
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Rans-A Ransomware and decrypt .Rans-A files

Rans-A is a new file-encryptor variant that belongs to the Xorist family. After successfully infiltrating the system, the ransomware proceeds to encrypt potentially important data and appends .Rans-A to the original filename. As a result, a previously accessible file like 1.pdf changes to 1.pdf.Rans-A and becomes inaccessible. The main goal of ransomware is to extort money from victims in return for decrypting their files. Thus, the virus displays an error message and creates a text file called HOW TO DECRYPT FILES.txt, both of which show decryption instructions (in Portuguese). Overall, victims are told that the only way to restore data to its original condition is to contact the cybercriminals within the set deadline. Should victims fail to do so by the end of the deadline, decryption will supposedly no longer be available. In addition, the note also warns victims against deleting or renaming the ransom message or reporting it to any website/authority; otherwise, the cybercriminals' e-mail may end up blocked and no longer accept requests for data decryption. As a rule, once victims reach out, the cybercriminals set a price that has to be paid for decryption.

How to remove Tycx Ransomware and decrypt .tycx files

The number of queries related to new ransomware activity is growing each day with new infections. This time around, users are dealing with Tycx Ransomware, a new and dangerous piece developed by the Djvu/STOP family. This particular version started infecting computers in the second half of March 2023. Its recent activity has encrypted a lot of personal data with strong algorithms. Although Tycx Ransomware has not been fully analyzed just yet, some things are already clear. For example, the virus renames various types of data (images, documents, databases, etc.), changing the original extensions to .tycx. This means that every file keeps its initial name but gains a new extension, for example "1.pdf.tycx". Once the encryption process completes, you will no longer be able to access your data. To regain it, the extortionists have scripted the creation of identical notes dropped into encrypted folders or onto the desktop. The note is usually named _readme.txt and contains detailed instructions on how to recover your data.

How to remove Tywd Ransomware and decrypt .tywd files

Tywd Ransomware (the latest version of STOP or Djvu Ransomware) is extremely harmful and one of the most active encryption viruses. More than half of ransomware submissions to ID-Ransomware (a ransomware identification service) are made by victims of STOP Ransomware. Although it has been in circulation for a couple of years, the number of infections caused by Tywd Ransomware continues to increase. It may be somewhat ironic, but most of the victims (at the moment) are users of pirated software. The version of the virus under consideration today adds the .tywd extension to files. The malicious program also creates a text file (called _readme.txt) in each infected folder, which explains to the user that the computer is infected and that the data will not be accessible until a ransom of $980 is paid. If the user pays within 72 hours after infection, the ransom is reduced to 490 US dollars. An example of this ransom note is presented below.

How to remove Darj Ransomware and decrypt .darj files

Darj Ransomware is a prevalent encryption virus and blackmailer that targets valuable personal files. It belongs to the STOP/Djvu malware group. After infection and data encryption, the attackers start extorting a ransom. There have been more than 600 versions of the ransomware; each version is slightly modified to circumvent protection, but the main footprints remain the same. The malware uses AES-256 in CFB mode. Shortly after launch, the STOP family encryptor executable connects to the C&C server and retrieves the encryption key and infection ID for the victim's PC. Data is transmitted over plain HTTP in the form of JSON. If the C&C is not available (the PC is not connected to the Internet, or the server itself is not working), the encryptor uses the key and ID hard-coded in it and performs offline encryption. In this case, you can decrypt the files without paying a ransom. Variants of STOP Ransomware can be distinguished from each other by their ransom notes and the extensions they add to encrypted files. For the STOP Ransomware under research today, the extension is .darj. The ransom note file _readme.txt is presented below in the text box and picture. In the article below we explain how to remove Darj Ransomware completely and the ways to decrypt or restore .darj files.

