
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Kekware Ransomware and decrypt .cyn files

Kekware is a recent ransomware-type virus. The main symptom of this infection successfully breaching the system is strong encryption of data. As a result, users are no longer able to access or modify their files as they did previously. Victims will also see a change in how their data appears: all encrypted files get renamed according to the pattern [random_string].[original_extension][random_string].cyn. To illustrate, a file like 1.pdf may change to something like 7462.jpg7088.cyn and reset its original icon as well. After this part of encryption is done, the virus creates a file called YcynNote.txt, which holds decryption instructions. According to the note, victims ought to pay a ransom of $500 in bitcoin to the attached cryptocurrency wallet. If victims decide not to follow the demands, the cybercriminals say no decryption of data will ever be possible without their involvement. Unfortunately, at the moment of writing this article, this claim should indeed be taken quite seriously. If you do not have backup copies of data saved on external storage devices, you will have only a slim chance of decrypting the Kekware data using third-party tools.

How to remove NOKOYAWA Ransomware and decrypt .NOKOYAWA files

NOKOYAWA is a ransomware-classified infection that encrypts data and blackmails victims into paying money for its recovery. A report published by Trend Micro noted that NOKOYAWA Ransomware shares attack traits with Hive - a widespread and disruptive group of developers that breached more than 300 organizations in just a few months. Cybercriminals behind NOKOYAWA Ransomware use the .NOKOYAWA extension to rename targeted data. For instance, a file like 1.xlsx will change its name to 1.xlsx.NOKOYAWA and reset the original icon as well. Successful encryption is then followed by ransom note creation - the NOKOYAWA_readme.txt file arrives on the desktop. Inside this note, cybercriminals attempt to convince victims to opt for paid decryption. They duplicate the information in English and Chinese, instructing victims to contact the extortionists through one of their e-mail addresses (brookslambert@protonmail.com or sheppardarmstrong@tutanota.com). Should victims reject their suggestions, the swindlers threaten to publish, as they say, "black shit" to open-access resources. The price for decryption is kept secret until victims establish contact, and it is also likely to be evaluated individually for each victim. In other words, the amount of ransom may vary widely depending on how valuable the captured data is. As a rule, it is not recommended to trust cybercriminals and follow their demands since it can simply result in a waste of money.

How to remove D3adCrypt Ransomware and decrypt .d3ad files

D3adCrypt encrypts system-stored data (with the .d3ad extension) and demands that victims pay a monetary ransom for its return. For instance, a file like 1.pdf will become 1.pdf.d3ad, resetting its original icon as well. A ransom note (d3ad_Help.txt) is also created, explaining to victims how they can regain access to their files. It says victims should write an e-mail with their personal ID to the provided d3add@tutanota.com address. In case nobody responds, there is an extra e-mail address victims should contact as well (propersolot@gmail.com). Cybercriminals conclude the ransom message with warnings against renaming files, decrypting files on your own, or trying to involve the help of third-party entities. Note that the price for decryption is kept secret until victims establish further communication with cybercriminals. It is also possible for the price to vary depending on how much informational damage victims suffered during encryption. Usually, cyber experts do not recommend paying the ransom - extensive research shows that many extortionists fool their victims and do not provide them with the promised decryption tools. Alas, there are no feasible ways to decrypt your data at the moment of writing this article. It may become possible in the future, but no one can say when. You can try some trusted and globally-used tools from our guide below, but there is no guarantee they will be able to actually help. For now, the best way to avoid paying the ransom and recover your data at the same time is via backup copies.

How to remove Spark Ransomware and decrypt .Spark files

Discovered by MalwareHunterTeam, Spark is a ransomware virus designed to keep files locked and blackmail victims into paying money to get them back. This is done through the so-called encryption process, in which infections of this kind use strong military-grade algorithms to generate ciphers. As a result, data is no longer accessible to users. People attacked by Spark Ransomware will see their files change to something like 1.pdf.Spark and reset their icons. After rendering all targeted files restricted, the virus displays a pop-up window containing ransom instructions. Cybercriminals say decryption is impossible without a special private key. This is why victims are guided to purchase the key by contacting the developers via their e-mail address (notvalidemailadress.ransom@gmail.com). The swindlers also warn against modifying files or shutting down the PC, which may result in permanent data loss and system damage as well. There is a timer within which victims should contact the developers and pay for decryption. However, the extortionists do not specify what will happen after the time expires. Based on other ransomware analyses, many fraudsters threaten that the collected data will be permanently deleted or leaked to dark web resources, though this does not prove it is the case with Spark Ransomware as well. It is unfortunate to acknowledge, but you are unlikely to find a 100% working decryption tool for .Spark files.

