Viruses

Being developed by the Phobos Ransomware family, Acuff puts up a strong lock on victims' data by running encryption with cryptographic algorithms. This, therefore, restricts any attempts to recover data completely. After the attack has been committed, you may see your files change to something like this 1.mp4.id[C279F237-2275].[unlockfiles2021@cock.li].Acuff, which is a testament that your files have been infected. Acuff Ransomware uses the victim's ID, cybercriminals' email, and .Acuff extension to highlight the encrypted data. In order to help users restore their data, extortionists offer to walk your way through the note listing decryption instructions. The information can be found in two files called info.hta and info.txt that are created after encryption. The first step on the path of decryption is to contact cyber criminals via an e-mail address attaching your personally-generated ID (unlockfiles2021@cock.li or decryfiles2021@tutanota.com). After that, swindlers will respond back with details on how to buy decryption software. Before doing so, you are also offered to send up to 5 files (less than 4MB and non-archived) for free decryption. Despite this activity may seem trustworthy, we recommend you against meeting any requirements set by developers of malware. It would be a risk to pay a large amount of money for the sake of file recovery.

Recently, experts have observed the epidemic of the virus Vvoa Ransomware (also known as STOP Ransomware or Djvu Ransomware). It is encryption virus, that uses strong AES-256 encryption algorithm to encrypt user files and makes them unavailable for the uses without decryption key. Latest versions of this pest add .vvoa extensions to affected files. Vvoa Ransomware creates special text file, that is called "ransom note" and named _readme.txt. In this text file, malefactors provide contact details, overall information about encryption and options for decryption. Virus copies it on the desktop and in the folders with encrypted files. Malefactors can be contacted via e-mails: helpmanager@mail.ch and restoremanager@airmail.cc. Using anonymous TOR servers and cryptocurrency to receive ransom payments makes hackers almost invulnerable, however, due to their own mistakes they get caught from time to time. The price of decryption of this ransomware is set to $980, but it can be reduced by half if paid within 72 hours. This is done to increase the conversion of users, who are ready to pay for the return of their files. Cybercriminals can even decrypt one file for free, to prove to you, that they will send decryptor and it will work. We strongly advise not to pay any money to them, as there is no guarantee that such dubious personalities will keep promises. Mention also, that there is a special utility called STOP Djvu Decryptor, that can decrypt (or will be able to decrypt in nearest future) files encrypted by Vvoa Ransomware for free.

Bondy is a ransomware-type infection that targets various kinds of data by running encryption with potent RSA algorithms. It is usually distributed in two versions: first assigns the .bondy extension whilst another uses .connect to encrypt files of victims. Thus, the infected data will appear as 1.mp4.bondy or 1.mp4.connect depending on which version attacked your system. The last and most important part of ransomware activity is creating a text note (HELP_DECRYPT_YOUR_FILES.txt) to explain decryption instructions. It is claimed that your data has been encrypted with RSA, which is an asymmetric cryptographic algorithm requiring a private key to unlock the data. Such a key is stored on the server of cybercriminals. It can be obtained only by paying 500$ in Bitcoin through the wallet attached in the note. Additionally, extortionists offer to decrypt 1 file for free as evidence that they can be trusted. In fact, everything can go the other way - cybercriminals will fool you and not provide any tools to recover your data. Statistics show that this happens to many users who venture to pay a ransom. Since there are no free tools that could unblock your data, the only and best way is recovering files from an external backup, if it was created before the attack.

Agho Ransomware (aliases: Djvu Ransomware, STOP Ransomware) is extremely dangerous file-encrypting virus, that extorts money in exchange for decrypter. Ransomware utilizes a strong AES-256 encryption algorithm and makes files unusable without a decryption master key. Particular malware in this review appends .agho extensions to files. As a result, file example.jpg converts to example.jpg.agho. Agho Ransomware creates a special text file, that is called _readme.txt, where hackers give contact details, overall information about encryption, and options for decryption. Threat places it on the desktop and in the folders with encrypted files. Cyber-criminals can be contacted via e-mail: helpmanager@mail.ch and restoremanager@airmail.cc. All latest versions of STOP Ransomware, including Agho RAnsomware, use typical behavioral patterns. They use anonymous TOR servers and cryptocurrency to receive ransom payments and that prevents police from tracking them. The cost of decryption is $980, but it can be $490 if victims pay within 72 hours. Cybercriminals even offer to decrypt one file for free, as proof, that files can actually be decrypted. In most cases, Agho Ransomware encrypts files of each victim with a unique key, however, sometimes when the computer is not connected to the internet (or lost connection) or the hacker's server is not responding, the malware creates an "offline key". In this situation, a utility called STOP Djvu Decryptor, developed by EmsiSoft may be able to decode your data for free.

Determined by Karsten Hahn, Netflix Login Generator is a malicious program categorized as ransomware. Initially, it is promoted as a tool to create a Netflix account for free, without purchasing a subscription. However, instead of this, the program initiates the setup of ransomware that encrypts personal data (with AES-256 algorithms). It becomes a real surprise for inexperienced users when they see their data locked and no longer accessible. The encrypted data can be clearly seen by the new extension that is assigned to each file. For instance, the original sample like 1.mp4 will get a new look of something like this 1.mp4.se. Then, soon after encryption, the virus drops a note called Instructions.txt changing desktop wallpapers to content included in the generated note. The enclosed information suggests the steps to perform data decryption. To do this, extortionists ask the transaction of 100$ equal to Bitcoin. An interesting and peculiar fact is that Netflix Login Generator can self-terminate if your system is not based on Windows 7 or 10. Whatever the case, if this malware persists in your system, you have to delete it and recover the data using an external copy of files.

CURATOR is another version of ransomware infections that puts up a lock on victims' data demanding a fee for its return. The basic symptom of CURATOR leaving its traces in your system is the appendance of new extensions onto affected files. For example, a file like 1.mp4 will emerge as 1.mp4.CURATOR after interacting with ransomware. To recover your data, extortionists offer to read instructions in the !=HOW_TO_DECRYPT_FILES=!.txt note that is created soon after encryption. According to the provided note, attackers have encrypted your files with strong algorithms (ChaCha+AES), which restrict attempts to restore files on your own. As a result, the only feasible way appears to buy the decryption key stored on the server of cybercriminals. Once you make a decision, extortionists kindly ask you to contact them via e-mail to get further instructions. You can also take advantage of a special offer - send up to 3 files (not more than 5 MB) for free decryption. Although such a move can instill trust in gullible users, we recommend against paying the ransom. There is always a risk of getting money-naked and not receive any of the promised tools for data recovery.