How to remove Hudson Ransomware and decrypt .{victim’s_ID}.hudson files
Discovered by our team of researchers, Hudson Ransomware is a malicious software that encrypts files on infected systems and demands a ransom for their decryption. This ransomware appends filenames with the extension .{victim's_ID}.hudson, rendering files inaccessible without the decryption key provided only upon payment. Victims will typically notice their files, once named something like example.docx, appearing as example.docx.{victim's_ID}.hudson. The encryption methods employed by Hudson Ransomware are highly sophisticated, likely utilizing a combination of asymmetric and symmetric algorithms to ensure that decryption is impossible without the unique private key. Following encryption, Hudson Ransomware leaves a ransom note named README.TXT on the infected device. This file contains instructions on how to recover the encrypted data, typically warning users not to rename files or attempt third-party decryption, as these actions could result in permanent data loss.
How to remove Trojan:Win32/PShellDlr.SF!MTB
Trojan:Win32/PShellDlr.SF!MTB is a sophisticated piece of malware designed to compromise the security of Windows systems. This Trojan works by infiltrating a computer system under the guise of legitimate software, often through malicious downloads or email attachments. Once inside, it can perform a variety of harmful actions, such as modifying system settings, altering the Windows registry, and disabling essential security features. This malicious software not only exposes the system to further threats but also acts as a gateway for additional malware, including spyware, ransomware, and backdoors. Cybercriminals use this Trojan to gather sensitive information, such as login credentials and financial data, to sell on the dark web or exploit for financial gain. The unpredictable nature of its behavior makes it particularly dangerous, as it can adapt its actions based on the system it infects. For users, the presence of this Trojan is a serious security concern that requires immediate attention and removal using reliable anti-malware software.
How to remove Trojan:PowerShell/DownInfo.A
Trojan:PowerShell/DownInfo.A is a sophisticated piece of malware designed to compromise a computer system by exploiting the PowerShell scripting environment. This Trojan is adept at masquerading as a legitimate application or embedding itself within seemingly harmless files, making its detection challenging. Once executed, it can open a backdoor for additional malware, potentially leading to severe security breaches. Its primary objective is to weaken system defenses, alter configurations, and facilitate the download of other malicious components, thus posing a significant threat to personal data and system integrity. The unpredictability of its behavior makes it particularly dangerous, as it can vary its actions based on the instructions received from its operators. Often associated with data theft, ad injection, and unauthorized access, this malware underscores the importance of maintaining up-to-date security measures. Users are strongly advised to employ comprehensive anti-malware solutions and exercise caution when downloading or executing unknown programs to mitigate the risk posed by such threats.
How to remove Hero Ransomware and decrypt .hero77 files
Hero Ransomware is a malicious program that belongs to the Proton ransomware family, designed to encrypt user files and demand ransom for decryption. During an attack, it appends infected files with the extension .hero77, which also includes the attacker's email address. For example, a file named document.docx would be renamed to document.docx.[hero77@cock.li].hero77. This encryption process is sophisticated, as it employs strong cryptographic algorithms that are difficult to break without the decryption key, which is uniquely generated for each victim. Once the encryption is complete, the ransomware displays a ransom note in a text file named #Read-for-recovery.txt, along with altering the desktop wallpaper with instructions to contact the attacker. The note lacks specific details about the encryption or ransom demands, only providing email addresses for contact.
How to remove PayForRepair Ransomware and decrypt .P4R files
PayForRepair Ransomware is a malicious program that is part of the notorious Dharma ransomware family. Designed to encrypt user data and demand a ransom for decryption, it appends a distinct file extension, .P4R, to encrypted files. Additionally, it includes a unique victim ID and the attacker's email address in the filename of each compromised file. For example, an original file named document.docx would be renamed to document.docx.id-[uniqueID].[attacker's email].P4R. By utilizing robust encryption algorithms typical of higher-end ransomware, it ensures that files remain inaccessible without decryption. This malware generates ransom notes in two formats: a pop-up window and a text file named info.txt. The latter is deposited into every affected directory. The instructions inform victims about the encryption and guide them to contact the attackers via email to negotiate file recovery terms. Despite offering to decrypt a few files as proof before payment, the ransom note warns users against altering encrypted files or using third-party decryption tools, citing potential data loss risks.
How to remove Neptune RAT
Neptune RAT is a sophisticated Remote Access Trojan (RAT) designed to give attackers full control over infected devices. Written in the Visual Basic (.NET) programming language, it is a multi-functional malware with capabilities ranging from data theft to ransomware operations. Upon infiltration, Neptune RAT gathers extensive system information, including hardware details, installed software, and network data, all while employing advanced anti-detection techniques to evade security measures. One of its alarming features is the ability to bypass User Account Control (UAC), granting itself administrative privileges to manipulate system settings. This malware is adept at conducting chain infections by executing various PowerShell commands, which can lead to additional malicious software being downloaded and executed. Beyond data exfiltration, Neptune RAT can engage in spyware activities, such as recording audio and video or capturing keystrokes, posing severe privacy risks. Its ransomware functionality encrypts files, appending them with a ".ENC" extension, and demands a Bitcoin ransom for decryption, further demonstrating its potential for causing financial and data loss.
How to remove DarkMystic (BlackBit) Ransomware and decrypt .darkmystic files
DarkMystic (BlackBit) Ransomware is a malicious software within the BlackBit ransomware family, known for encrypting users' data and demanding payment for decryption. Upon infecting a system, it transforms file names by prepending the attackers' email address and a victim-specific ID, then appends them with a .darkmystic extension. For example, a file named image.jpg might be altered to look like [darkmystic@onionmail.com][123456]image.jpg.darkmystic. Employing strong cryptographic algorithms, typically either symmetric or asymmetric encryption, this ransomware renders files inaccessible without a decryption key, which the attackers withhold until a ransom is paid, usually in Bitcoin. Victims are directly informed via a ransom note generated in multiple formats: a pop-up window entitled info.hta and a text file named Restore-My-Files.txt, strategically placed on the desktop and within encrypted folders.
How to remove Jackalock Ransomware and decrypt .jackalock files
Jackalock Ransomware exemplifies a sophisticated type of malware that belongs to the MedusaLocker family, designed to encrypt a user's files with the intent of demanding a ransom for their release. Once it infiltrates a system, it encrypts the files with strong RSA and AES cryptographic algorithms, rendering them inaccessible to victims who lack the decryption key. An observable characteristic of this ransomware is its tendency to append the .jackalock extension to encrypted files, transforming a file such as image.jpg to image.jpg.jackalock. This alteration of the file extension serves as a marker of encryption and prevents users from opening their files ordinarily. Coupled with encryption, Jackalock leaves a digital ransom note, titled READ_NOTE.html, on affected devices. This message serves as a grim notification to victims, informing them that personal or confidential data has been encrypted and exfiltrated, threatening to leak the data unless a ransom is paid. Victims are encouraged to act within 72 hours to avoid an increased ransom fee, with cyber criminals giving a semblance of assurance by offering to decrypt a few non-important files for free.