How to remove Titancrypt Ransomware and decrypt .titancrypt files

Titancrypt is a ransomware-type infection. It encrypts system-stored data and demands that victims pay a small ransom of 20 Polish Zlotys (about 4,5 Dollars). During encryption, it adds the new .titancrypt extension to each encrypted file, making it no longer accessible. For instance, a file previously titled 1.png will change to 1.png.titancrypt and lose its original icon. Instructions on how to pay the requested money can be found inside ___RECOVER__FILES__.titancrypt.txt - a text file dropped into each folder with encrypted data, including your desktop. Along with this, it displays a pop-up window saying how many files have been encrypted. Unlike other infections of this type, the supposedly Polish threat actor behind this Titancrypt Ransomware has written short and clear instructions on what victims should do. Victims are told to contact him via his Discord (titanware#1405) and send 20 Polish Zlotys through PaySafeCard. Although the ransomware developer does not elaborate on this, paying the ransom should logically lead to full decryption of data. Many ransomware infections (unlike this one) ask for ransoms ranging from hundreds to thousands of dollars. Thus, users victimized by Titancrypt Ransomware got somewhat lucky since 4,5 Dollars is not a lot of money for many. You can pay this amount and get your data decrypted unless there are backup copies available. If you have your encrypted files backed up on external storage, then you can ignore paying the ransom and recover from backups after deleting the virus.

How to remove GUCCI Ransomware and decrypt .GUCCI files

GUCCI is the name of a ransomware infection originating from the so-called Phobos family. It encrypts system-stored data and demands money for file decryption. Victims will be able to tell their files are locked from the new file appearance. For instance, a file like 1.xlsx will change to 1.xlsx.id[9ECFA84E-3208].[tox].GUCCI. The characters inside the new file names can vary depending on the ID assigned to each victim. GUCCI Ransomware also creates two files - info.txt and info.hta - both of which describe ways of regaining access to data. Cybercriminals say victims can decrypt their data by negotiating with them, in other words, by buying a special decryption tool that will unlock access to the restricted data. While the price is kept secret, victims are guided to contact the swindlers via the TOX messenger. After this, victims will get further instructions on what to do and how to purchase the tool (in Bitcoins). In addition to this, the developers offer 1 free file decryption. Victims can send a non-valuable encrypted file and receive it back fully operable for free. Unfortunately, despite meeting the payment demands, some victims of other ransomware variants reported they ended up fooled and left with none of the promised decryption.

How to remove Black Basta Ransomware and decrypt .basta files

Black Basta is the name of a ransomware infection aimed more at corporate than ordinary users (financial firms, private companies, etc.). Accordingly, it uses high-tier encryption standards to encipher data stored on a network, making it no longer accessible. Victims infected with this virus will see their data change in the following way - 1.pdf to 1.pdf.basta, 1.xlsx to 1.xlsx.basta, and so forth with other encrypted data. After this, Black Basta creates a text note called readme.txt, which provides instructions on how to recover the data. Default desktop wallpapers will be replaced by the virus as well. According to the note, victims can start the decryption process by visiting the attached Tor link and logging into the chat with their company ID. From there, cybercriminals will give the necessary information and instructions on how to proceed. Some victims reporting their infection with Black Basta Ransomware showed that cybercriminals require 2 million dollars to pay for decryption. Note that this sum is likely to vary depending on how big the infected company is and how valuable the collected information is. In addition to everything mentioned, the extortionists threaten that if victims do not negotiate towards a successful deal or decline the offer intentionally, all gathered data will be subject to ending up published online. Sometimes the bigger danger of being infected is not losing data but rather risking the loss of your business reputation.

How to remove Selena Ransomware and decrypt .selena files

Selena is a disruptive ransomware infection targeting primarily business networks. It encrypts network-stored data and demands that victims pay a monetary ransom for its return. During encryption, Selena alters the way original files appear - files that are no longer accessible acquire a uniquely generated victim's ID, the e-mail address of the cybercriminals, and the .selena extension. To illustrate, a file initially titled 1.xlsx will change to id[q2TQAj3U].[Selena@onionmail.org].1.xlsx.selena and reset its icon to blank. After this process comes to a close, the ransomware creates a file named selena.txt, which is a text note explaining how to recover the files. It says there is no way to decrypt the restricted data other than directly negotiating with the cybercriminals. To get further information, victims are guided to write to one of the following e-mail addresses (selena@onionmail.org or selena@cyberfear.com) and state their personal ID in the title. In order to get the necessary decoder and private keys, which will unlock access to data, victims are required to pay money (in bitcoins). The price remains unknown and is likely to be calculated individually only after contacting the swindlers. In addition, cybercriminals offer victims the chance to send 2 files containing no valuable information (under 5MB) and get them decrypted for free. This offer works as a guarantee measure proving they are actually able to decrypt your data. Unfortunately, options to decrypt files without the help of cybercriminals are unlikely to exist.