How to remove Lilith Ransomware and decrypt .lilith files
Lilith is a ransomware infection that encrypts system-stored data and demands payment for file decryption. While rendering files inaccessible, the virus also appends the new .lilith extension to each infected sample. For instance, a file named 1.pdf will change to 1.pdf.lilith and reset its original icon as well. After this, cybercriminals lay out instructions on how to acquire decryption in a text note called Restore_Your_Files.txt. It is said that victims have three full days to contact developers. This should be done using the Tox messenger in Tor Browser. Should victims be late in meeting these demands, cybercriminals threaten to start leaking the collected data, supposedly to dark web resources. Although the price for decryption is calculated on an individual basis depending on how much valuable data has been encrypted, it still might be quite high considering ransomware's tendency to target business organizations.
How to remove JENNY Ransomware and decrypt .JENNY files
JENNY is the name of a new file-locker discovered by MalwareHunterTeam. Malware of this kind is normally designed to restrict access to data and demand that victims pay a ransom in crypto. After successfully infiltrating the system, the virus encrypts important pieces of data and also assigns the .JENNY extension. This means a file like 1.pdf will change to 1.pdf.JENNY and reset its original icon to blank. After this part is done, the ransomware replaces desktop wallpapers and features a pop-up window right on the screen. Unlike other ransomware infections, JENNY developers do not provide any decryption instructions. Victims are left confused with absolutely no contact information to use for reaching the cybercriminals. The reason could be that this ransomware is still under development and is likely being tested. This means decryption with the help of developers is impossible and that a complete version of JENNY may be released some day in the future.
How to remove BlueSky Ransomware and decrypt .bluesky files
BlueSky Ransomware is a devastating file encryptor. It restricts access to data and requests victims to pay a fee for its return. While running encryption of system-stored data, the virus also assigns the .bluesky extension to each affected sample. For instance, a file named 1.pdf will change to 1.pdf.bluesky and reset its original icon. From then on, files will no longer be accessible. To make victims pay the ransom, cybercriminals lay out identical decryption instructions in both the # DECRYPT FILES BLUESKY #.html and # DECRYPT FILES BLUESKY #.txt notes, which are created after encryption. Inside, extortionists say the only case when files can be recovered is if victims purchase a special decryption key and software. They also say that any third-party attempts to decrypt files without the help of cybercriminals may result in permanent damage to data. Victims are thereafter instructed to download Tor Browser and visit the provided web link. After following it, victims will be able to see the price for decryption and additional information such as how to create a wallet and purchase cryptocurrencies. The decryption price is set at 0.1 BTC ≈ $2,075 and is said to double in 7 days after the ransomware attack. Cybercriminals also offer to test decryption, as victims can send one blocked file and get it decrypted for free. Ransomware developers tend to do this in order to validate their trustworthiness and boost victims' confidence in paying the ransom.
How to remove FARGO Ransomware and decrypt .FARGO files
FARGO is a typical file-encryptor that restricts access to data and keeps it locked until the ransom is paid. It was also determined to be a new variant of the TargetCompany family. During encryption, the virus highlights affected files by adding a new .FARGO extension. For instance, a file originally titled 1.pdf will change to 1.pdf.FARGO and reset its icon to blank. After finishing file encryption, the ransomware creates a text file called FILE RECOVERY.txt that features decryption instructions. Cybercriminals say that the only path towards recovering data is to buy a special decryption tool. For this, victims are instructed to contact extortionists via their email address (mallox@stealthypost.net). It is also stated that victims should include their personally-generated ID in the message. To demonstrate that their decryption software actually works, threat actors offer free decryption of some non-valuable files. After receiving these files, extortionists promise to assign the price for decryption and give payment instructions. Unfortunately, we have to let you know that manual decryption without the help of ransomware developers is almost impossible.
