
Viruses

Discover essential defenses in the “Viruses” category at BugsFighter.com, where we provide comprehensive coverage on combating the myriad of digital threats that can compromise your devices and privacy. This section is dedicated to identifying, understanding, and removing viruses that affect computers, smartphones, and other digital platforms. From detailed analysis of new and evolving threats to step-by-step removal guides, our content is crafted to empower users with the knowledge they need to protect themselves. Whether you’re dealing with a stubborn infection or seeking to prevent future attacks, our expert advice and practical solutions are here to safeguard your digital life.

How to remove Egregor Ransomware and decrypt your files

Egregor is ransomware belonging to the Sekhmet family, which has spawned several variants. In this case, users reported an infection called Egregor that encrypts private data and demands payment for decryption. Depending on which version attacked the system, the encryption process may differ slightly. For example, Egregor may append the .egregor extension to each encrypted file, so that a file looks like 1.mp4.egregor. Alternatively, files may receive a string of randomly generated characters as an extension (1.mp4.WaBuD). Once encryption is finished, the virus creates a note called RECOVER-FILES.txt containing step-by-step instructions for recovering the compromised data. It states that victims must contact the cybercriminals within 3 days via the attached browser link; if the deadline passes, the extortionists threaten to publish the sensitive data across the web. The fee demanded for recovery varies and can exceed thousands of dollars, especially when the data is of significant value to its owners. Unfortunately, no free tools are available to decrypt files affected by Egregor. At this moment, the only feasible way to recover data is from an external backup created prior to the encryption.

How to remove RenameX12 Ransomware and decrypt your files

RenameX12 is a ransomware infection that encrypts files of many types. Unlike similar infections, it does not append any extension or symbol to mark the encrypted files, so all data appears unchanged even after the attack. The extortionists do this deliberately to stop users from identifying the ransomware and finding ways to decrypt their files. Despite this, security experts managed to identify the virus through the text note (New Text Document) it creates after encryption. This note contains instructions supposedly to help you recover the locked data: the swindlers ask victims to contact them via one of the attached e-mail addresses, and after the ransom is paid (usually in Bitcoin) you are promised decryption tools to decipher the data. However, this is a huge risk, since there is no evidence that the attackers can be trusted to deliver. The best way to recover is to delete the ransomware itself and restore data from an external backup, if one was created prior to the encryption.

How to remove Mount Locker Ransomware and decrypt your files

Mount Locker is a file-encrypting program that targets data on business networks. It marks encrypted files by appending a new extension consisting of ReadManual and a string of random characters. For instance, after encryption, victims will see a file change from 1.mp4 to 1.mp4.ReadManual.5B975F6B. An interesting detail: as one victim reported, some files that were renamed after the intrusion were not actually encrypted at all; they were only affected visually. Whatever the case, Mount Locker always drops a note called RecoveryManual.html with step-by-step instructions on how to recover the locked files. It warns that no attempt should be made to decrypt files manually, as this may result in permanent loss. To restore the data, the cybercriminals ask victims to follow a Tor browser link and pay the ransom in BTC. Because Mount Locker targets IT companies, the demanded fee can be extremely high. Even so, paying remains the only way to obtain the attackers' decryptor, since no free decryption method exists. Files can only be restored from an external backup that was created and disconnected prior to the infection.

How to remove FindZip Ransomware and decrypt .crypt files (Mac)

Back in 2017, the Mac world encountered a new threat: FindZip Ransomware. It was found disguised as cracks for Adobe Premiere Pro and Microsoft Office, promoted on piracy websites. When you open the downloaded file, you are presented with a transparent window. FindZip does not infect users by force: to launch the encryption, you have to click the "Start" button. The client then pretends to run a cracking process while turning the contents of your desktop into an encrypted mess. All files are ciphered by placing them in zip archives that carry the .crypt extension. Remarkably, the encryption keys created by FindZip are not stored on the attacker's server at all, so even after sending 0.25 BTC to purchase a decryption key, you will not receive any of the promised tools to recover the data. Interestingly, the virus behaves inconsistently: it does not touch Time Machine backups or external devices. Even though FindZip used strong algorithms for its time, experts at the Malwarebytes laboratory found a way to decrypt files without permanent loss.

How to remove Tomas Ransomware and decrypt .tomas files

Tomas is a high-risk threat classified as ransomware. Infections of this type use special algorithms to encrypt personal data and demand money from victims, and Tomas is no exception: it targets many kinds of data, including images, videos, text files, and other valuable content. When Tomas appears on your system, it disables protective services and starts encrypting data. During this process, the virus changes the stored file names beyond recognition. For instance, a file like 1.mp4 is renamed using a long string of symbols, like this: 1.mp4.[E3CEFA3F].[tomasrich2020@aol.com].tomas. This pattern consists of the original filename, the victim's personal ID, the cybercriminals' e-mail address, and the .tomas extension at the end. Once the process is done, Tomas creates a note called readme-warning.txt explaining how to decrypt your data. The cybercriminals try to calm you down after such a big loss by saying that your files can be decrypted; the only thing required is buying a decryption key that may cost more than a monthly salary, approximately 3000 dollars, accepted only in Bitcoin.

How to remove KeRanger Ransomware and decrypt .encrypted files (Mac)

Back in 2016, KeRanger became the very first ransomware to attack Mac users. Most victims were stunned to find their data locked after downloading a legitimate BitTorrent client called Transmission. At the time, cybercriminals had managed to compromise the project's website and embed the file-encrypting virus into a new version that was about to be released. As a result, users inadvertently picked up the malware simply by updating an application they had already installed. Unfortunately, laboratories have not identified a way to decrypt the affected data. Instead, victims are offered a paid solution: buying a decryption program. The transaction has to be made via the Tor browser by paying 1 BTC (around 407 at that time; Bitcoin is now worth roughly $5,260). The extortionists also claim that they will answer any of your questions if you are genuinely motivated to pay the ransom, and you can decrypt 1 file for free via the Tor page linked in the note. As mentioned, third-party tools are currently unable to decipher the locked data.

How to remove AgeLocker Ransomware and decrypt your files (Mac)

While most ransomware developers focus on infecting Windows-based systems, AgeLocker targets Mac and Linux instead. The ransomware positions itself as a business-oriented threat that spreads within corporate networks; however, attacks on regular users happen as well. The encryption process looks very similar to that on Windows, the only difference being the extensions and file formats used. AgeLocker runs the encryption process through its own command-line tool. Files impacted by AgeLocker are assigned personalized extensions based on user names. It is impossible to tell which file was which, because AgeLocker ciphers the original name and appends a random extension at the end. Some people reported that their files received the .sthd2 extension and that the names of encrypted files begin with the age-encryption.org URL. Once all files have been locked, the virus sends a ransom note (security_audit_.eml) to the victim's e-mail.

How to remove AESMewLocker Ransomware and decrypt .locked files

AESMewLocker Ransomware is a real menace that targets your data by encrypting it with the AES algorithm, which is nothing unusual in the ransomware world. The virus popped up on multiple forums a couple of days ago and raised one big question among its victims: how to decrypt the files? For now, there are no viable ways to unlock files, which receive the .locked extension after the infection. All of your files become inaccessible and can be unlocked only if you meet the swindlers' demands and pay for the decryption key. The key itself is not cheap: you have to spend 0.05 BTC and contact the extortionists to get decryption instructions. All of this information is stated in a ransom note (READ_IT.txt) created after successful encryption.