
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Giuliano Ransomware and decrypt .Giuliano files

Originating from Italy, Giuliano is a ransomware-type program that uses a strong cryptographic algorithm (AES-256) to encrypt data securely. After blocking access to personal files, the extortionists try to deceive victims into paying for decryption. Victims can tell their files have been encrypted simply by looking at the extension: the virus appends the new ".Giuliano" extension to mark the blocked data. This means a file like 1.pdf becomes 1.pdf.Giuliano and loses its original icon. Information about file recovery is found in a text note called README.txt. The decryption instructions in this file are written in Italian. The cybercriminals inform victims of the successful infection and encourage them to follow the listed instructions: they say you should visit a GitHub page and fill out some forms. After this, the malware developers are likely to get in touch with their victims and demand a ransom. Payment is usually requested in BTC or another cryptocurrency used by the developers. Unfortunately, the ciphers applied by Giuliano Ransomware are strong and practically impossible to decrypt with third-party tools. For now, the best way to recover your files, aside from collaborating with the swindlers, is to use backup copies.

How to remove Rook Ransomware and decrypt .rook files

Rook is a dangerous ransomware virus that encrypts data and tries to blackmail users into paying a ransom. It is easy to distinguish from other versions because it assigns the .rook extension to all blocked data. This means a file like 1.pdf becomes 1.pdf.rook and loses its original icon once encryption succeeds. Right after this, Rook Ransomware creates a text note named HowToRestoreYourFiles.txt telling users how they can recover the data. The note says access to all the data can be restored only by contacting the swindlers and paying the ransom. Communication should be established by e-mail (rook@onionmail.org; securityRook@onionmail.org) or via the TOR browser link attached to the note. When writing to the cybercriminals, victims are offered to send up to 3 files (no more than 1Mb) and have them decrypted for free. This is how the cybercriminals demonstrate their decryption ability and, to some extent, their trustworthiness. Also, if you contact the extortionists within the given 3 days, they will offer a 50% discount on the price of decryption. If you miss this deadline, the Rook developers will start leaking your files to their network and abuse them on darknet pages afterward. They also claim that no third-party tools will help you recover the files.

How to remove HarpoonLocker Ransomware and decrypt .locked files

HarpoonLocker is the name of a recent ransomware infection reported by users on malware forums. The virus encrypts data with the AES-256 and RSA-1024 algorithms, making all restricted data cryptographically secure. As a result, users will no longer be able to access their own data stored on infected devices. HarpoonLocker assigns the .locked extension, which is commonly used by many other ransomware infections. This makes it more generic and sometimes hard to distinguish from similar infections. It also creates a text note (restore-files.txt) containing ransom instructions. The developers say all data has been encrypted and leaked to their servers. The only way to revert this and get the files back safely is to agree to pay the ransom. Victims are instructed to download the qTOX messenger and contact the extortionists there. There is also an option to try decryption of 3 blocked files for free. This is a guarantee given by the cybercriminals to prove they can be trusted. Unfortunately, there are no contacts apart from qTOX that victims could use to get into a discussion with the cybercriminals. Many cyber researchers joked that HarpoonLocker should also be called Unnamed qTOX Ransomware since there is nobody victims can talk to. For this and many other reasons, it is highly advised against meeting the listed demands and paying the ransom. Quite often cybercriminals fool their victims and do not send any decryption tools even after receiving the money.

How to remove NoCry Ransomware and decrypt .Cry or .IHA files

First found and researched by an independent expert named S!R!, NoCry is a ransomware program designed to encrypt data. This is a very popular scheme employed by ransomware developers to extort money from victims once their data has been locked. For now, there are two known versions of NoCry, differing in the extension assigned to blocked data: either .Cry or .IHA is appended to encrypted files. For instance, 1.pdf becomes 1.pdf.Cry or 1.pdf.IHA and its shortcut icon is reset to blank after being affected by the malware. The extortionists behind NoCry Ransomware demand payment for returning the data via an HTML file called How To Decrypt My Files.html. It also force-opens a pop-up window that victims can interact with to send the ransom and decrypt their data. The contents of both are identical and inform victims of the same thing. NoCry gives about 72 hours to send 100$ in BTC to the attached crypto address. If no money is delivered within the allocated time, NoCry will delete your files forever. This is an intimidation strategy meant to hurry victims into paying the demanded ransom quicker.

