
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove DarkRace Ransomware and decrypt .1352FF327 files

DarkRace Ransomware, discovered by security researcher S!Ri, poses a significant threat to computer systems and the security of sensitive data. This article delves into the workings of DarkRace, its impact on files, and the implications for victims. By understanding the nature of this ransomware strain, users can better protect themselves against such malicious attacks. DarkRace is a type of ransomware that encrypts files on infected systems, rendering them inaccessible to users. This malware appends a distinct extension, .1352FF327, to filenames and leaves a ransom note in the form of a text file named Readme.1352FF327.txt. Once infected, victims are informed that their data has been stolen and encrypted, and they are threatened with the publication of their sensitive information on a TOR website if the ransom demands are not met.

How to remove Weqp Ransomware and decrypt .weqp files

Weqp is a recent ransomware infection developed by the STOP/Djvu malware group that appeared at the end of May 2023. The developers behind it have released a number of very similar infections to encrypt users' data and blackmail them into paying money for the recovery. The malware primarily uses a combination of symmetric and asymmetric encryption algorithms to encrypt victims' files. The specific encryption algorithms employed by STOP/Djvu have evolved over time as the malware has undergone several variants and updates. However, the most commonly observed encryption algorithm used by STOP/Djvu is the RSA algorithm for asymmetric encryption. Weqp Ransomware barely differs from other previously developed versions. It encrypts all kinds of important files and alters their appearance with the .weqp extension. To illustrate, a file like 1.pdf will change to 1.pdf.weqp and have its icon reset by the infection. After this, a text file called _readme.txt is created to explain how files can be decrypted.

How to remove Weon Ransomware and decrypt .weon files

Weon Ransomware is one of the newest versions developed by the STOP (Djvu) family. It was first spotted at the end of May 2023. This ransomware targets various types of personal data (e.g. images, videos, documents, etc.) using online keys randomly generated for each victim. Once they are applied and data becomes encrypted, users are no longer able to access and interact with it. During the encryption process, all of the files are assigned the .weon extension. This means that files will change their name and reset their icons. For example, a file like 1.pdf will be changed to 1.pdf.weon and lose its initial icon at the end of encryption. Then, just like other recent versions of the STOP (Djvu) family, Weon creates a text note called _readme.txt that contains decryption instructions. No matter which version was dropped on your PC, all of them display the same information.

How to remove Jigsaw Ransomware and decrypt .onion, .LoLSec, .fun or .cat files

Jigsaw Ransomware is a widespread family of ransomware. Ransomware is designed to encrypt files on a victim's computer, rendering them inaccessible, and then demand a ransom payment in exchange for the decryption key needed to restore the files. Jigsaw Ransomware gained attention in April 2016 when it was first discovered. It was named after the iconic character from the movie "Saw" due to its use of an image of the character as its logo. Jigsaw Ransomware targets Windows-based systems and spreads through various methods such as malicious email attachments, infected downloads, or exploit kits. Once a computer is infected with Jigsaw Ransomware, it begins encrypting files on the system, including documents, images, videos, and other important data. It then displays a ransom note on the victim's screen, demanding a payment, usually in Bitcoin, within a specified time frame. If the victim fails to pay the ransom within the given time, Jigsaw Ransomware threatens to delete a portion of the encrypted files as a form of punishment. It also displays a countdown timer, adding a psychological element of urgency.

How to remove Alphaware Ransomware and decrypt .Alphaware files

Alphaware Ransomware, a malicious program, employs a sophisticated combination of algorithms to encrypt the valuable data of its victims. Upon successfully encrypting the files, this ransomware reveals its original name, Alphaware, in a note, while the associated file itself is labeled as Alphaware.exe. The perpetrators behind this threat identify themselves as the Alpha group of hackers. Their modus operandi involves demanding a ransom of $300 in BTC (Bitcoin) in exchange for the decryption key, which is necessary to restore the compromised files to their original state. Alphaware Ransomware, which first surfaced around mid-May 2023, is primarily targeted at English-speaking users but has the potential to infect systems worldwide. Infected files undergo a transformation in their naming conventions or encoding, accompanied by the addition of the .Alphaware extension. The ransom demand is delivered through a file named readme.txt.

How to remove Vatq Ransomware and decrypt .vatq files

A new generation of STOP Ransomware (Djvu Ransomware) has been adding .vatq extensions to encrypted files since the end of May 2023. As a reminder, Vatq Ransomware belongs to a family of crypto-viruses that extort money in exchange for data decryption. The latest examples of STOP Ransomware are sometimes categorized as Djvu Ransomware, as they have used nearly identical ransom note templates since the beginning of 2019, when .djvu extensions were appended. Vatq Ransomware uses the same email addresses used in the last dozens of versions: support@freshmail.top and datarestorehelp@airmail.cc. Full decryption is only possible in 1-2% of cases, when an offline encryption key was used (by means of STOP Djvu Decryptor). In other cases, use the instructions and tools offered in this article. Vatq Ransomware creates a _readme.txt ransom note file that looks almost the same.

How to remove FAST Ransomware and decrypt .FAST files

FAST Ransomware is a type of malware that our research team recently discovered while investigating submissions on the VirusTotal website. This particular malicious program is classified as ransomware, which means it is designed to encrypt data on a victim's computer and demand a ransom in exchange for its decryption. When we tested the ransomware on our own machine, we observed that it encrypted files and modified their filenames. The original file titles were altered by appending the cyber criminals' email address, a unique victim ID, and the .FAST extension. For example, a file named sample.pdf would appear as sample.pdf.EMAIL=[fastdec@tutanota.com]ID=[RANDOM].FAST after encryption. After completing the encryption process, FAST ransomware dropped a ransom note titled #FILEENCRYPTED.txt onto the victim's desktop.

How to remove EXISC Ransomware and decrypt .EXISC files

EXISC is a form of malware known as ransomware that came to our attention during our investigation. Its primary purpose is to encrypt data and demand payment in exchange for the decryption key. Upon executing a sample of this ransomware on our test system, we observed that it encrypted files and appended the .EXISC extension to their original filenames. For instance, a file named sample.pdf would appear as sample.pdf.EXISC. The ransomware also created a ransom note titled Please Contact Us To Restore.txt. Based on the message contained in the note, it became evident that EXISC primarily targets large organizations rather than individual home users. Victims often do not receive the promised decryption keys or software, even after complying with the ransom demands. Therefore, we strongly discourage paying the ransom, as it does not guarantee data recovery and only perpetuates criminal activities.