattern with AES and RSA algorithms. Another similarity shared between these ransomware attacks is that they do not attach any new extension to enciphered data. Despite files do not experience any significant visual changes, users will still be unable to open them up. The virus also creates a text file called README TO UNLOCK FILES.txt that features decryption instructions. Developers say victims can restore the data only by purchasing a special key. The price to be paid equals 0.0044 BTC, which is approximately 250$ at the moment of writing this article. Keep in mind that cryptocurrencies rates always change, so there is a chance you will have to pay more or less even tomorrow. After sending the necessary amount of BTC, users should deliver the proof of the transaction to the attached e-mail address (ransomnow@yandex.ru). In addition to that, crooks list a couple of resources where to buy the required cryptocurrency, if you are new to the crypto world. It is also strongly warned against running manipulations with files yourself or with the help of third-party tools.

Discovered by MalwareHunterTeam, AnarchyGrabber is a type of virus designed for Discord users. It is meant to alter the index.js file inside of the Discord directory (%AppData%\Discord\[version]\modules\discord_desktop_core\) and hijack your data. By changing the inner code of the original file, it allows cybercriminals to upload malicious JavaScript files. This file should contain just one line: module.exports = require('./core.asar');. Everything else is from a trojan. To get rid of the malware, uninstall Discord, then check for the %AppData%\Roaming\discord directory (if it exists, delete it), and then reinstall the client. If this does not help, read the full guide below. Thus, when users log in to their Discord account, extortionists receive access to your contacts, account, servers, messages, and other discord-based content. Oftentimes, it is hard to detect AnarchyGrabber since it hides its activity behind Discord files which get ignored by anti-malware software. If you are unable to remove it manually, we will aid you in doing so below.

Decaf is categorized as a ransomware program designed to blackmail victims into paying money for the recovery of blocked data. Its first attacks were registered at the beginning of November 2021 and continue taking place across multiple users. The virus employs its own extension called .decaf which is assigned during encryption. An example of how encrypted files would like after encryption is this "1.pdf.decaf". It is impossible to blink the infection because all files lose their accessibility and icons as well. Upon successful installation of cryptographic ciphers, Decaf creates a text note named README.txt that contains info on how to recover your data. Cybercriminals say all server and PC data has been encrypted with strong algorithms preventing any third-party decryption. The only possible way to restore access to the entire data is to use a special "universal" decryptor stored by the extortionists. To learn further instructions regarding decryption, victims should write to the attached e-mail address (22eb687475f2c5ca30b@protonmail.com). From there, will be likely informed about the price of decryption software and ways to obtain it. As a rule, cybercrooks request their victims to send varying amounts of money in some cryptocurrency to their wallets. The range can fluctuate from hundreds to thousands of dollars for the restoration of data.

Polaris is a ransomware program that uses a combination of AES and RSA algorithms to encrypt users' data. Unlike other infections of this type, Polaris does not add any extension to the encrypted files. The only thing that changes is accessibility to files - victims are no longer eligible to open the stored data. In order to solve this, Polaris developers encourage their victims to read recovery instructions in a file called WARNING.txt. The text note creates at the end of encryption and says you should contact extortionists using e-mail communication (pol.aris@opentrash.com or pol.aris@tutanota.com). There is also an option to add cybercriminals on Discord instead. Whilst writing a message, victims should state the name of the company that got under attack. This is a clue that Polaris targets business networks so they could afford to pay the required ransom. The most common advice you may see on the web regarding ransom payments is to avoid them as much. This is true because many cybercriminals tend to fool their victims and not send any decryption tools eventually.

Also known as Geodo, Emotet is labeled as a banking trojan that was detected to infiltrate Windows systems. It was first researched by cyber experts in 2014 as a virus designed to steal sensitive information from users. The time development went on, Emotet experienced a couple of feature changes. For instance, apart from running surveillance over the data, it acquired the feature of injecting additional malware and other banking trojans to infected machines. Emotet forces its victims to undergo massive privacy issues and deterioration in system performance. Because such malware has to run a lot of non-native processes and send collected data to external servers, it is forced to eat a lot of system resources as well. This is why your PC performance can be affected so much leading to freezes, lags, and various other problems making normal usage simply impossible. Emotet has done a lot of attacks which made Department of Homeland Security write it on the list of the most damaging and costly malware for governments, organizations, and individuals ever existed.

If you found your files have new .hamster extension and no longer accessible, then you are infected with a virus called Hamster Ransomware. Infections of this type hack your PC settings to run through encryption of data. They also apply some visual changes to make victims spot the result of infection. After successful encryption, you will see a file like 1.pdf change to 1.pdf.hamster and reset its default icon to blank. The virus will also create a text note called How To decrypt.txt. As stated in the note, Hamster Ransomware penetrated your network and blocked access to most of the data. In order to get it back, victims are instructed to contact cyber criminals with their assigned ID and purchase the tool for decryption. It is important that victims reach out to malware developers using TOX messenger, which should be installed in case of absence. The frauds also advise you to contact them within 72 hours since the attack. This way, the price for complete data recovery will be reduced. It is also mentioned the attackers will tell how they infiltrated your system and what can be done to fix the existing vulnerability in the future.