
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove 0xxx Ransomware and decrypt .0xxx files

0xxx is a ransomware infection that encrypts data on NAS devices (Western Digital My Book) using a combination of AES and RSA. The aim is to force victims into paying a ransom in exchange for the blocked data. Like other malware of this type, 0xxx appends its own extension (.0xxx) to every encrypted file: a file named 1.pdf becomes 1.pdf.0xxx after encryption. Files renamed this way can no longer be opened. Victims are directed to the ransom instructions in the !0XXX_DECRYPTION_README.TXT text note, which is dropped into each folder containing encrypted files. The note states that the data can be decrypted after paying a ransom of 300 USD in Bitcoin. Users are first told to contact the criminals by e-mail, including their unique ID and 3 files for a free test decryption. Once contact is established, victims receive the payment details for the transfer. Although the extortionists claim they have no intention of cheating anyone, there have been multiple cases in which users did not receive the decryption tools even after paying.

How to remove Redeemer Ransomware and decrypt .redeem files

Before getting to the removal, it is worth knowing what Redeemer Ransomware actually is. It is a file-encrypting virus that blocks access to data stored on a compromised system. To mark which files have been encrypted, Redeemer appends the .redeem extension to each of them: a file like 1.pdf becomes 1.pdf.redeem and loses its original icon. The system can no longer open the files while they are encrypted. To regain control over the data, victims are told to buy special decryption software together with a unique key. Details are given in the Read Me.TXT note, which is created once encryption is over. Below a Redeemer logo drawn from digits, the criminals demand 20 XMR (Monero), roughly 4000 USD at the time, for decrypting the data. Victims are then told to contact the extortionists by e-mail (test@test.test), attaching their personal ID key, in order to obtain a payment address for the transfer. Once the ransom is received, the promised recovery tools are supposedly provided.

How to remove Poteston Ransomware and decrypt .poteston files

Poteston is a ransomware infection that encrypts databases, photos, documents and other valuable data. The encryption is easy to spot from the new extension assigned to files: Poteston appends .poteston, so a file named 1.pdf becomes 1.pdf.poteston. Once renamed, the files can no longer be accessed. Recovery instructions are given in the readme.txt note. The note tells victims that all of the data mentioned above has been encrypted and that, to get it back, they must contact the criminals at their e-mail address (recovery_Potes@firemail.de). After contact is established, victims are supposedly given the details needed for a money transfer. Before paying, they are also offered to send one of the blocked files for free decryption, a trick many extortionists use to gain the victim's trust. Poteston's developers additionally warn against renaming encrypted files, since doing so can corrupt them and make decryption impossible.

How to remove MANSORY Ransomware and decrypt .MANSORY files

MANSORY is a ransomware infection that runs strong encryption over personal and business data. The process combines cryptographic algorithms with the appending of a new extension: MANSORY adds .MANSORY to each file it locks, so a file like 1.pdf becomes 1.pdf.MANSORY. After this change the blocked files are no longer accessible. To regain access to them, victims have to pay a ransom. Details are given in a text note called MANSORY-MESSAGE.txt, which is created once encryption is done. The first thing the criminals say is that gigabytes of valuable data have been downloaded to a location they control. The extortionists use this as leverage, threatening to publish the data if the victim refuses to pay. Victims can learn how much data was uploaded by contacting the criminals by e-mail (selawilsen2021@tutanota.com; dennisdqalih35@tutanota.com; josephpehrhart@protonmail.com), and so judge the value of what has fallen into the extortionists' hands. As already mentioned, not contacting the criminals is said to result in the gradual publication of the data stolen from the victim's network. To avoid this, victims are required to purchase the decryption software held by the criminals themselves, which is also what unlocks the blocked data. In addition, the developers of MANSORY Ransomware offer a free test decryption of 2 random files sent from other computers to their e-mail.

How to remove FindNoteFile Ransomware and decrypt .findnotefile, .findthenotefile and .reddot files

FindNoteFile is the name of a ransomware infection that began targeting business users in June 2021. Like other malware of this type, its developers use a combination of AES and RSA to encrypt victims' data. FindNoteFile has been found in 3 different versions. The only significant difference between them is the extension assigned to files after encryption (.findnotefile, .findthenotefile or .reddot). For example, a file initially called 1.pdf becomes 1.pdf.findnotefile, 1.pdf.findthenotefile or 1.pdf.reddot, depending on which version attacked the system. Once encryption is over, the virus creates a text note called HOW_TO_RECOVER_MY_FILES.txt containing the ransom instructions. The text inside is full of mistakes, but it is still easy to understand what the criminals want from their victims.

How to remove SLAM Ransomware and decrypt .SLAM files

SLAM is a ransomware-type virus that encrypts personal data in order to extort money from its victims. In other words, it restricts access to the data and keeps it locked until a ransom is paid. To make the encryption visible, the developers rename compromised files with the .slam extension: a file like 1.pdf becomes 1.pdf.slam and, in some cases, loses its original icon. After this stage of the encryption, SLAM opens a window with information about the virus. Red text on a black background states that all files have been encrypted. To get them back, victims are told to contact the criminals at one of the e-mail addresses in the note, after which they receive instructions for paying the ransom. Users are also warned that shutting down the PC or using Windows tools (e.g. regedit, Task Manager, the command prompt, etc.) is forbidden; otherwise, the note claims, the PC will be locked and will not boot while the virus is present. The same is threatened unless the extortionists are contacted within 12 hours. At the time of writing, security researchers have not found a tool that decrypts SLAM-encrypted data for free, without involving the criminals. Paying the ransom is also a risk, as there is no guarantee that the files will be returned. The best option in this situation is to remove SLAM Ransomware and restore the data from backup copies. Without backups created and stored in a separate location before the infection, recovering the files is almost impossible.

How to remove EpsilonRed Ransomware and decrypt .EpsilonRed files

EpsilonRed is another ransomware-type virus that targets personal data on infected systems. Once it has found the data it is after (normally databases, statistics, documents, etc.), it encrypts them with a combination of AES and RSA. The encryption is hard to spot immediately; victims usually become aware of the infection only after all files have been renamed. For example, a file named 1.pdf is changed to 1.pdf.epsilonred, which means the file can no longer be accessed. Besides targeting sensitive data, EpsilonRed is also known to change the extension of executable and DLL files, which can prevent them from running correctly. The virus also drops several files that disable protective layers, clear the Windows Event logs and tamper with other Windows features once it has entered the system. At the end of encryption, EpsilonRed presents ransom instructions in a note. The file name varies, but most users reported HOW_TO_RECOVER.EpsilonRed.txt and ransom_note.txt being created after encryption.

How to remove Gpay Ransomware and decrypt .gpay files

Gpay is a malicious program that encrypts stored data using the AES-256, RSA-2048 and ChaCha algorithms. The criminals monetize it by demanding payment for data decryption. Victims first notice a sudden change in file names, because Gpay renames all encrypted files with the .gpay extension: a file like 1.pdf becomes 1.pdf.gpay once encryption is finished. Victims also find a file called !!!HOW_TO_DECRYPT!!!.mht in every affected folder; it opens as a web page displaying the ransom instructions. The note says that up to 3 files can be sent, together with the personal ID, to gsupp@jitjat.org and gdata@msgden.com for a free test decryption. The same addresses are used to obtain the payment address and purchase the decryption tools. Unless the victim does so within 72 hours, the criminals threaten to publish the stolen data on darknet platforms, which makes a Gpay infection a serious privacy threat as well as a data-loss one. Victims can weigh the price demanded against the value of their data, bearing in mind that paying never guarantees a working decryptor.
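Every entry above names the extension the family appends and, in most cases, the ransom-note file name it drops, which is exactly what a responder looks for first when triaging a suspected infection. The Python script below is an added example written for this page, not code from BugsFighter.com or from any of the families described. It builds a constructed sample directory tree (the file contents are invented), walks it, classifies files case-insensitively by the extensions and note names quoted in the excerpts, extracts contact e-mail addresses from the notes, and discards a generic note name such as readme.txt unless encrypted files of the same family are present, since that name is common on clean systems.

```python
"""Triage a directory tree for traces of the ransomware families listed above.

Added example for this page; not code from BugsFighter.com or from any of the
families described. The FAMILIES table contains only extensions and note names
quoted in the excerpts; the sample tree built by build_sample_tree() is invented.
"""
import os
import re
import tempfile
from pathlib import Path

# family -> (encrypted-file extensions, ransom-note file names), lower-cased so
# that matching is case-insensitive (the page writes both .MANSORY and .mansory).
FAMILIES = {
    "0xxx":         ({".0xxx"}, {"!0xxx_decryption_readme.txt"}),
    "Redeemer":     ({".redeem"}, {"read me.txt"}),
    "Poteston":     ({".poteston"}, {"readme.txt"}),
    "MANSORY":      ({".mansory"}, {"mansory-message.txt"}),
    "FindNoteFile": ({".findnotefile", ".findthenotefile", ".reddot"},
                     {"how_to_recover_my_files.txt"}),
    "SLAM":         ({".slam"}, set()),  # shows a window; no note file is named
    "EpsilonRed":   ({".epsilonred"}, {"how_to_recover.epsilonred.txt", "ransom_note.txt"}),
    "Gpay":         ({".gpay"}, {"!!!how_to_decrypt!!!.mht"}),
}
# Note names common on clean systems; reported only alongside encrypted files.
GENERIC_NOTES = {"readme.txt"}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def classify(path):
    """Return (family, 'file' | 'note') for a suspicious path, or None if benign."""
    path = Path(path)
    name, suffix = path.name.lower(), path.suffix.lower()
    for family, (exts, notes) in FAMILIES.items():
        if name in notes:
            return family, "note"
        if suffix in exts:
            return family, "file"
    return None


def triage(root):
    """Walk root; per family return encrypted-file count, note paths and e-mails."""
    root = Path(root)
    summary = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            hit = classify(p)
            if hit is None:
                continue
            family, kind = hit
            entry = summary.setdefault(family, {"files": 0, "notes": [], "emails": set()})
            if kind == "file":
                entry["files"] += 1
                continue
            entry["notes"].append(p.relative_to(root).as_posix())
            try:  # notes are small text/.mht files; pull contact addresses out of them
                text = p.read_text(errors="replace")
                entry["emails"].update(m.lower() for m in EMAIL_RE.findall(text))
            except OSError:
                pass
    for family, entry in list(summary.items()):
        only_generic = all(Path(n).name.lower() in GENERIC_NOTES for n in entry["notes"])
        if entry["files"] == 0 and only_generic:
            del summary[family]  # a lone readme.txt is not evidence of Poteston
        else:
            entry["notes"].sort()
            entry["emails"] = sorted(entry["emails"])
    return summary


def build_sample_tree(root):
    """Write a constructed sample tree: two infected folders and one clean one."""
    root = Path(root)
    docs, share, src = root / "Documents", root / "share", root / "src"
    for d in (docs, share, src):
        d.mkdir(parents=True, exist_ok=True)
    (docs / "1.pdf.0xxx").write_bytes(b"\x00" * 16)  # placeholder, not real ciphertext
    (docs / "2.docx.0xxx").write_bytes(b"\x00" * 16)
    (docs / "!0XXX_DECRYPTION_README.TXT").write_text(
        "Your files were encrypted. Send your ID and 3 files for a free test.\n")
    (share / "db.sql.MANSORY").write_bytes(b"\x00" * 16)
    (share / "MANSORY-MESSAGE.txt").write_text(
        "Write to selawilsen2021@tutanota.com or josephpehrhart@protonmail.com\n")
    (src / "readme.txt").write_text("Build instructions\n")  # benign, generic name
    (src / "main.c").write_text("int main(void) { return 0; }\n")


def run_demo():
    """Build the sample tree in a temporary directory and return its triage summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for family, entry in run_demo().items():
        print(f"{family}: {entry['files']} encrypted file(s); notes {entry['notes']}; "
              f"contacts {entry['emails'] or 'none'}")
```

Run it against a real share by calling triage() on the mounted path instead of the sample tree. The extension match is deliberately exact rather than a substring search, and the note check is by full file name, so ordinary files such as main.c or a project's own readme.txt are not flagged; the e-mail addresses it pulls out of a note are the same ones the page tells victims they would otherwise have to read off the note by hand, which is useful for matching an incident against the family descriptions above.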