Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove SunCrypt Ransomware and decrypt .sun files

Sun, or SunCrypt, is classified as a cryptovirus that attacks systems to encrypt personal data. It first appeared in October 2019 and continues to infect users to this day. SunCrypt can be spotted on your PC the moment it changes your files by appending the .sun extension. Another version of SunCrypt has also been reported which applies a string of random symbols instead of a readable extension. A change to something like 1.mp4.sun or 1.mp4.G4D3519X58293C283957013M35DC8A2V0748D9845E7A5DBD6590E3F834C4638 means you are no longer able to access your data. To "recover" it, SunCrypt creates text notes (DECRYPT_INFORMATION.html or YOUR_FILES_ARE_ENCRYPTED.HTML) that contain ransom instructions. Although SunCrypt is mainly oriented towards English-speaking users, the note can also be switched to German, French, and Spanish. This considerably increases the flow of victims, allowing the developers to extend their business. As stated in the note, victims have to install the Tor browser and click on "Go to our website" to purchase the decryption software. The required fee may vary from case to case; however, no matter how low or high it is, we recommend against taking such a risk.

How to remove Dharma-259 Ransomware and decrypt .[259461356@qq.com].259 files

Dharma-259 is a ransomware-type infection belonging to the Dharma family, a group of developers that has had one of the biggest impacts on the malware industry. 259 complements their range of malicious programs and encrypts personal data with strong algorithms that prevent users from accessing it normally. As a result, every file is renamed with a string consisting of the personal ID, the cybercriminals' e-mail, and the .259 extension at the end. For instance, an ordinary 1.mp4 will be changed to something like 1.mp4.id-C279F237.[259461356@qq.com].259 and lose its default icon. Then, once the encryption process comes to a close, the virus force-opens a pop-up window and creates a text note called FILES ENCRYPTED.txt, both of which contain information on data recovery. As stated in both the pop-up and the note, victims have to contact the swindlers via e-mail, attaching their personal ID. In addition, you are allowed to send up to 1 file (less than 1 MB) for free decryption. Once the extortionists receive your message, you will be guided through the steps to purchase the decryption software. Sometimes the required fee may skyrocket beyond all limits, becoming unaffordable for most users. Even if you are ready to enrich the cybercriminals by buying their software, we recommend against it, because most users report a high risk of being fooled and not obtaining any tools to restore the data at all.

How to remove SifreCikis Ransomware and decrypt your files

Developed by a group of Turkish extortionists, SifreCikis is a ransomware infection that encrypts personal data and demands a fee for recovery. It applies a strong cipher to sensitive data using the AES and RSA algorithms. As a result, decryption of the files becomes hard to pull off, even with third-party tools. All data encrypted by SifreCikis receives a new extension following the pattern .{random-alphanumerical-sequence}. For example, a file like 1.txt will be changed to something like 1.txt.E02F4934FC5A. Then, after the encryption is done, users encounter a note called ***NA*** that contains ransom instructions. Unfortunately, the content of the note is hard to understand for non-native speakers; however, a group of researchers translated it and outlined the key information. It claims that you should contact the cyber criminals via e-mail and attach your personal ID in the message subject. You will then receive further instructions to purchase the decryption software (500$ in BTC). If there is no response from the extortionists, you are told to read the information through a link opened in the Tor browser. Malware researchers spotted that the domain name starts with sifrecikx, which is consonant with sifre cikis (meaning "cipher/password + exit" in Turkish). During the investigation, researchers also determined that SifreCikis could be a sibling of SifreCozucu, as the two look very similar with only minor differences.

How to remove Tripoli Ransomware and decrypt .crypted files

Tripoli is classified as a ransomware infection meant to encrypt personal data. Usually, the main targets are photos, videos, documents, and other files that can store sensitive data. After this virus attacks your system, all files receive the .crypted extension. Some victims reported that an extension like .tripoli also exists, meaning that there are two versions of Tripoli Ransomware. In fact, it does not matter which one penetrated your PC, because the way they work is almost the same. As a result of the encryption, all files are blocked from regular access: users are no longer able to open or change them. To fix this, the extortionists offer to walk victims through the steps listed in a text note (HOW_FIX_FILES.htm). The steps oblige victims to install the Tor browser and purchase decryption software at the attached address. The decision on making the payment has to be made within 10 days. We insist against following these fraudulent steps, as there is no guarantee that they will send you the promised tools. A better way is to delete Tripoli Ransomware and restore the lost files from an external backup (USB storage). If you do not have one, try using the guideline below to access your data.