How to remove Basn Ransomware and decrypt .basn files

Basn is a ransomware infection that targets various companies. Upon infiltration, it quickly scans the system for potentially important files (e.g., documents, databases, videos, images, etc.) and encrypts them. During this process, the virus also assigns its own .basn extension to mark the blocked data. For instance, a file originally named 1.xlsx changes to 1.xlsx.basn and its icon is reset to blank. Following successful encryption, the file-encryptor also drops a text file named unlock your files.txt with decryption instructions inside. The note makes clear that the victim's data has been encrypted and exfiltrated to the cybercriminals' servers. To unblock the encrypted data and prevent its leakage to shady resources/figures, the extortionists demand that victims pay a ransom in Bitcoin or Monero cryptocurrency. The price is not disclosed in the note, as it is likely to vary depending on the amount and value of the encrypted data. Unfortunately, unless the virus has severe flaws in its implementation, the cybercriminals are usually the only ones capable of decrypting the data completely and safely. For now, no third party is known to be able to bypass the encryption applied by Basn Ransomware. The only available options for data recovery are to either collaborate with the ransomware developers or restore data from existing backup copies. Backups are copies of data stored on external devices such as USB drives, external hard drives, or SSDs. The only downside of self-recovery is that the threat actors may indeed publish the collected data and thereby damage the reputation of some companies, if they actually intend to do so.

How to remove Dazx Ransomware and decrypt .dazx files

Dazx Ransomware is a version of the STOP/Djvu ransomware family. It is a type of malware that encrypts the files on a victim's computer and demands a ransom payment in exchange for the decryption key. When Dazx Ransomware infects a computer, it encrypts the victim's files using a strong encryption algorithm, making them inaccessible to the victim. The malware uses a symmetric encryption algorithm to encrypt the victim's files; specifically, it uses the Salsa20 stream cipher to encrypt the data. The encryption key is generated randomly for each victim and is stored on the attacker's server. The encrypted files have a new extension added to their filenames, such as .dazx. Dazx Ransomware also creates a ransom note file called _readme.txt in every folder that contains encrypted files. This file contains instructions on how to pay the ransom in order to receive the decryption key. The ransom note also warns the victim against attempting to decrypt the files using third-party software, as this can result in permanent data loss.

How to remove Code Ransomware and decrypt .code files

Code is the name of a new ransomware variant that infects organizations in order to encrypt data and extort money in return for the decryption key. During encryption, it appends the .code extension and creates a ransom note (called !!!HOW_TO_DECRYPT!!!.txt) with instructions on how to decrypt the blocked data. Here is what infected files look like after encryption: 1.pdf.code, 2.png.code, and so forth for the other file types targeted by the virus. In the note, the cybercriminals try to persuade victims to pay the ransom for decryption. Victims are told to install the TOX messenger and write to the extortionists using the provided TOX ID. If victims refuse to meet these demands and do not purchase decryption, the threat actors threaten to start randomly sharing the encrypted data with other parties or to leak/sell it on the dark web and other shady resources.

How to remove Dapo Ransomware and decrypt .dapo files

Dapo Ransomware is a variant of STOP/Djvu Ransomware, a type of malware that encrypts files on a victim's computer and demands a ransom payment in exchange for a decryption key to restore the files. During encryption, this malware changes file extensions to .dapo. After the encryption process is complete, the ransomware drops a ransom note on the victim's desktop and in every folder that contains encrypted files. The note contains instructions on how to pay the ransom in order to receive the decryption key. The attackers usually demand payment in cryptocurrency, such as Bitcoin. It is important to note that there is no guarantee that paying the ransom will result in the decryption of the files. In some cases, victims have paid the ransom but never received the decryption key, while in other cases the decryption key provided by the attackers has turned out to be ineffective. The ransom note file name used by Dapo Ransomware follows the same naming convention as other STOP/Djvu variants: the file is named _readme.txt. The ransom note contains instructions on how to pay the ransom in order to receive the decryption key, and it typically includes an email address that the victim can use to communicate with the attackers.