Viruses

Tisc is one of many ransomware versions issued by the STOP/Djvu family. Just like older versions, Tisc Ransomware encrypts PC-stored data and demands crypto ransom for unique decryption software that will unlock this data. Most often, malware like Tisc will scout through the available files and block access to the most valuable ones. The list of such usually consists of images, music, videos, and documents containing important information. After locating these files, the file-encryptor will write strong cryptographic algorithms over the targeted files to prevent users from manually approaching their decryption. Victims infected with this ransomware version will see their data changed with the .tisc extension. This means a compromised file like 1.pdf will change to something like 1.pdf.tisc. Then, Tisc developers set up their virus to create the _readme.txt file that features decryption guidelines.

Gyjeb is a ransomware virus that runs data encryption to extort money from victims. It looks very similar to Keq4p Ransomware, which means they are likely to come from the same malware family. Just like Keq4p, Gyjeb Ransomware assigns a random string of senseless symbols along with its own .gyjeb extension. To illustrate, a file like "1.pdf" will change its look to something like 1.pdf.wKkIx8yQ03RCwLLXT41R9CxyHdGsu_T02yFnRHcpcLj_xxr1h8pEl480.gyjeb and reset its original icon. After all files end up edited this way, the virus creates a text note called nTLA_HOW_TO_DECRYPT.txt which entails decryption instructions. You can familiarize yourself with this note in the screenshot below.

Keq4p is a ransomware infection that encrypts personal data using cryptographic algorithms. These algorithms ensure strong data protection from attempts to decrypt it. Files attacked by ransomware are usually photos, videos, music, documents, and other types of data that could entail some value. Most file-encryptors change all the affected files by assigning their own extension. Keq4p does exactly the same, but also attaches a random string of symbols. For instance, a file like 1.pdf will change to something like 1.pdfT112tM5obZYOoP4QFkev4kSFA1OPjfHsqNza12hxEMj_uCNVPRWni8s0.keq4p or similar. The assigned string is totally random and has no real purpose. Along with visual changes, Keq4p closes its encryption process with the creation of zB6F_HOW_TO_DECRYPT.txt, a text file containing ransom instructions. You can take a closer look at what it contains in the following screenshot.

If you wonder why you are unable to access your data, then this could be because Baseus Ransomware or Harmagedon Ransomware attacked your system. This file-encryptors belong to the Makop ransomware group, which has produced a number of similar infections including Mammon, Tomas, Oled, and more. Whilst encrypting all valuable data stored on a PC, this versions of Makop assigns victims' unique ID, cyber criminals' email address, and the new .baseus or .harmagedon extensions to highlight the blocked files. For instance, 1.pdf, which was previously safe, will change its name to something like 1.pdf.[7C94BE12].[baseus0906@goat.si].baseus or 1.pdf.[7C94BE12].[harmagedon0707@airmail.cc].harmagedon at the end of encryption. Soon after all files end up successfully renamed, the virus goes forward and creates a text file (readme-warning.txt) with ransom instructions.

Hydra is a ransomware infection that makes users' data inaccessible by running thorough encryption. Besides being unable to access the data, users may spot some visual changes as well. Hydra assigns a new string of symbols containing cyber criminals' email addresses, randomly generated ID assigned to each victim, and the .HYDRA extension at the end. To illustrate, a file like 1.pdf will change its look to [HydaHelp1@tutanota.com][ID=C279F237]1.pdf.HYDRA and reset the original icon to blank. As soon as all files end up encrypted, the virus promotes ransom instructions to guide victims through the recovery process. This can be found inside of #FILESENCRYPTED.txt text note, which is created after encryption. Hydra developers say victims can restore their files by writing to the attached e-mail address (HydaHelp1@tutanota.com or HydraHelp1@protonmail.com). After this, cybercriminals should give further instructions to purchase the decryption of files.

Rigd Ransomware (belongs to the family of STOP Ransomware or Djvu Ransomware) is high-risk file-encrypting virus, that affects Windows systems. In September 2021, the new generation of this malware started encoding files using .rigd extensions. Virus targets important and valuable file types such as photos, documents, videos, archives, encrypted files become unusable. Ransomware puts _readme.txt file, that is called "ransom note" or "ransom-demanding note" on the desktop and in the folders with encrypted files. Developers use following e-mails for contact: manager@mailtemp.ch and managerhelper@airmail.cc. Hackers demand $980 for the decryption of your files (the message states, that victims will get a 50% discount if they'll contact cybercriminals within 72 hours after the encryption). According to many reports, malefactors often don't reply to victims, when they receive ransom payment. We strongly do not recommend paying any money. Files encrypted by some versions of Rigd Ransomware can be decrypted with help of STOP Djvu Decryptor.