Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove BlackZluk Ransomware and decrypt .blackZluk files

Discovered during an investigation of new submissions to VirusTotal, BlackZluk Ransomware is a potent ransomware variant that encrypts victims' files and demands a ransom for their decryption. The malware appends an additional extension, .blackZluk, to the filenames of the encrypted files, renaming files such as document.docx to document.docx.blackZluk. The ransomware employs sophisticated encryption algorithms, typically a mix of symmetric and asymmetric encryption, to make decryption difficult without the necessary decryption key. Once the files are encrypted, the ransomware generates a ransom note, titled #RECOVERY#.txt, usually placed in directories containing encrypted files and often displayed on the victim's desktop. This note informs victims of their predicament, detailing how their data has been encrypted and is being used as privacy or financial leverage for extortion.

How to remove ScRansom Ransomware and decrypt .Encrypted files

ScRansom Ransomware, designed to encrypt files on its victims' systems, primarily targets small and medium-sized businesses. It operates using sophisticated algorithms to lock data, ultimately extorting victims for money in exchange for decryption keys. This malicious software appends the .Encrypted extension to the filenames of affected documents, pictures, and other essential files, making them inaccessible to their owners. During the encryption process, files like 1.jpg are renamed to 1.jpg.Encrypted, obfuscating the contents and causing significant operational disruption. In addition to encrypting files, ScRansom leaves a ransom note named HOW TO RECOVERY FILES.TXT in the infected directories.

How to remove Colony Ransomware and decrypt .colony96 files

Colony Ransomware is a type of malware designed to encrypt data on the victim's computer and demand a ransom for its decryption. It first surfaced on VirusTotal, where researchers discovered its modus operandi. Once it has infiltrated a system, the malware encrypts files and appends a unique file extension that includes the attackers' email address and a variable string, most commonly seen as .colony96. For instance, a file initially named photo.jpg may be renamed to photo.jpg.[support2022@cock.li].colony96. These extensions can vary based on the specific variant of the ransomware. Upon completing the encryption process, Colony Ransomware creates and displays ransom notes through various visible means: a full-screen message preceding the user login screen, desktop wallpaper, and a text file labeled #Read-for-recovery.txt. These notes urge the victim to contact the attackers for decryption instructions, laying out specific communication steps to avoid their message getting lost.

How to remove Ior Ransomware and decrypt .ior files

Ior Ransomware is a malicious cryptovirus that belongs to the Dharma family, discovered during malware sample inspections on VirusTotal. It encrypts a victim's data, appending the victim's ID, a specific email address, and the .ior extension to filenames. Encrypted files are renamed systematically; for example, 1.jpg becomes 1.jpg.id-12345.[email].ior. The attack is identified through a pop-up window and a text file named manual.txt, informing the victim that their files have been locked and demanding ransom for decryption. The ransom note emphasizes the urgency, instructing victims to contact either jasalivan@420blaze.it or ja.salivan@keemail.me within 12 hours, and it promises free decryption of up to three small files to build trust.

How to remove XiN Ransomware and decrypt .XiN files

XiN Ransomware is a type of malicious software designed to encrypt a victim's data and demand payment for the decryption key. Belonging to the Xorist ransomware family, this malware appends the .XiN extension to the filenames of the encrypted files, making them inaccessible without the decryption key. For example, if the original file was named document.txt, it would appear as document.txt.XiN after encryption. The ransomware uses a sophisticated encryption algorithm that is often very difficult to break without the specific keys that are generated during the encryption process. This cryptographic technique ensures that the victim is compelled to pay the ransom to regain access to their files. Once the files are encrypted, XiN Ransomware creates a ransom note to inform the victim of the situation. This note appears both as a pop-up window and as a text file named HOW TO DECRYPT FILES.txt.

How to remove Trial_recovery Ransomware and decrypt .-encrypted files

Trial_recovery Ransomware is malicious software designed to encrypt valuable files on an infected computer and demand a ransom for their decryption. This ransomware specifically targets various file types, locking them behind a complex encryption process and renaming them with a distinctive pattern. Files affected by this malware will be renamed following the trial-recovery.[random_string].[random_string].-encrypted pattern, drastically altering their original names and extensions, so the .-encrypted extension is one of the signs of infection with this particular threat. The encryption uses a strong cryptographic algorithm that is often unbreakable without the unique decryption key held by the attackers. Victims will notice that their previously accessible files can no longer be opened and now carry a changed name and extension. Upon successful encryption, Trial_recovery Ransomware generates a ransom note titled how_to_decrypt.txt, which is typically placed on the infected system's desktop.

How to remove Luxy Ransomware and decrypt .luxy files

Luxy Ransomware is a severe form of malware designed to encrypt a victim’s files and demand a ransom payment in exchange for their decryption. It performs its malicious operations by appending the .luxy extension to the names of all encrypted files, thereby changing an original file like photo.jpg to photo.jpg.luxy. Once the encryption process is complete, Luxy creates a ransom note named [random_string].README.txt and places it in every folder containing encrypted files. The note informs the victim that their data has been encrypted using strong cryptographic algorithms, specifically AES256 encryption. The attackers demand a ransom of $980, offering a discount price of $490 if contacted within the first 72 hours. Victims are instructed to join the attackers' Discord server to receive further instructions on how to obtain the decryption tool and key.

How to remove Ownerd Ransomware and decrypt .ownerd files

Ownerd Ransomware is malicious software that encrypts data on infected systems and demands a ransom for decryption. This ransomware renames the encrypted files by appending the attacker’s email address and the .ownerd extension to each. For example, a file named document.jpg would be renamed to document.jpg.[ownerde@cyberfear.com].ownerd after encryption. The attackers use sophisticated cryptographic algorithms to ensure that the victims cannot access their files without paying the demanded ransom. Once the encryption process is complete, Ownerd Ransomware changes the desktop wallpaper and drops a ransom note titled #Read-for-recovery.txt, instructing the victim to email the attackers for data recovery.