How to remove Allock Ransomware and decrypt .allock8 files
While inspecting new submissions to VirusTotal, researchers identified Allock Ransomware, a member of the MedusaLocker ransomware family. It renames files with a specific extension, notably .allock8, which can vary with the virus iteration. The ransomware employs sophisticated RSA+AES encryption, making file recovery difficult without the attackers' involvement. Upon completion of the encryption process, it creates a ransom note named how_to_back_files.html and places it prominently on the desktop. This note informs victims of the data breach and demands payment for the decryption tools, along with the threat of leaking or selling stolen data if payment isn't made.
How to remove DEMON Ransomware and decrypt .DEMON files
DEMON Ransomware is a pernicious form of malware discovered by GrujaRS that encrypts users' files using strong encryption algorithms, rendering them inaccessible without a decryption key. Often infiltrating computers through spam campaigns, fake software updaters, and untrusted download sources, it adds the .DEMON extension to each encrypted file. For example, document.docx becomes document.docx.DEMON, clearly marking the files as compromised. After encryption, the ransomware creates a README.txt file in all directories containing encrypted files and displays a ransom note in a pop-up window, demanding a hefty $10,000 in Bitcoin to decrypt the affected files. According to the ransom note, victims have a narrow window of 600 minutes (10 hours) to comply, or their data will be destroyed or sold to third parties.
How to remove W64.AIDetectMalware
W64.AIDetectMalware is a detection label used by the antivirus engine Bkav Pro to identify files that exhibit characteristics similar to known malware. Despite its alarming name, this detection often results in false positives, especially when scanning files on platforms like VirusTotal. This occurs because the heuristic algorithms employed by Bkav Pro can be overly broad, flagging benign files as threats based on pattern recognition. Commonly, legitimate executable files such as Setup.exe or plugins for popular software may be incorrectly tagged. While it's not always a cause for immediate concern, multiple antivirus engines flagging the same file should prompt a closer inspection. Users encountering this detection are advised to conduct thorough scans using multiple security tools to confirm the presence of malware. If confirmed, prompt removal of the identified threats is crucial to maintaining system security.
How to remove LUCKY (Makop) Ransomware and decrypt .LUCKY files
LUCKY Ransomware, discovered as part of the Makop ransomware family, is a malicious program designed to encrypt files and demand ransom from the victims for their decryption. Once it has infiltrated a system, it appends each encrypted file's name with a unique ID, the attackers' email address, and a .LUCKY extension. For instance, a file named document.jpg would be renamed to something like document.jpg.[uniqueID].[givebackdata@mail.ru].LUCKY. After file encryption is completed, the ransomware generates a ransom note titled +README-WARNING+.txt, typically found in multiple directories on the infected device. This note informs the victim that their files have been encrypted and provides instructions for contacting the attackers and making the ransom payment, often in cryptocurrency like Bitcoin.
How to remove Devil Ransomware and decrypt .devil files
Devil Ransomware is a malicious program and part of the broader Phobos ransomware family. It renames encrypted files by appending the victim's ID, the developer's email address, and the .devil extension to filenames. For instance, a file named image.jpeg would be altered to image.jpeg.id[unique-ID].[email].devil. This ransomware employs strong encryption algorithms, typically AES-256, to lock users' files, making them inaccessible without the unique decryption key held by the attackers. Upon infection, Devil Ransomware generates a ransom note in the form of a text file named info.txt and a pop-up window using info.hta. These notes provide instructions on contacting the cybercriminals and making a ransom payment, usually in Bitcoin, in exchange for the decryption tool.
How to remove Saturn Ransomware and decrypt .saturn files
Saturn Ransomware is a sophisticated type of malware designed to encrypt files on infected systems and demand a ransom for their decryption. It was first identified by MalwareHunterTeam and operates as a Ransomware as a Service (RaaS), allowing cybercriminals to freely distribute the malware in exchange for a cut of the profits. Upon infecting a system, Saturn Ransomware appends the .saturn extension to the filenames of encrypted files, rendering them unusable (e.g., sample.jpg becomes sample.jpg.saturn). While it is currently unclear whether it uses symmetric or asymmetric cryptography, the encryption is robust, creating unique keys for each victim that are stored on a remote server controlled by the attackers. After successfully encrypting files, Saturn Ransomware creates several ransom notes, including #DECRYPT_MY_FILES#.txt, which are placed on the desktop of the infected machine.
How to remove 1BTC Ransomware and decrypt .1BTC files
Discovered by Jakub Kroustek, 1BTC Ransomware is a malicious variant that stems from the infamous Dharma ransomware family. It operates by encrypting a vast array of files stored on the victim's system using the RSA-1024 encryption algorithm, making them inaccessible without a unique decryption key. Upon successful encryption, 1BTC appends each file with a specific extension that includes the victim's unique ID, the developer's email address, and the .1BTC extension. For example, a file originally named "sample.jpg" might be renamed to sample.jpg.id-{random-ID}.[btcdecoding@foxmail.com].1BTC. Following this, the ransomware creates a ransom note in the form of a pop-up window and a text file named RETURN FILES.txt, which is typically placed on the desktop. These notes instruct the victim to contact the ransomware developers via email and provide details on how to pay the ransom in Bitcoin to receive the decryption key.
How to remove MobiDash virus (Android)
MobiDash virus refers to a type of adware specifically designed to target Android devices. This malicious software often comes embedded within legitimate applications that have been repackaged with an Ad SDK, making it easy to introduce into the ecosystem. Once installed, MobiDash exhibits a unique behavior by waiting approximately three days before displaying intrusive pop-up ads, which can lead to user frustration. Commonly distributed through third-party app stores, this adware can be challenging to identify, as it often masquerades as benign applications. Although the primary harm caused by MobiDash is the annoyance of persistent ads, it poses a risk if users click on these advertisements, potentially leading to further infections. To protect against MobiDash, users can rely on security solutions like Malwarebytes for Android, which can detect and remove these unwanted applications. Identifying the offending app may require some diligence, but removing it restores normal device functionality. Awareness and caution in app downloading practices are essential to avoid falling victim to MobiDash and similar threats.