How to remove Acepy Ransomware and decrypt .acepy files
If you are no longer able to access your files and see them appear like this: 1.pdf.acepy, then you are most likely infected with Acepy Ransomware. It is an encryption virus designed to render files inaccessible and blackmail victims into paying a so-called ransom. The infection does so through a ransom note (ACEPY_README.txt) created after successfully encrypting the targeted data. It also force-opens a Command Prompt window with information identical to the text file mentioned above. The notes briefly describe how to recover blocked files. Victims have to contact Acepy developers through the AcepyRansom@protonmail.com e-mail address and purchase special decryption software for the price announced after establishing communication with them. While there is no definite information on how much the swindlers demand, meeting their demands is strongly discouraged. This is because of cybercriminals' tendency to fool their victims and not send any promised decryption tools afterwards. Despite this, the initial virus developers might be the only figures able to fully decrypt your data. Using third-party decryption tools in an attempt to avoid paying the ransom often fails to produce the expected results.
How to remove Cerberus banking trojan (Android)
Discovered in 2019, Cerberus is a malicious program categorized as a banking trojan that has been targeting Android users. This application is disguised as Adobe Flash Player Updater and gets downloaded as an .apk file. Like executable files, .apk files are meant to initiate the installation of applications. While users think that it will update the promised software, they inadvertently get infected with a malicious program without consent. Thereafter, cybercriminals can control your device by connecting it to a botnet and having it receive commands from a Command & Control (C2) server. Once extortionists establish contact with your device, they can easily operate it by sending commands remotely. This means that swindlers are able to see and gather sensitive data and credentials, change settings, and perform other manipulations that expose your activity to third parties. Note that social network and bank accounts can be hacked and hijacked for scams and revenue purposes. If you suspect Cerberus has infected your device, you should perform an immediate scan and delete it as soon as possible. We discuss how to do this in more detail in the article below.
How to remove RedLine Stealer malware
RedLine Stealer is a malicious piece of software that targets computer users in order to steal important data. The virus is publicly available on hacker forums for the price of $150-200. It is therefore installed on unprotected systems to collect sensitive information like passwords, logins, banking-related details, and other types of data used to access various accounts in social media, banking apps, or cryptocurrency wallets. The list of targeted crypto-wallets includes AtomicWallet, Armory, BitcoinCore, Ethereum, DashCore, Electrum, Bytecoin, Zcash, Jaxx, Exodus, LitecoinCore, and Monero. It was also spotted disabling VPN clients like ProtonVPN, OpenVPN, and NordVPN - presumably to ease the data collection process. In general, RedLine Stealer is designed to capitalize on the gathered data. Cybercriminals may therefore misuse valuable information to generate profits and cause reputational damage. It is also possible that this virus delivers additional malware like trojans or high-risk infections such as ransomware (file-encryptors). Thus, if you suspect RedLine Stealer has attacked your system, immediately use our tutorial below to remove the infection and restore a safe computer experience.
How to remove Quantum Ransomware and decrypt .quantum files
Quantum is the name of a ransomware infection. It was purposefully developed to encrypt system-stored data and blackmail victims into paying money for its return. The virus uses military-grade algorithms to restrict users from accessing their own files. It also appends the .quantum extension to highlight access-blocked data. For instance, a file named 1.pdf will change to 1.pdf.quantum and drop its original icon. After this, Quantum Ransomware creates an HTML file called README_TO_DECRYPT.html. The file is meant to show instructions on returning the data.
How to remove Pandora Ransomware and decrypt .pandora files
Pandora is a ransomware infection previously known under the name of Rook Ransomware. The virus uses the RSA-2048 algorithm to encrypt system-stored data and demand money for its decryption. In order to show that access to files has been restricted, cybercriminals assign the .pandora extension to each affected sample. For instance, a file named 1.pdf will change to 1.pdf.pandora and reset its original icon. Following this, the ransomware creates a text file (Restore_My_Files.txt) with instructions on how to recover the data. It says victims should contact developers (via contact@pandoraxyz.xyz) and pay for special decryption software. The price depends on how fast you write, as cybercriminals say. In case of refusal to buy the decryption, the fraudsters behind Pandora Ransomware warn they will publish collected data on dark web markets. Victims can view what data has been collected in TOR Browser via a link provided in the note. While contacting cybercriminals, victims are also allowed to attach 3 encrypted files before paying the ransom. Pandora developers promise they will decrypt them for free to prove the capabilities of their decoder. The ransom note concludes with warnings against trying third-party means of decryption, as it may cause permanent damage to data. In general, decrypting files without the initial developers is indeed almost impossible.
How to remove TargetCompany Ransomware and decrypt .devicZz, .consultransom, or .avast files
TargetCompany is a new ransomware virus that made its presence known in January 2022. During system infection, the virus terminates a lot of essential Windows processes to prepare the ground for easier encryption of data. The research team made an analysis and concluded that TargetCompany Ransomware uses a combination of Chacha20 and AES-128 algorithms to apply strong encryption to the stored data. It also appends one of 3 different file extensions to each encrypted sample - .devicZz, .consultransom, or .avast. This means a file named 1.pdf can change to 1.pdf.devicZz, 1.pdf.consultransom, or 1.pdf.avast depending on individual cases. TargetCompany also populates each encrypted folder with a text note called RECOVERY INFORMATION.txt (How to decrypt files.txt for previous versions). A copy of the ransom note is also placed at the path C:\HOW TO RECOVER !!.TXT. As said in the note, users should buy a special decryption tool to return their data. To do this, victims are asked to send their personal ID to one of the e-mail addresses (recohelper@cock.li or mallox@tutanota.com). Victims are also allowed to send a couple of files for free test decryption. After this, cybercriminals promise to announce the price for the entire decryption and provide instructions on how to buy the decoder. As a rule, files affected by ransomware infections are almost impossible to decrypt for free without the help of cybercriminals.
How to remove Anime Ransomware and decrypt .anime files
Anime is the name of a cryptovirus. It is designed to render system-stored data inaccessible and no longer usable. Users infected with the ransomware can see the result of the encryption process by looking at the restricted files - all of them end up changed with the .anime extension. For instance, a file like 1.pdf will be altered to 1.pdf.anime and reset its original icon as well. After finishing encryption, the virus drops ransom instructions on how to recover the data. They can be found inside a text file called I_LOVE_ANIME.txt. As stated in the note, victims have 2 days to contact cybercriminals at zdarovachel@gmx.at and pay for the decryption of files. Should victims fail to meet the allocated deadline, all the encrypted data will be published on dark web resources for future abuse. In addition, ransomware developers also advise against modifying the files or trying to decrypt them without cybercriminals. At the moment of writing this article, there is no guaranteed way to decrypt data for free without the help of the initial developers.
How to remove Kashima Ransomware and decrypt .KASHIMA files
Kashima (KashimaWare) is a ransomware program - the type of malicious software designed to encrypt data and demand money for its return. Unlike other infections of this kind, the virus targets specific and quite unusual file formats - .config, .cfg, .js, .NOOB, .lua, .lw, and .tryme. It then appends the .KASHIMA extension to them. For instance, a file like 1.js will change to 1.js.KASHIMA, 1.cfg to 1.cfg.KASHIMA, and so forth with other affected data. As soon as this process is done, Kashima displays a pop-up message (KashimaWare WARNING!) across the whole screen.
























