Viruses

DataBankasi is the name of a ransomware program designed to extort money from victims off of data encryption. After the encryption occurs, all affected files get changed with the .databankasi extension becoming no longer accessible. To illustrate it with an example - a file previously named 1.pdf will change to 1.pdf.databankasi and lose its original icon as well. Following successful blockage of data, the virus creates a text file containing decryption guidelines (---BILGILENDIRME----NOTU---.txt). The text of decryption instructions is presented in the Turkish language.

TeamDarkAnon is a ransomware infection that encrypts system-stored data and extorts money from victims for its decryption. After successfully penetrating the system, TeamDarkAnon renames all encrypted files with the .anon extension. For instance, a previously working file called 1.pdf will change to 1.pdf.anon and reset its original icon. After the encryption of data is complete, the virus changes desktop wallpapers and creates a text file named HOW TO RECOVER ENCRYPTED FILES.TXT to illustrate decryption guidelines.

Cyber_Puffin is almost identical to another ransomware infection called Exploit6. Thus, it is very likely these two infections are promoted by the same group of developers. Likewise, Cyber_Puffin encrypts personal files and blackmails victims into paying money for their return. While restricting access to data, the virus assigns the custom .Cyber_Puffin extension to all affected files. For instance, a file previously named 1.pdf will experience a change to 1.pdf.Cyber_Puffin and become no longer accessible. Alike to Exploit6 Ransomware, the Cyber_Puffin variant creates a text file that displays decryption guidelines after successfully completing encryption. In addition, desktop wallpapers get replaced as well.

Exploit6 is a ransomware infection that encrypts personal files and blackmails victims into paying money for their return. During the encryption process, the file-encryptor changes the file appearance by adding the custom .exploit6 extension. To illustrate, a file previously titled 1.pdf will turn into 1.pdf.exploit6 and become no longer accessible. Alike in other malware of this kind, developers create a text file (READMI.txt) to explain decryption instructions. As said in this note, victims have to establish contact with cybercriminals by sending a message to their Telegram account (@root_exploit6). Although there is no further information about decryption inside the note, developers will more likely give it after reaching out to them. As a rule, collaborating with swindlers and paying money to them is not recommended - this is because there is a chance they will fool you and not give any decryption tool/codes even after completing the payment.

Polis is a recent ransomware infection. Alike other malware within this category, it renders files inaccessible and demands victims to pay a monetary ransom. During encryption, the virus assigns its own .polis extension to highlight the blocked data. For instance, an innocent file previously named 1.pdf will change its name to 1.pdf.polis and reset the original icon as well. Following this, Polis Ransomware creates a text note (Restore.txt) to instruct what victims should do. It is said victims have 2 days to establish contact with cybercriminals (via e-mail) and pay money to them for decryption. Otherwise, if the deadline will not be met, extortionists promise to publish the uploaded copies of locked data on special public domains. By posing such threats, cybercriminals try to make victims act immediately and follow what the guidelines say.

Moisha is a ransomware virus developed and promoted by the PT_MOISHA Hacking Team. This group of developers targets files of business-related users. After infiltrating the system and running strong encryption of data, the cybercriminals demand $10,000 in ransom for file decryption and a guarantee to not publish the collected information. All of this information is presented in more detail within the !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html text note created after successful encryption. Unlike other ransomware infections, Moisha does not add any custom extensions to the affected files.

If your files became no longer accessible and now appear with the new .MEOW extension (then .PUTIN, .KREMLIN and .RUSSIA extensions), then you are most likely infected with Meow Ransomware (a.k.a. MeowCorp2022 Ransomware and ContiStolen Ransomware). This file-encryptor blocks access to practically all types of system-stored data using the ChaCha20 algorithm and demands victims to establish contact with its developers (presumably to pay for decryption). In addition, it was also determined that this ransomware works on code stolen from another popular file-encryptor named Conti-2 Ransomware. Information about contacting swindlers can be found inside a text note called readme.txt, which the virus drops into each folder with encrypted files.

Loplup is a file-encrypting virus that was determined to be part of the ZEPPELIN ransomware family. While restricting access to system-stored data, it renames attacked files by adding the custom .loplup.[victim's_ID] extension. This means a file previously called 1.pdf will change to something like 1.pdf.loplup.312-A1A-FD7. Note that the victim's ID is variable so it can be different in your case. Following successful encryption of data, Loplup creates a text file (!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT) that contains decryption guidelines.