How to remove Terminator Ransomware and decrypt .terminator files
Terminator Ransomware is a type of malicious software designed specifically to encrypt data on the victim’s computer and subsequently demand a ransom for decryption. Upon infecting a system, it renames encrypted files by appending the string .terminator to the file names, along with the attacker's email address. For instance, a file named 1.jpg would be renamed to 1.jpg.decryptboss@gmail.com.terminator. This ransomware utilizes advanced cryptographic algorithms that make manual decryption almost impossible without the correct decryption key, which is only provided by the cybercriminals. After the encryption process is complete, a ransom note titled ----Read-Me-----.txt is dropped into various folders containing the encrypted data. This note contains instructions on how to contact the attackers and the payment requirements for the decryption key.
How to remove Bixi Ransomware and decrypt .bixi files
Bixi Ransomware is a malicious program designed to encrypt files on the victim's system, rendering them inaccessible and demanding a ransom for their decryption. It specifically targets various file types, appending a unique .bixi extension to the original filenames, such as transforming 1.jpg into 1.jpg.bixi and 2.png into 2.png.bixi. The ransomware employs advanced cryptographic algorithms, making it exceptionally challenging to decrypt the files without the actual decryption key, which is held by the attackers. After successful encryption, !_INFO.txt, a ransom note, is automatically generated and placed in numerous directories, including the desktop, to notify the victim of the breach and instruct them on how to pay the ransom, typically in cryptocurrencies like Bitcoin. The note usually warns against using third-party decryption tools or attempting to rename the encrypted files, as these actions could lead to permanent data loss.
How to remove Cicada 3301 Ransomware and decrypt your files
Originating in the summer of 2024, Cicada 3301 Ransomware is a formidable cyber threat designed to encrypt data and extort victims for payment. Written in the Rust programming language, it is a Ransomware-as-a-Service (RaaS), meaning it is available for use by other cybercriminals through a subscription model. Once activated on a victim’s system, this ransomware employs the ChaCha20 cryptographic algorithm, known for its swift and robust symmetric encryption, making decryption without the correct key an insurmountable challenge. The ransomware appends affected files with a seven-character random extension, drastically altering their original names and rendering them inaccessible. For example, a file named 1.jpg may appear as 1.jpg.f11a46a1 post-encryption. Upon completion of the encryption process, the malware drops a ransom note named RESTORE-[file_extension]-DATA.txt on the victim's system, detailing the attack and outlining the ransom demand.
How to remove Trojan:Win32/Fauppod!ml
Trojan:Win32/Fauppod!ml is a machine learning-based detection name assigned by Microsoft Defender to a type of malware primarily identified by its behavior rather than traditional signature methods. This malware is designed to steal sensitive information, particularly targeting online banking credentials. It typically spreads through malicious email attachments or dubious downloads from untrustworthy sources. Once executed, the malware checks for other instances of itself and utilizes process hijacking techniques to evade detection. It disables system defenses by manipulating registry keys and injects itself into legitimate processes like svchost.exe and wmiadap.exe, making its activities difficult to trace. Communication with its command and control (C2) servers often involves both standard and non-standard ports, and it sometimes uses compromised websites to mask its network traffic. Although this detection usually indicates a genuine threat, heuristic detections like Fauppod!ml can occasionally result in false positives, making third-party anti-malware solutions valuable for confirmation and removal.
How to remove Trojan:Win32/Leonem
Trojan:Win32/Leonem is a sophisticated spyware variant that primarily targets sensitive login data on compromised systems. This malware is typically spread through malicious documents or disguised as legitimate software, making it a deceptive threat. Once installed, it can perform keylogging, collect browser passwords, cookies, and cache, and even seek out stored credentials in email clients. Leonem also attempts to disable security software, modify system settings, and ensure persistence by running at each system boot. Beyond its primary data-stealing function, it can also act as a malware dropper, often deploying ransomware or backdoors. The malware uses legitimate processes to detect sandbox environments and virtual machines, which helps it evade detection. Ultimately, Leonem exfiltrates collected data to its command server, often using Discord webhooks for this purpose.
How to remove Trojan:Win32/HeavensGate.RPY!MTB
Trojan:Win32/HeavensGate.RPY!MTB is a heuristic detection designed to generically identify a type of Trojan Horse malware. This malicious software can perform a variety of harmful activities once it infiltrates a system. Common behaviors include downloading and installing additional malware, recording keystrokes, and sending sensitive information such as usernames and browsing history to remote attackers. It may also grant unauthorized access to the infected PC, enabling hackers to control it remotely. Some variants inject advertising banners into web pages, engage in click fraud, or even use the system's resources to mine cryptocurrencies. Identifying and removing this Trojan is crucial as it poses significant risks to data security and system integrity. Users should regularly update their antivirus software and remain vigilant when downloading programs or clicking on suspicious links to mitigate such threats.
How to remove BlackZluk Ransomware and decrypt .blackZluk files
Discovered during an investigation of new submissions to VirusTotal, BlackZluk Ransomware is a potent ransomware variant that encrypts victims' files and demands a ransom for their decryption. The malware appends an additional extension, .blackZluk, to the filenames of the encrypted files, renaming files such as document.docx to document.docx.blackZluk. The ransomware employs sophisticated encryption algorithms, typically a mix of symmetric and asymmetric encryption, to complicate decryption without the necessary decryption key. Once the files are encrypted, the ransomware generates a ransom note, titled #RECOVERY#.txt, usually placed in directories containing encrypted files and often displayed on the victim's desktop. This note informs victims of their predicament, detailing how their data has been encrypted and how it will be used as leverage for extortion, whether through threats to privacy or financial demands.
How to remove ScRansom Ransomware and decrypt .Encrypted files
ScRansom Ransomware, designed to encrypt files on its victims' systems, primarily targets small and medium-sized businesses. It operates using sophisticated algorithms to lock data, ultimately extorting victims for money in exchange for decryption keys. This malicious software appends the .Encrypted extension to the filenames of affected documents, pictures, and other essential files, making them inaccessible to their owners. During the encryption process, files like 1.jpg are renamed to 1.jpg.Encrypted, obfuscating the contents and causing significant operational disruption. In addition to encrypting files, ScRansom leaves a ransom note named HOW TO RECOVERY FILES.TXT in the infected directories.