How to remove RansomNow Ransomware and decrypt your files

RansomNow is another file-encrypting virus issued by cybercriminals to extort money from desperate victims. It is very similar to the already-discussed Polaris Ransomware, as it runs the same encryption pattern with the AES and RSA algorithms. Another similarity between these ransomware attacks is that they do not attach any new extension to the enciphered data. Although the files do not undergo any significant visual changes, users will still be unable to open them. The virus also creates a text file called README TO UNLOCK FILES.txt that contains decryption instructions. The developers say victims can restore the data only by purchasing a special key. The price equals 0.0044 BTC, which is approximately 250$ at the moment of writing this article. Keep in mind that cryptocurrency rates change constantly, so there is a chance you will have to pay more or less even tomorrow. After sending the necessary amount of BTC, users should deliver proof of the transaction to the attached e-mail address (ransomnow@yandex.ru). In addition, the crooks list a couple of resources where the required cryptocurrency can be bought, in case you are new to the crypto world. They also strongly warn against manipulating the files yourself or with the help of third-party tools.

How to remove Decaf Ransomware and decrypt .decaf files

Decaf is categorized as a ransomware program designed to blackmail victims into paying money for the recovery of blocked data. Its first attacks were registered at the beginning of November 2021 and continue to affect multiple users. The virus uses its own extension, .decaf, which is assigned during encryption. For example, an encrypted file looks like "1.pdf.decaf". It is impossible to miss the infection because all files lose their accessibility and icons as well. After successfully applying its cryptographic ciphers, Decaf creates a text note named README.txt that contains information on how to recover your data. The cybercriminals say all server and PC data has been encrypted with strong algorithms that prevent any third-party decryption. The only possible way to restore access to all the data is to use a special "universal" decryptor held by the extortionists. To get further instructions regarding decryption, victims should write to the attached e-mail address (22eb687475f2c5ca30b@protonmail.com). From there, they will likely be informed about the price of the decryption software and ways to obtain it. As a rule, cybercrooks ask their victims to send varying amounts of money in some cryptocurrency to their wallets. The amount can range from hundreds to thousands of dollars for the restoration of data.

How to remove Polaris Ransomware and decrypt your files

Polaris is a ransomware program that uses a combination of the AES and RSA algorithms to encrypt users' data. Unlike other infections of this type, Polaris does not add any extension to the encrypted files. The only thing that changes is accessibility: victims are no longer able to open the stored data. To address this, the Polaris developers encourage their victims to read the recovery instructions in a file called WARNING.txt. The text note is created at the end of encryption and says you should contact the extortionists by e-mail (pol.aris@opentrash.com or pol.aris@tutanota.com). There is also an option to add the cybercriminals on Discord instead. When writing a message, victims should state the name of the company that was attacked. This is a clue that Polaris targets business networks, which can afford to pay the required ransom. The most common advice you will see on the web regarding ransom payments is to avoid them as much as possible. This is sound advice, because many cybercriminals fool their victims and never send any decryption tools.

How to remove Hamster Ransomware and decrypt .hamster files

If you have found that your files have a new .hamster extension and are no longer accessible, then you are infected with a virus called Hamster Ransomware. Infections of this type hack your PC settings in order to run encryption of data. They also apply some visual changes so that victims notice the result of the infection. After successful encryption, you will see a file like 1.pdf change to 1.pdf.hamster and its default icon reset to blank. The virus will also create a text note called How To decrypt.txt. As stated in the note, Hamster Ransomware penetrated your network and blocked access to most of the data. To get it back, victims are instructed to contact the cybercriminals with their assigned ID and purchase the decryption tool. Victims must reach out to the malware developers using the TOX messenger, which should be installed if it is absent. The fraudsters also advise you to contact them within 72 hours of the attack; this way, the price for complete data recovery will be reduced. It is also mentioned that the attackers will explain how they infiltrated your system and what can be done to fix the existing vulnerability in the future.