How to remove Sheeva Ransomware and decrypt .sheeva files
Sheeva is a recently-discovered ransomware infection that targets Windows systems to encrypt potentially important data and demand payment from victims for its decryption. When we executed the virus on our machine, Sheeva encrypted mostly business-related files, which involved accounting, finance, and database information. It also renamed each file according to this pattern: id[victim's_ID].[Sheeva@onionmail.org].[original_filename].sheeva. For instance, a file named 1.xlsx was renamed to id[xmrJ9Lve].[Sheeva@onionmail.org].1.xlsx.sheeva and dropped its original icon. After this, the ransomware infection created a text file named sheeva.txt to feature decryption instructions. Cybercriminals say that victims will have to pay some amount of money (unspecified) in Bitcoins to retrieve unique decryption tools. For this, users are instructed to contact swindlers using either the Sheeva@onionmail.org or Sheeva@cyberfear.com e-mail address and also include their personally-generated ID. Victims are also allowed to send two files (under 5 MB) and get them decrypted for free. Many cybercriminals use this trick to show their decryption abilities and also motivate victims into further collaboration with them. Since Sheeva Ransomware targets business-related data, it is reasonable to assume that its scope narrows down to corporate rather than home users. This means the price for decryption, once announced, may be quite high and deter many victims from decryption. Unfortunately, unless a ransomware virus has serious bugs or is underdeveloped, manual decryption without the help of extortionists is almost impossible.
How to remove Checkmate Ransomware and decrypt .checkmate files
Checkmate is a new ransomware infection that encrypts large volumes of office data and demands that victims pay 15,000 USD for its decryption. The virus uses secure algorithms to encipher important pieces of data (e.g., documents, tables, databases, photos, etc.). During this process, all affected files get visually changed with the .checkmate extension. For instance, a file named 1.xlsx will change to 1.xlsx.checkmate and reset its original icon to blank. As a result, the data will no longer be accessible. Lastly, developers create a text note called !CHECKMATE_DECRYPTION_README.txt to explain how files can be decrypted. The text note states how many files have been encrypted and what can be done to reclaim them. As mentioned above, extortionists require victims to pay an equivalent of 15,000 USD in Bitcoin to their crypto wallet address. Additionally, swindlers offer to try free decryption by sending 3 encrypted files (no more than 15 MB each) through the Telegram Messenger. They will afterwards supply the victim with free decrypted samples and provide the wallet address for the ransom payment. After the money is transferred, cybercriminals promise to respond with decryption tools to unlock access to data. Unfortunately, at the moment of writing this article, there are no third-party tools that could allow free decryption without the direct help of cybercriminals. Means of encryption used by ransomware are usually very strong, making independent tools oftentimes useless with regard to decryption.
How to remove LIZARD (LANDSLIDE) Ransomware and decrypt .LIZARD or .LANDSLIDE files
LIZARD and LANDSLIDE are two very similar ransomware infections developed by the same group of extortionists. They both encrypt personal data and create identical text files (#ReadThis.HTA and #ReadThis.TXT) explaining how users can restore access to the restricted data. The two variants also rename encrypted files in the same way, with slight differences. Depending on which of the two affected your system, targeted files will be altered according to [DeathSpicy@yandex.ru][id=victim's_ID]original_filename.LIZARD or [nataliaburduniuc96@gmail.com][id=victim's_ID]original_filename.LANDSLIDE, which differ only in the cybercriminals' e-mail address and the final extension (.LIZARD or .LANDSLIDE) used at the end. After encryption is done, the virus creates the text files mentioned above with identical content. Victims are informed that, in order to decrypt the files, they have to contact swindlers through one of the given e-mail addresses. Cybercriminals say they will set an exact price for decryption to be paid by victims in Bitcoin (BTC). After this, they promise to send the decryption tool that will help affected users unlock the restricted data. In addition to this, cybercriminals offer to send a 100-200 KB size file along with the e-mail message. It will be decrypted for free and returned to victims as proof that ransomware developers are capable of decryption. Although cybercriminals are usually the only figures able to decrypt files completely, many security experts advise against paying the ransom.
How to remove Makop Ransomware and decrypt .mkp, .baseus or .harmagedon files
If you wonder why you are unable to access your data, then this could be because Mkp Ransomware, Baseus Ransomware or Harmagedon Ransomware attacked your system. These file-encryptors belong to the Makop ransomware group, which has produced a number of similar infections including Mammon, Tomas, Oled, and more. Whilst encrypting all valuable data stored on a PC, these versions of Makop assign the victim's unique ID, the cybercriminals' email address, and the new .mkp, .baseus or .harmagedon extension to highlight the blocked files. For instance, 1.pdf, which was previously safe, will change its name to something like 1.pdf.[10FG67KL].[icq-is-firefox20@ctemplar.com].mkp, 1.pdf.[7C94BE12].[baseus0906@goat.si].baseus or 1.pdf.[90YMH67R].[harmagedon0707@airmail.cc].harmagedon at the end of encryption. Soon after all files end up successfully renamed, the virus goes forward and creates a text file (readme-warning.txt) with ransom instructions.