
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Ppvw Ransomware and decrypt .ppvw files

Ppvw Ransomware is a file-encrypting malware infection that restricts access to data such as documents, images, and videos by encrypting files and appending the .ppvw extension. It is a variant of the notorious STOP/DJVU ransomware family. The ransomware attempts to extort money from victims by asking for a "ransom", typically in the form of Bitcoin cryptocurrency, in exchange for access to the data. When Ppvw Ransomware infects a computer, it scans for images, videos, and important productivity documents and files such as .doc, .docx, .xls, and .pdf. When these files are detected, the ransomware encrypts them. Once Ppvw Ransomware has encrypted the files on a computer, it displays a ransom note named _readme.txt on the desktop. The note contains instructions on how to contact the authors of the ransomware, typically via email addresses such as support@freshmail.top and datarestorehelp@airmail.cc.

How to remove GoPIX malware

GoPIX is malicious software specifically engineered to compromise the Pix instant payment platform. It functions as a clipper, redirecting transactions conducted through the Pix platform, and it also operates as a conventional clipper, extending its scope to cryptocurrency transactions. GoPIX has been in circulation since at least December 2022. Because Pix is a payment platform established and overseen by the Central Bank of Brazil (BCB), its user base predominantly comprises Brazilian citizens; consequently, GoPIX's activity is primarily confined to Brazil. The GoPIX malware is a typical clipboard stealer: it intercepts the Pix "transaction" strings used to identify payment requests and replaces them with a malicious, attacker-controlled one retrieved from the C2. The malware also supports substituting Bitcoin and Ethereum wallet addresses; however, these are hardcoded in the malware rather than retrieved from the C2. GoPIX can also receive C2 commands, but these relate only to removing the malware from the machine.

How to remove Ppvs Ransomware and decrypt .ppvs files

Ppvs is a file-encrypting ransomware infection that restricts access to data (documents, images, videos) by encrypting files and appending the .ppvs extension. It is a variant of the notorious STOP/DJVU ransomware family. The ransomware attempts to extort money from victims by asking for a "ransom", typically in the form of Bitcoin cryptocurrency, in exchange for access to the data. Upon infection, Ppvs Ransomware scans the computer for images, videos, and important productivity documents and files such as .doc, .docx, .xls, and .pdf. Ppvs Ransomware uses a sophisticated encryption scheme that requires a combination of a decryption key and a recovery program to decrypt the files. Once Ppvs Ransomware has encrypted the files on your computer, it displays a _readme.txt file that contains the ransom note and instructions on how to contact the authors of the ransomware. The ransom note is typically dropped on the desktop of the infected computer.

How to remove StripedFly malware

StripedFly is a highly sophisticated, cross-platform malware platform that has infected over a million Windows and Linux systems over a span of five years. It was initially misclassified as a Monero cryptocurrency miner, but further investigation revealed its true nature as an advanced persistent threat (APT) malware. StripedFly is a modular framework that can target both Windows and Linux systems. It has a built-in Tor network tunnel for communication with its command-and-control (C&C) server and uses trusted services like Bitbucket, GitLab, and GitHub for update and delivery mechanisms. The malware operates as a monolithic binary executable with pluggable modules, giving it operational versatility often associated with APT operations. These modules include configuration storage, upgrade/uninstall, reverse proxy, miscellaneous command handler, credential harvester, repeatable tasks, recon module, SSH infector, SMBv1 infector, and a Monero mining module. The presence of the Monero crypto miner is considered a diversion attempt, with the primary objectives of the threat actors being data theft and system exploitation facilitated by the other modules.

How to remove Jarjets Ransomware and decrypt .Jarjets files

Jarjets is a type of ransomware, malicious software designed to block access to a computer system or its files until a sum of money is paid. It was discovered during a routine investigation of new file submissions to the VirusTotal site. Once the Jarjets ransomware infects a system, it encrypts files and changes their filenames by appending a .Jarjets extension to the original names. For example, a file named 1.jpg would appear as 1.jpg.Jarjets, 2.png as 2.png.Jarjets, and so on. The specific encryption algorithm used by Jarjets has not been identified, but ransomware typically uses complex encryption methods, often a combination of symmetric and asymmetric encryption. After the encryption process is completed, Jarjets ransomware creates a ransom note titled Jarjets_ReadMe.txt. This text file informs the victim that their files have been encrypted and urges them to contact the cyber criminals.

How to remove BlackDream Ransomware and decrypt .BlackDream files

BlackDream Ransomware is a type of malware that encrypts data on a victim's computer and demands payment for its decryption. It was discovered by researchers while investigating new malware submissions to VirusTotal. The ransomware appends a unique ID, the cybercriminals' email address, and the .BlackDream extension to the filenames of encrypted files. For example, a file initially named 1.jpg would appear as 1.jpg.[G7H9L6ZA].[Blackdream01@zohomail.eu].BlackDream. After the encryption process is completed, a ransom note titled ReadME-Decrypt.txt is dropped. The file encryption method used by BlackDream ransomware is unspecified. The note reassures the victim that their files have not been damaged, only encrypted. It warns that seeking recovery help from anyone other than the attackers (i.e., using third-party tools or services) may render the data undecryptable. The note implies that decryption will require paying a ransom in Bitcoin cryptocurrency, although the exact sum is not specified.

How to remove Lumar Stealer

Lumar Stealer is a lightweight stealer-type malware written in the C programming language. It is designed to steal information such as Internet cookies, stored passwords, and cryptocurrency wallets. Lumar was first noted being promoted on hacker forums in July 2023. The malware infiltrates systems and begins gathering device data such as the device name, CPU, RAM, and keyboard layout. It primarily targets information stored in browsers, extracting Internet cookies and login credentials (usernames, IDs, email addresses, passwords, passphrases, etc.). It also targets Telegram Messenger sessions and collects information related to cryptocurrency wallets. Lumar has grabber capabilities, meaning it can download files from victims' desktops; formats of interest include DOC, TXT, XLS, RDP, and JPG. If you suspect that your computer is infected with Lumar Stealer, it is strongly advised to use dependable antivirus software to perform regular system scans and to remove detected threats and issues.

How to remove Zput Ransomware and decrypt .zput files

Zput is a type of ransomware that belongs to the Djvu ransomware family. It is a malicious program designed to encrypt files and demand ransoms for their decryption. The Zput ransomware targets various types of files, such as videos, photos, documents, and more. It alters the file contents and appends the .zput extension to each file, making them inaccessible and unusable without decryption. For example, a file initially named 1.jpg appears as 1.jpg.zput, 2.png as 2.png.zput, and so forth. Zput Ransomware uses the Salsa20 encryption algorithm to scramble the contents of the targeted files. This robust cipher makes it very difficult, if not impossible, to recover the decryption key without cooperating with the attackers. After encrypting the files, Zput ransomware drops a ransom note titled _readme.txt. This note informs the victim that their data has been encrypted and that recovering the locked files requires meeting the attackers' demands: paying a ransom to obtain the decryption key and software.