Viruses

Weui Ransomware (subtype of STOP Ransomware) continues its malicious activity in December, 2020, and now adding .weui extensions to encrypted files. The malware aims most important and valuable files: photos, documents, databases, videos, archives and encrypts them using AES-256 algorithms. Encrypted files become unusable and cybercriminals start extorting ransom. If the hacker server is unavailable (the PC is not connected to the Internet, the server itself does not work), then the encrypter uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Weui Ransomware creates _readme.txt file, that is called "ransom note", on the desktop and in the folders with encrypted files. Developers use following e-mails for contact: helpmanager@mail.ch and restoremanager@airmail.cc. Hackers demand $980 for the decryption of your files (the message states, that victims will get a 50% discount if they'll contact cyber criminals within 72 hours after the encryption). According to many reports, malefactors often don't reply to victims, when they receive ransom payment. We strongly do not recommend paying any money. Files encrypted by some versions of Weui Ransomware can be decrypted with help of STOP Djvu Decryptor. Dr.Web specialists decrypted files encrypted with some variants of Weui Ransomware in private.

FileEngineering is an example of ransomware-infection configuring files of victims to restrict access to them. Most of the time, users do not spot malware coming into the systems. Once upon a time, they end up seeing their data changed and locked from regular access. FileEngineering does it this way - by assigning victims' ID, cybercriminal's e-mail address, and .encrypted extension at the of the files. There are two versions of FileEngineering being spread around the web. The only difference is in using different e-mail addresses to contact swindlers. For example, you may see your data appear as 1.mp4.id=[BE38B416] Email=[FileEngineering@mailfence.com].encrypted or id=[654995FE] Email=[FileEngineering@rape.lol].encrypted depending on which version affected your PC. Then, the next step of FileEngineering's activity is creating a note called Get your files back!.txt that contains information regarding decryption. Inside of it, the information is addressed by a so-called security engineer. He says that you should contact him via e-mail and pay some amount of Bitcoin. Then, he will return your files decrypted and give some tips on improving your safety. Before that, you are also allowed to send a small file to prove he can unlock your data. Trusting cybercriminals is always a huge risk, so it is up to you whether you want it or not. If files are not of big value to you, you can simply delete FileEngineering and continue using your PC.

Sun or SunCrypt is classified as cryptovirus attacking systems to encrypt personal data. It started its journey in October 2019 and continues its presence infecting users until these days. The moment SunCrypt can be spotted in your PC is when it changes your files by adding the .sun extension. It was also heard about another version of SunCrypt which applies a string of random symbols instead of extensions. A change to something like this 1.mp4.sun or 1.mp4.G4D3519X58293C283957013M35DC8A2V0748D9845E7A5DBD6590E3F834C4638 means you are no longer allowed to access your data. To recover it back, SunCrypt creates a text notes (DECRYPT_INFORMATION.html or YOUR_FILES_ARE_ENCRYPTED.HTML) that contain ransom instructions. Although SunCrypt is mainly oriented towards English-speaking users, you have a possibility to switch between German, French, and Spanish as well. This by far increases the traffic of victims allowing developers to extend their business. As stated in the note, victims have to install the Tor browser and click on the "Go to our website" to purchase the decryption software. The required fee may vary based on the individual case, however, no matter how low or high it is, we recommend against going for such a risk.

Dharma-259 is a ransomware-type infection belonging to the Dharma family. This group of developers has brought the biggest impact to the malware industry. Having a range of malicious programs, 259 compliments the list, and encrypts personal data with strong algorithms that prevent users from regular access. As a result, all data change its name with a string of digits including personal ID, cybercriminal's e-mail, and .259 extension at the end of each file. For instance, ordinary 1.mp4 will experience a change to something like this 1.mp4.id-C279F237.[259461356@qq.com].259 and reset its default icon. Then, once the encryption process gets to a close, the virus force-opens a pop-up window and creates a text note called FILES ENCRYPTED.txt, both of which contain information upon data recovery. As stated in both pop-up and note, victims have to contact swindlers via e-mail attaching personal ID. In addition to that, you are allowed to send up to 1 file (less than 1 MB) for free decryption. Then, once extortionists receive your message, you will be guided with steps on how to purchase decryption software. Sometimes, the required fee may skyrocket beyond the limits, becoming unaffordable for most of the users. Even if you are ready to enrich cybercriminals buying their software, we recommend you against it, because most users report a high-risk of being fooled and not obtain any tools to restore the data at all.

Developed by a group of Turkish extortionists, SifreCikis is a ransomware infection encrypting personal data and demanding a fee for recovery. It creates a strong cipher on sensitive data using AES and RSA algorithms. As a result, the decryption of files becomes hard to pull off, even with third-party tools. All data encrypted by SifreCikis obtains a new extension based on these patterns: .{random-alphanumerical-sequence}. For example, a file like 1.txt will change to something like this 1.txt.E02F4934FC5A. Then, after the encryption is done, users encounter a note called ***NA*** that contains ransom instructions. Unfortunately, the content of the note is hard to conceive for non-native speakers, however, a group of researchers translated it and outlined some key information. It claims that you should contact cyber criminals via e-mail and attach your personal ID in the message topic. Then, you will receive further instructions to purchase the decryption software (500$ in BTC). If there is no response from the extortionists, you should read the information through the link in the Tor browser. Malware researchers spotted the domain name starting with sifrecikx, which is consonant with sifre cikis (meaning "cipher/password + exit" in Turkish). Also, during the investigation researchers defined that SifreCikis could be a brother of SifreCozucu, as it looks very similar having minor differences.

Lisp Ransomware (a.k.a. STOP Ransomware or Djvu Ransomware) is extremely dangerous virus that encrypts files using AES-256 encryption algorithm and adds .lisp extensions to affected files. The infection mostly involves important and valuable files, like photos, documents, databases, e-mails, videos, etc. Lisp Ransomware does not touch system files to allow Windows to operate, so users will be able to pay the ransom. If the malware server is unavailable (the computer is not connected to the Internet, remote hackers's server does not work), then the encryption tool uses the key and identifier that is hard-coded in it and performs offline encryption. In this case, it will be possible to decrypt the files without paying the ransom. Lisp Ransomware creates _readme.txt file, that contains ransom message and contact details, on the desktop and in the folders with encrypted files. Developers can be contacted via e-mail: helpmanager@mail.ch and restoremanager@airmail.cc.