How to remove Cyb3r Drag0nz Ransomware and decrypt .Cyb3rDrag0nz files
Cyb3r Drag0nz Ransomware is a malicious software designed to encrypt the files on a victim's computer and demand a ransom for their decryption. As part of its signature, it appends a distinct extension, .Cyb3rDrag0nz, to the filenames of the encrypted files. For example, a file named document.pdf becomes document.pdf.Cyb3rDrag0nz once it is encrypted. This ransomware employs strong cryptographic algorithms that are either symmetric or asymmetric, making it extremely difficult to decrypt the files without cooperation from the cybercriminals who distributed it. A unique feature of Cyb3r Drag0nz is its capacity to display a ransom note on the victim's desktop, titled Cyb3rDrag0nz_ReadMe.txt, warning the victim not to attempt manual file decryption and demanding a ransom payment of $1000 in Bitcoin or Tether USDT TR20 for file recovery. Despite its menacing facade, paying the ransom does not guarantee file restoration, as victims often do not receive the decryption key even after meeting the demands.
How to remove SKUNK Ransomware and decrypt .SKUNK files
SKUNK Ransomware is a type of malicious software developed to encrypt a victim's files and disrupt their access, adding a layer of complexity to digital security issues. When it infects a system, it appends a distinctive file extension, .SKUNK, to the names of all encrypted files, thereby marking them as compromised and inaccessible. For instance, a document named report.docx would appear as report.docx.SKUNK after encryption. The ransomware employs robust encryption algorithms, often utilizing either symmetric or asymmetric cryptography to secure the data, thus making the decryption process without the proper key a formidable challenge. Infected systems display a ransom note to the user, commonly found in a text file named READ_THIS.TXT and within desktop wallpaper and pop-up notifications. These notes detail the attacker’s demands and claim the malware attack as a protest against the prosecution laws related to malware development, rather than explicitly demanding a monetary ransom. Despite this, the threat remains as files cannot be accessed without complying with the given conditions.
How to remove ZasifrovanoXTT2 Ransomware and decrypt .zasifrovanoXTT2 files
ZasifrovanoXTT2 Ransomware is a member of the Xorist ransomware family, known for encrypting personal data on victims' computers and demanding a ransom for decryption. Once it infiltrates a system, it appends a distinctive .zasifrovanoXTT2 extension to each encrypted file, effectively rendering them inaccessible unless decrypted. The ransomware employs sophisticated cryptographic algorithms, ensuring that files remain locked without the attackers' decryption key. After completing the encryption process, it delivers its ransom demand through a prompt message and an identical text document titled HOW TO DECRYPT FILES.txt, typically placed in every affected directory, sometimes even altering the desktop wallpaper to reinforce the victim's awareness of the breach. This note demands a payment of 0.039 BTC within a set timeframe, typically accompanied by instructions and threats to permanently lock the files should the demands not be met.
How to remove FMLN Ransomware and decrypt .crypt-[original_extension] files
FMLN Ransomware is a malicious program designed to encrypt data on a victim's computer and demand a ransom for its decryption. Upon infecting a system, FMLN renames affected files by appending a distinctive extension in the format .crypt-[original_extension]. For example, a file named photo.jpg would be renamed to photo.crypt-jpg, leaving users unable to access their data. This extension serves as a clear indicator of the infection. FMLN employs robust cryptographic algorithms to lock files, making decryption without the attacker's cooperation extremely challenging and, in many cases, impossible. The ransomware typically modifies the desktop wallpaper to alert the user to the infection, adding a sense of urgency. Simultaneously, FMLN generates ransom notes in a pop-up window and a text file titled README.txt, providing instructions in Spanish on how to proceed for file recovery. Victims are cautioned against removing the malware or using antivirus tools, as this might permanently lock the files.
How to remove Craxsrat Ransomware and decrypt .craxsrat files
Craxsrat Ransomware is a malicious software program classified under ransomware, which is notorious for encrypting victims' files and demanding a ransom payment for their decryption. Upon infection, Craxsrat appends a .craxsrat extension to each encrypted file name, altering the structure and rendering them inaccessible. For instance, a file named photo.jpg becomes photo.jpg.craxsrat. This ransomware deploys the RSA cryptographic algorithm, known for its robust encryption capabilities, using separate keys for encryption and decryption, which makes data recovery without the decryption key nearly impossible. After encrypting files, the ransomware creates a ransom note titled HELP_DECRYPT_YOUR_FILES.txt, typically located in every affected folder. The note instructs the victim to pay an amount of $50 in Bitcoin in exchange for a decryption key and allows for the decryption of a single file as proof, although fulfilling ransom demands often does not guarantee data recovery or the development of trustworthy tools.
How to remove Nanocrypt Ransomware and decrypt .ncrypt files
Nanocrypt Ransomware is a new strain of ransomware that our team detected during security analyses. Much like other ransomware types, it primarily targets and encrypts files on the infected device, rendering them inaccessible to the user. After encryption, it appends the .ncrypt extension to the file names, for instance, turning document.docx into document.docx.ncrypt. The malware employs a combination of RSA and AES encryption, ensuring that without the corresponding decryption key, regaining access to the files is practically impossible. Typically, once the encryption process is complete, it generates a ransom note in a text file named README.txt. The contents of this note inform victims about the encryption, instruct them on how to purchase 50 USD worth of Bitcoin to receive the decryption tool, and caution against trying to recover the files independently or restarting the computer. This kind of manipulation is common in ransomware attacks, aimed at creating urgency and fear to coerce payment.
How to remove Lilith RAT
Lilith RAT is a sophisticated remote access Trojan (RAT) designed to give cybercriminals unauthorized control over infected systems. Written in C++, this malware allows attackers to execute commands remotely, manipulate system functions, and even deploy additional malicious payloads. One of its key features is a built-in keylogger that captures keystrokes, enabling the theft of sensitive information such as passwords and credit card details. Beyond its data-harvesting capabilities, Lilith RAT facilitates large-scale attacks by allowing a single command to be sent to multiple infected devices simultaneously. It achieves persistence by installing itself to run automatically upon system startup and can delete its traces to avoid detection. Commonly distributed through deceptive emails containing malicious attachments or links, Lilith RAT is a potent tool for identity theft and other cybercrimes. Users are advised to employ robust security measures to prevent infection, as this RAT poses significant risks to both privacy and system integrity.
How to remove TsarBot Banking Trojan (Android)
TsarBot Banking Trojan is a sophisticated piece of malware specifically designed to target Android devices, functioning primarily as a banking trojan. This malicious software is capable of infiltrating over 750 finance-related applications, aiming to extract sensitive user data such as login credentials, credit card numbers, and personally identifiable information. TsarBot employs overlay attacks, wherein it creates deceptive screens that mimic legitimate app interfaces, tricking users into entering their private information. By abusing Android’s Accessibility Services, it gains extensive control over the device, allowing it to execute commands, perform fraudulent transactions, and even intercept SMS messages for retrieving one-time passwords. Distribution methods for TsarBot include malicious websites disguised as financial platforms, social engineering tactics, and deceptive applications. The impact of this trojan can lead to severe financial losses, identity theft, and significant privacy issues for affected users. Continuous vigilance and the use of robust security measures are essential to mitigate the risks associated with TsarBot and similar malware threats.