How to remove FLAMINGO Ransomware and decrypt .FLAMINGO files

FLAMINGO is a malicious program designed to block access to a user's data by encrypting it with cryptographic algorithms. Although the ransomware is relatively new, it is already known that it marks encrypted data with the .FLAMINGO extension. For example, a file like 1.mp4 will be changed to 1.mp4.FLAMINGO following successful encryption. After this, users receive decryption steps in a text note called #READ ME.txt. According to them, victims have to send a test file via e-mail (not more than 3MB) to prove the decryption capabilities of the cybercriminals. Then you will get a reply with instructions to buy a decryption tool (in BTC). We have to warn you that manipulating files, restarting, or shutting down your PC can be unpredictably dangerous for your data. Ransomware developers often build in special routines that delete data completely if they detect attempts to tamper with it. Unfortunately, a guaranteed way to recover data encrypted by FLAMINGO has not been found just yet. You can only uninstall the virus to prevent further encryption. Decryption may be possible, but it has to be tested individually.

How to remove Phobos-Acuff Ransomware and decrypt .Acuff files

Developed by the Phobos Ransomware family, Acuff puts a strong lock on victims' data by encrypting it with cryptographic algorithms. This, in turn, blocks any attempt to recover the data completely. After the attack has taken place, you may see your files change to something like 1.mp4.id[C279F237-2275].[unlockfiles2021@cock.li].Acuff, which is a sign that your files have been infected. Acuff Ransomware uses the victim's ID, the cybercriminals' e-mail, and the .Acuff extension to mark the encrypted data. To "help" users restore their data, the extortionists offer to walk you through a note listing decryption instructions. The information can be found in two files called info.hta and info.txt that are created after encryption. The first step on the path to decryption is to contact the cyber criminals via e-mail (unlockfiles2021@cock.li or decryfiles2021@tutanota.com), attaching your personally generated ID. After that, the swindlers will respond with details on how to buy the decryption software. Before doing so, you are also offered the chance to send up to 5 files (less than 4MB and not archived) for free decryption. Although this activity may seem trustworthy, we recommend against meeting any requirements set by the developers of malware. Paying a large amount of money for the sake of file recovery would be a risk.

How to remove Bondy Ransomware and decrypt .bondy or .connect files

Bondy is a ransomware-type infection that targets various kinds of data by encrypting it with the potent RSA algorithm. It is usually distributed in two versions: the first assigns the .bondy extension, while the other uses .connect to mark victims' encrypted files. Thus, the infected data will appear as 1.mp4.bondy or 1.mp4.connect, depending on which version attacked your system. The last and most important part of the ransomware's activity is creating a text note (HELP_DECRYPT_YOUR_FILES.txt) to explain the decryption instructions. It is claimed that your data has been encrypted with RSA, an asymmetric cryptographic algorithm that requires a private key to unlock the data. That key is stored on the cybercriminals' server. It can be obtained only by paying 500$ in Bitcoin to the wallet attached in the note. Additionally, the extortionists offer to decrypt 1 file for free as evidence that they can be trusted. In fact, everything can go the other way: the cybercriminals may fool you and not provide any tools to recover your data. Statistics show that this happens to many users who venture to pay a ransom. Since there are no free tools that could unlock your data, the only and best way is to recover the files from an external backup, if one was created before the attack.

How to remove Netflix Login Generator Ransomware and decrypt .se files

Identified by Karsten Hahn, Netflix Login Generator is a malicious program categorized as ransomware. Initially, it is promoted as a tool to create a Netflix account for free, without purchasing a subscription. Instead of this, however, the program launches a ransomware payload that encrypts personal data (with the AES-256 algorithm). It comes as a real surprise to inexperienced users when they see their data locked and no longer accessible. The encrypted data can be clearly recognized by the new extension assigned to each file. For instance, an original sample like 1.mp4 will be changed to something like 1.mp4.se. Then, soon after the encryption, the virus drops a note called Instructions.txt and changes the desktop wallpaper to the content of the generated note. The enclosed information lays out the steps for data decryption. To perform it, the extortionists demand a transfer of 100$ in Bitcoin. An interesting and peculiar fact is that Netflix Login Generator self-terminates if your system is not running Windows 7 or 10. Whatever the case, if this malware persists on your system, you have to delete it and recover the data using an external copy of your files.