Viruses

Fofd Ransomware (version of STOP Ransomware or DjVu Ransomware) is a high-risk widespread encryption virus, that first appeared near 5 year ago. It experienced several visual and technical changes throughout the time. In this tutorial, we will analyze recent versions of this dangerous malware. In the very end of April 2023, STOP Ransomware started to add following extensions to encrypted files: .fofd. It is because of that, it got the name "Fofd Ransomware" although it is just one of the varieties of STOP crypto-virus. The virus also modifies "hosts" file to block Windows updates, antivirus programs, and sites related to security news or offering security solutions. The process of infection also looks like installing Windows updates, malware shows the fake window, that imitates the update process. A new subtype of STOP Ransomware uses same e-mail addresses, as few previous generations: support@freshmail.top and datarestorehelp@airmail.cc. Fofd Ransomware creates _readme.txt ransom note file.

WannaCry (also referred to as Wcry, Wana Decrypt0r 2.0, WanaDecryptor, and WNCRY virus) is a ransomware infection that encrypts personal files using AES-128 algorithms and demands victims to pay for decryption. The virus was discovered by a security researcher S!Ri and there are a couple of known WannaCry variants. Depending on which variant attacked the system, files affected by encryption will be altered using the .wcry, .wncry, or WNCRYT (for encrypted .bmp files). For instance, a file like 1.pdf will change to 1.pdf.wcry or similarly depending on the ransomware version. Following this, the virus displays decryption instructions in a force-opened pop-up window. One of the variants changes the desktop wallpapers as well. The Wana Decrypt0r 2.0 variant also creates a separate ransom-demanding note called @Please_Read_Me@.txt.

If your files recently got .foty extensions, that means your PC is infected with an encryption virus called Foty Ransomware (part of STOP Ransomware or Djvu Ransomware family, called so because the first versions of the virus of this type appended .djvu extension). This is a very widespread and actively distributed malware. Ransomware initially used the AES-256 encryption algorithm, and there was no way for decryption. However, if during the encryption process the infected PC was out of the internet, or connection with a remote server of hackers was interrupted your files can be decrypted, using methods provided below. STOP Ransomware has a ransom note called _readme.txt. In this text file, malefactors give contact information and details on how to make a payment. The virus copies it on the desktop and in the folders with encrypted files. Hackers provide following contacts, e-mails: support@freshmail.top and datarestorehelp@airmail.cc.

Foza Ransomware is a devastating encryption virus from the series of STOP Ransomware (Djvu Ransomware). Foza Ransomware is a variant of the STOP/Djvu Ransomware family, which is known for using a combination of two encryption algorithms: RSA and AES. RSA is used to encrypt the symmetric AES key that is generated for each file. This means that each file has its own unique AES key, which is used to encrypt and decrypt the file's contents. The RSA key pair is generated by the ransomware on the victim's computer and the public key is sent to the attacker's server, which is then used to encrypt the symmetric AES key. It has got its name from .foza extension, that ransomware adds to the end of encrypted files. From a technical point of view, the virus remains the same as previous versions. Only thing that changes during past couple of years is contact details of malefactors.

Kafan is a new ransomware virus that infects Windows users in order to encrypt personal data and extort money for its decryption from victims. Once installed, the ransomware will run a quick scan of the stored data and start the encryption process using strong cryptographic algorithms. In addition, the malware will also assign its own .kafan extension to distinguish locked files. For instance, a file originally named 1.pdf will change to 1.pdf.kafan and become no longer accessible. Lastly, the file encryptor generates a ransom note called help_you.txt with instructions on how to return the data. The ransom message necessitates victims to send an e-mail message to cybercriminals (PYTHONHAVENONAME@163.COM) and pay for decryption. While sending the message, victims are also asked to write their ID in the message title/subject. The price for decryption is said to depend on how fast victims establish communication with the attackers. Cybercriminals employ such manipulation techniques to put extra pressure on victims and potentially force them into agreeing to pay the ransom.

Recov is a new ransomware variant of the VoidCrypt family. After infiltrating a system, it runs data encryption (to prevent victims from accessing files) and tells victims to pay for a kit of decryption software + RSA key for unlocking the files. Instructions on how to do it are presented inside the Dectryption-guide.txt ransom note. One more thing that this ransomware does is assigning visual changes to encrypted files - a string of characters consisting of the victim's ID, cybercriminals' e-mail address, and the .Recov extension will be added to filenames. For instance, a file originally named 1.pdf will be changed to 1.pdf.[MJ-TN2069418375](Recoverifiles@gmail.com).Recov or similarly. Cybercriminals demand that victims establish contact with them via e-mail (Recoverifiles@gmail.com or Recoverifiles@protonmail.com in case of no answer). While it isn't made clear what extortionists need, it is likely that they will require their victims to pay a certain fee for a decryption tool and RSA key that are available only to the developers.

Kadavro Vector is a ransomware program oriented toward English, Russian, and Norwegian-speaking users. The purpose of this virus is to encrypt potentially important data and extort money from victims for its decryption. While rendering files inaccessible, the malware also appends the .vector_ extension to targeted files. For instance, a file originally named 1.pdf will experience a change to 1.pdf.vector_ and reset its original icon. Very soon after successful encryption, Kadavro Vector force-opens its pop-up window containing decryption guidelines. Additionally, desktop wallpapers get changed as well. The ransom note instructs victims to not turn off the Internet and their computer as it may otherwise lead to damage to encrypted data. To return the data, victims have to purchase Monero (XMR) cryptocurrency worth $250 and send it to the cybercriminals' crypto address. In addition, there is also a timer indicating how much time users have to pay for decryption. Should victims not manage to do so within the allocated time frame, it is said that all files will be deleted using high-edge algorithms, making them permanently unrecoverable in the future. By doing so, threat actors try to put extra pressure on victims and thereby force them to meet the decryption demands.

Coty Ransomware is a part of a large STOP/Djvu Ransomware family. It got its name because the original versions of the malware added the .stop (later .djvu) file extension and encrypted them with a combination of AES and RSA cryptography to make files inaccessible on the infected Windows computer. Coty Ransomware according to its name adds .coty extension. This version appeared in the end of April 2023. Once the Coty/STOP ransomware completes the encryption procedure, the virus creates a ransom note to _readme.txt file. The message of the scammers says that the victims must pay the ransom within 72 hours. The authors of the STOP virus are demanding $490 during the first three days and $980 after this time period. To provide confirmation, hackers allow 1-3 "not very large" files to be sent for free decryption to support@freshmail.top or datarestorehelp@airmail.cc for a test.