Viruses

Glorysprout Stealer is a type of malware, specifically a stealer, that targets a wide range of sensitive information including cryptocurrency wallets, login credentials, credit card numbers, and more. Written in C++, it is based on the discontinued Taurus stealer, with suspicions that Taurus's source code had been sold, leading to the development of Glorysprout. Despite promotional materials suggesting a variety of functionalities, cybersecurity analysts have noted some discrepancies between advertised and observed capabilities. Glorysprout is compatible with Windows OS versions 7 through 11 and supports different system architectures. It is marketed as customizable software with purported virtual machine detection capabilities, although this feature has not been confirmed by analysts. Upon successful infiltration, Glorysprout collects extensive device data, including details about the CPU, GPU, RAM, screen size, device name, username, IP address, and geolocation. It targets a variety of software including browsers, cryptowallets, authenticators, VPNs, FTPs, streaming software, messengers, email clients, and gaming-related applications. From browsers, it can extract browsing histories, bookmarks, Internet cookies, auto-fills, passwords, credit card numbers, and other vulnerable data. Additionally, it can take screenshots. While it advertises grabber (file stealer) and keylogging (keystroke recording) abilities, these functionalities were absent in known versions of Glorysprout.

Remcos RAT (Remote Control and Surveillance) is a Remote Access Trojan that has been actively used by cybercriminals since its first appearance in 2016. Marketed as a legitimate tool for remote administration by its developer, Breaking Security, Remcos has been widely abused for malicious purposes. It allows attackers to gain backdoor access to an infected system, enabling them to perform a variety of actions without the user's knowledge or consent. Remcos RAT is a powerful and stealthy malware that poses significant risks to infected systems. Its ability to evade detection and maintain persistence makes it a formidable threat. However, by following best practices for prevention and employing a comprehensive approach to removal, organizations and individuals can mitigate the risks associated with Remcos and protect their systems from compromise.

Looy Ransomware is a malicious software that belongs to the STOP/DJVU ransomware family, which has been notorious for targeting individual users and businesses alike. It is designed to encrypt files on the infected computer, rendering them inaccessible to the user, and then demands a ransom payment in exchange for the decryption key. Upon encrypting the files, Looy Ransomware appends the .looy extension to the filenames, which is a clear indicator of the infection. Looy Ransomware uses a robust encryption algorithm to lock files. While the specific type of encryption is not detailed in the provided sources, it is common for ransomware like Looy to use AES (Advanced Encryption Standard) or a similar secure method to encrypt files. After encryption, Looy Ransomware creates a ransom note named _readme.txt and places it on the desktop or in folders containing encrypted files. This note contains instructions for the victim on how to contact the attackers and pay the ransom to potentially receive the decryption key.

Vook Ransomware is a malicious software that belongs to the STOP/Djvu ransomware family, known for its widespread impact on personal and organizational data. This ransomware variant encrypts files on the infected systems, rendering them inaccessible to the users, and demands a ransom for decryption. Once Vook Ransomware infects a computer, it employs the Salsa20 encryption algorithm to lock files, appending the .vook extension to each encrypted file. This makes the files inaccessible and easily identifiable as being encrypted by this particular ransomware strain. Following the encryption process, Vook Ransomware generates a ransom note named _readme.txt and places it in folders containing encrypted files. This note contains instructions for the victims on how to contact the attackers via email and the ransom amount, typically demanded in cryptocurrencies. The note may also offer the decryption of a single file for free as a "guarantee" that the attackers can decrypt the files upon payment.

Rocklee Ransomware is a variant of the Makop family of ransomware that targets computers to encrypt data and demand a ransom for the decryption key. Upon infection, Rocklee Ransomware encrypts files and modifies their filenames by appending the victim's ID, the attacker's email address, and the .rocklee extension. For instance, a file named 1.jpg would be renamed to 1.jpg.[random-ID].[cyberrestore2024@onionmail.org].rocklee. The specific encryption algorithm used by Rocklee Ransomware is not detailed in the provided sources. However, ransomware of this nature typically uses strong encryption algorithms that are difficult to crack without the unique decryption key held by the attackers. Rocklee Ransomware drops a ransom note named +README-WARNING+.txt in the directories with encrypted files. This note informs victims that their files have been encrypted and provides instructions on how to pay the ransom to recover the files. It also includes contact information for the attackers and warns against attempting to decrypt files without the proper key, as this could lead to further damage.

Kool Ransomware is a type of malicious software that belongs to the broader category of ransomware. It is designed to infiltrate a user's computer, encrypt files, and demand a ransom for the decryption key. Kool Ransomware is part of the STOP/Djvu ransomware family, which is known for targeting Windows users and encrypting files with various extensions. Once Kool Ransomware has infected a computer, it encrypts files and appends a specific file extension to the encrypted files, which is .kool in this case. The encryption used by Kool Ransomware is generally a symmetric or asymmetric algorithm that makes files inaccessible without the unique decryption key. After encrypting the files, Kool Ransomware generates a ransom note, typically named _readme.txt or similar, and places it in folders containing the encrypted files. This note contains instructions for the victim on how to pay the ransom and often includes a deadline and warnings about the consequences of failing to comply. In this article we show how to remove Kool Ransomware and decrypt .kool files for free in Windows 11, 10, 8, 7.

Proton Ransomware is a malicious software designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. Proton Ransomware is a type of malware that encrypts files on the infected computer, adding specific extensions to the filenames and demanding a ransom from the victim to restore access to the encrypted files. It has been discovered in various forms, with some variants appending extensions such as .c77l, .ZENEX or .SWIFT extensions to the affected files along with emails (.[decrypt.computer@gmail.com].c77L, [decrypthelp0@gmail.com].ZENEX, .[swift_1@tutamail.com].SWIFT). Basically, SWIFT Ransomware and ZENEX Ransomware are just variations of Proton Ransomware. This variations create following ransom note files: #Zenex-Help.txt, #SWIFT-Help.txt or #Restore-files.txt. The ransomware uses AES (Advanced Encryption Standard) and ECC (Elliptic Curve Cryptography) algorithms to encrypt files, ensuring that the encryption is strong enough to prevent unauthorized decryption without the unique key held by the attackers. This article aims to provide a comprehensive overview of Proton Ransomware, including its infection methods, the file extensions it adds, the encryption algorithms it uses, the ransom note it creates, and the possibilities for decryption.

LockBit 3.0, also known as LockBit Black, is a sophisticated ransomware strain that encrypts data on targeted systems, disrupting access to system and network resources. It is part of a Ransomware-as-a-Service (RaaS) operation, which means it is used by affiliates who deploy it in cyberattacks in exchange for a share of the ransom profits. LockBit 3.0 is known for its fast encryption capabilities and has been active since at least March 2022. During the encryption process, LockBit 3.0 appends a specific extension to encrypted files. This extension can vary, but examples include "HLJkNskOq" and "19MqZqZ0s". The ransomware changes the icons of encrypted files and alters the desktop wallpaper to inform victims of the attack. LockBit 3.0 drops a ransom note, typically named [random_string].README.txt or a similar text file, in every encrypted folder. The note contains instructions for contacting the attackers and paying the ransom, often demanding payment in cryptocurrency.