
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove CURATOR Ransomware and decrypt .CURATOR files

CURATOR is another ransomware infection that locks victims' data and demands a fee for its return. The basic symptom of a CURATOR infection is a new extension appended to affected files. For example, a file like 1.mp4 becomes 1.mp4.CURATOR after it is encrypted. To recover the data, the extortionists direct victims to the instructions in the !=HOW_TO_DECRYPT_FILES=!.txt note, which is created soon after encryption. According to the note, the attackers have encrypted the files with strong algorithms (ChaCha+AES), which prevents attempts to restore them on your own. As a result, the only feasible way appears to be buying the decryption key stored on the cybercriminals' server. Victims are asked to contact the extortionists via e-mail to get further instructions. The note also makes a special offer: send up to 3 files (not more than 5 MB) for free decryption. Although such a move can instill trust in gullible users, we recommend against paying the ransom. There is always a risk of losing your money and not receiving any of the promised tools for data recovery.

How to remove Dharma-BLM Ransomware and decrypt .[blacklivesmatter@qq.com].blm files

Being part of the Dharma family, Dharma-BLM is a malicious program that pursues financial gain by encrypting personal data. It appends a string consisting of a unique ID, the cybercriminals' e-mail address, and the .blm extension to the end of each file name. Here is an example of what an infected file looks like: 1.mp4.id-C279F237.[blacklivesmatter@qq.com].blm. When the encryption process is done, the virus moves on to the next step and creates a text note (FILES ENCRYPTED.txt) containing ransom instructions. The message states that all data has been successfully encrypted and demands action within 24 hours: contact the cybercriminals via e-mail and receive payment details to buy the decryption tools. Victims are also warned that any manipulation of the files, such as renaming them, will lead to permanent loss. Additionally, the developers offer to decrypt one file for free, a trick used by many ransomware creators to instill trust in gullible users and close the deal. Unfortunately, more often than not, attempts to decrypt the data without the developers' involvement are fruitless, unless the ransomware contains bugs or flaws that allow third-party tools to break the cipher.

How to remove BitRansomware and decrypt .readme files

BitRansomware is a file-encrypting virus meant to block a user's data and keep it locked until a ransom is paid. Such malware earns a lot of money from inexperienced users who are left with no choice but to pay a fee because their data is encrypted with unbreakable ciphers. Imagine all of your personal data becoming inaccessible: this is what BitRansomware does. It appends the new .readme extension to each file to distinguish encrypted files from the originals. A sample of encrypted data looks like this: 1.mp4.readme. After this process, the extortionists display a text note called Read_Me.txt explaining the decryption process. It says that all important files have been successfully encrypted and that the only way to achieve full decryption is to pay a fee through a Tor link attached in the note. Usually this is true, because files can otherwise be decrypted only if the ransomware contains flaws or bugs overlooked by its developers. Whatever the case, we do not recommend paying the ransom, because trusting extortionists is risky.

How to remove LockDown Ransomware and decrypt .LockDown files

LockDown is file-encrypting software created to make money from unprotected users. The virus uses AES+RSA algorithms to apply strong encryption to stored data and appends the .LockDown extension. Many kinds of data will be renamed according to this example: 1.mp4.LockDown. After the encryption is done, LockDown creates a text note (HELP_DECRYPT YOUR FILES) containing ransom instructions. Users are told that only a private key held by the cybercriminals can lead to successful data decryption. To obtain it, victims have to send approximately $460 worth of Bitcoin to the attached wallet. Although the extortionists ostensibly prove their integrity by allowing users to decrypt 1 file for free, we still advise against paying the ransom, because there is a risk that the swindlers will not provide the recovery tools in the end. For now, there are no official tools that could guarantee 100% file decryption.

How to remove Yatron Ransomware and decrypt .Yatron or .Down_With_Usa files

Using a mix of AES and RSA algorithms, Yatron Ransomware encrypts a user's data and demands that victims pay a ransom. It is known to be advertised on Twitter as "Ransomware-as-a-Service". Many file types can be affected by this ransomware once it gets onto a system. Almost all files stored on your PC will be given either the .Yatron or the .Down_With_Usa extension. Here are samples of infected files: 1.mp4.Yatron and 1.mp4.Down_With_Usa. Once the encryption process is done, the virus drops a text note (Read@My.txt) in each folder and force-opens a pop-up window with ransom instructions. The content explains that your data has been encrypted and that the only way to reverse this is to pay $300 in BTC to the attached address. The required amount can vary depending on which version attacked your system. Additionally, the window shows a clock saying that you have 3 days to make the payment; otherwise, your data will be removed completely. Although manual decryption is usually impossible, you should not trust the cybercriminals and follow their steps. The danger is that there is no guarantee they will fulfill their promises and provide the necessary tools for data recovery.

How to remove Erica Encoder Ransomware and decrypt your files

Erica Encoder is a ransomware infection that uses AES algorithms to encrypt a user's data. All files touched by the virus have their names changed to a randomly generated string of symbols. As an example, the original 1.mp4 will lose its initial name and appear as something like R29vZ24lIENocm9tZS5s3ms9.qgazlb. Once all files have been encrypted, Erica Encoder creates a ransom note called HOW TO RESTORE ENCRYPTED FILES.TXT that is supposed to explain how to restore your data.

How to remove Encrp Ransomware and decrypt .encrp files

Encrp is another severe infection that encrypts personal data and demands that victims pay a ransom. It was discovered by Jirehlov Solace, who categorized it as ransomware. Analysis showed that Encrp encrypts stored data and appends the .encrp extension, so after encryption all files look like this: 1.mp4.encrp. The process does not end there: users are then presented with a text note (__READ_ME_TO_RECOVER_YOUR_FILES.txt) that contains information on decryption. It says that victims should send approximately $200 in BTC to the cybercriminals' account. The final step is to send an e-mail message including the transfer and computer IDs. If everything works out, you will be given the necessary tools to decrypt your files. Otherwise, there is a chance that the swindlers will ignore their promises and leave you with nothing but disappointment.

How to remove Ragnarok Ransomware and decrypt .thor or .ragnarok_cry files

Ragnarok is a ransomware infection discovered by Karsten Hahn. The consequences of this attack are similar to those of other threats of this type: stored data is encrypted and given a new extension. The developers of Ragnarok Ransomware may have other versions of the virus; this case, however, involves the .thor or .ragnarok_cry extensions. No additional symbols are included, so you will simply see a file with the malicious extension at the end (1.mp4.ragnarok_cry). Once the encryption process is complete, users receive a note with decryption steps called How_To_Decrypt_My_Files.txt (alternatively, !!Read_me_How_To_Recover_My_Files.html). The note states that encrypted files can be unlocked only with a special tool, which is held by the cybercriminals. To get it, people have to contact the swindlers and send the required fee in BTC to their address. You can also provide a file (less than 3Mb) for free decryption. This way, the extortionists are allegedly proving that they can be trusted. In reality, they can dump you and ignore the fact that you have paid for the recovery. Deleting Ragnarok Ransomware will not decrypt your files, but it is important to do so to prevent further encryption of data.