Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove FindNoteFile Ransomware and decrypt .findnotefile, .findthenotefile and .reddot files

FindNoteFile is the name of a ransomware infection that started hunting business users in June 2021. Just like other malware of this type, it uses AES+RSA algorithms to encrypt victims' data. FindNoteFile has been found distributed in 3 different versions. The only significant difference between them is the extension assigned to files after encryption (.findnotefile, .findthenotefile, or .reddot). For example, a file initially called 1.pdf will be renamed to 1.pdf.findnotefile, 1.pdf.findthenotefile, or 1.pdf.reddot depending on which version attacked your system. Then, as soon as encryption is over, the virus creates a text note called HOW_TO_RECOVER_MY_FILES.txt, which contains ransom instructions. The text inside is full of mistakes; however, it is still easy to understand what the cybercriminals want from their victims.

How to remove SLAM Ransomware and decrypt .SLAM files

SLAM is a ransomware-type virus that encrypts personal data to extort money from desperate users. In other words, it restricts access to data and keeps it locked until victims pay a certain ransom fee. To mark the encrypted data, the developers rename the compromised files with the .slam extension. To illustrate, a file like 1.pdf will be renamed to 1.pdf.slam and lose its original icon (in some cases). Then, after this part of the encryption is done, SLAM opens a window with information about the virus. Red text on a black background says that all files have been encrypted. In order to get them back, victims are asked to contact the cybercriminals using one of the e-mails attached to the note. Thereafter, victims are given the instructions needed to transfer the ransom payment. In addition, users are warned that shutting down the PC or using Windows applications (e.g. regedit, Task Manager, Command Prompt, etc.) is forbidden. Otherwise, the PC will be locked and unable to boot for as long as the virus is present. The same will happen unless you contact the extortionists within 12 hours. At this point, security researchers have not yet been able to find a tool that decrypts the data for free, without involving the cybercriminals. Paying the ransom is also a risk, as there is no guarantee that you will receive your files back. The best option in this situation is deleting SLAM Ransomware and restoring your data from backup copies. If you do not have backups created and stored in a separate location prior to the infection, then decrypting your files is almost impossible.

How to remove EpsilonRed Ransomware and decrypt .EpsilonRed files

EpsilonRed is another ransomware-type virus that targets personal data on infected systems. Once it locates the data it targets (normally databases, statistics, documents, etc.), the virus starts encrypting it with AES+RSA algorithms. The encryption process is hard to spot immediately, as victims usually become aware of the infection only after all files have changed their names. To illustrate, a file named 1.pdf would be renamed to 1.pdf.epsilonred. After this change, the file can no longer be opened. Besides targeting sensitive data, EpsilonRed is also known to alter the extension of executable and DLL files, which may prevent them from running correctly. The virus also drops several files that disable protective layers, clear Event Logs, and alter other Windows features once the infection has entered the system. At the end of encryption, EpsilonRed provides ransom instructions inside a note. The name of the file may vary, but most users reported HOW_TO_RECOVER.EpsilonRed.txt and ransom_note.txt text notes being created after encryption.

How to remove Gpay Ransomware and decrypt .gpay files

Gpay is a malicious program that encrypts stored data using the AES-256, RSA-2048, and ChaCha algorithms. Cybercriminals monetize their software by asking victims to pay money for data decryption. Before that, victims first notice sudden changes in file names. This is because Gpay renames all encrypted files with the .gpay extension. To illustrate, a file like 1.pdf will be renamed to 1.pdf.gpay after encryption is finished. After spotting this change, victims will also find a file called !!!HOW_TO_DECRYPT!!!.mht in every infected folder. The file leads to a web page displaying ransom instructions. It states that you can send up to 3 files to test their decryption abilities for free. This can be done by sending your files together with your personal ID to the gsupp@jitjat.org and gdata@msgden.com email addresses. The same addresses are used to obtain the payment address and purchase the decryption tools. Unless this is done within 72 hours, the cybercriminals are likely to publish the stolen data on darknet platforms. This is why getting trapped by Gpay is extremely dangerous: it poses a serious privacy threat. Depending on the price demanded for data decryption, victims can decide whether they need it or not.

How to remove DarkSide Ransomware and decrypt your files

Brought to light by MalwareHunterTeam, DarkSide is a malicious program that encrypts valuable data to demand money from victims. All connected networks exposed to this virus will be scanned and their data blocked from regular access. Just like other ransomware infections, DarkSide appends a unique extension to the end of each encrypted file. To be more specific, it appends the personal ID randomly generated for each victim. To illustrate, you are likely to see your files change from 1.xlsx to 1.xlsx.d0ac7d95, or similar, depending on which ID has been assigned to you. Then, as soon as this part of the process is done, the cybercriminals create a text note with decryption instructions (README.[victim's_ID].TXT).

How to remove Mammon Ransomware and decrypt .mammon files

Belonging to the Makop Ransomware family, Mammon is a dangerous virus that encrypts data for financial gain: it encrypts personal data with military-grade algorithms and demands a ransom payment from victims. To show that your data has been restricted, the extortionists append a string of symbols to each file name (consisting of random characters, the cybercriminals' e-mail address, and the .mammon extension). To illustrate, an original file like 1.pdf will be renamed to something like 1.pdf.[9B83AE23].[mammon0503@tutanota.com].mammon. As a result of this change, users will no longer be able to access the file. To deliver instructions on recovering the data, the cybercriminals create a text note called readme-warning.txt in each folder with encrypted data.

How to remove Calvo Ransomware and decrypt .calvo files

Calvo, part of the Phobos Ransomware family, is another malicious program that encrypts personal data using military-grade algorithms. Along with that, the virus also appends a string of symbols to each file. This string includes the victim's personal ID, the cybercriminals' e-mail, and the .calvo extension at the end. For example, a file like 1.pdf will be encrypted and renamed to 1.pdf.id[C279F237-3143].[seamoon@criptext.com].calvo. The same change will happen to the rest of the data stored on the PC. Once this stage of the infection is complete, Calvo creates two ransom notes (info.hta and info.txt) to guide you through the decryption process.

How to remove XHAMSTER Ransomware and decrypt .XHAMSTER files

Developed by the Phobos family, XHAMSTER is a ransomware-type infection that encrypts data. The encryption is not one-way: the attackers offer to unlock the infected data in exchange for a money ransom. When it comes to data encryption, the cybercriminals are usually the only party able to unlock your data. This is why they offer to sell you their software, which will supposedly help you regain access to your data. Before going deeper into the details, it is important to mention how XHAMSTER encrypts your data. Apart from blocking access, it also appends a string of symbols consisting of the victim's ID, an ICQ Messenger username, and the .XHAMSTER extension to the end of each file. To illustrate, a file like 1.pdf will be renamed to something like 1.pdf.id[C279F237-2797].[ICQ@xhamster2020].XHAMSTER at the end of encryption. Finally, once this process is done, the virus creates two files containing ransom instructions. One of them, info.hta, is displayed as a pop-up window in front of the user, while the other, info.txt, is placed on the victim's desktop.