Ransomware

Pay2Decrypt is a ransomware-type virus that encrypts personal data and blackmails victims into paying the so-called ransom. A ransom is usually some amount of money cybercriminals demand from users for file decryption. Each file encrypted by the virus will appear with the .PAY2DECRYPT extension and a set of random characters. To illustrate, a sample originally named 1.pdf will be changed to 1.pdf.PAY2DECRYPTRLD0f5fRliZtqKrFctuRgH2 resetting its icon as well. After this, users will no longer be able to open and view the encrypted file. Immediately after successful encryption, the ransom creates hundred text files with identical content - Pay2Decrypt1.txt, Pay2Decrypt2.txt, and so forth until Pay2Decrypt100.txt.

Sojusz is the name of a ransomware infection. It belongs to the Makop ransomware family that designs a number of different file encryptors. Sojusz blocks access to data and demands money for its decryption. The research showed it highlights encrypted files by assigning a random string of characters, ustedesfil@safeswiss.com email address, and the .sojusz extension. Latest versions of Sojusz used following extensions: .bec, .nigra, .likeoldboobs, .[BillyHerrington].Gachimuchi, This means a file like 1.pdf will be changed to 1.pdf.[fd4702551a].[ustedesfil@safeswiss.com].sojusz and become no longer accessible. After all targeted files end up encrypted this way, the virus creates a text file called -----README_WARNING-----.txt (later versions created also: !!!HOW_TO_DECRYPT!!!.txt, Horse.txt, README_WARNING_.txt and #HOW_TO_DECRYPT#.txt ransom notes).

Also known as R.Ransomware, Rozbeh is a ransomware infection that encrypts system-stored data to blackmail victims into paying money for its recovery. During encryption, it highlights blocked data by assigning random characters consisting of four symbols. For instance, a file like 1.pdf may change to 1.pdf.1ytu, 1.png to 1.png.7ufr, and so forth. Depending on what version of Rozbeh Ransomware made an attack on your system, instructions explaining how data can be recovered may be presented within text notes read_it.txt, readme.txt, or even in a separate pop-up window. It is also worth noting that the most recent ransom infection developed by Rozbeh swindlers is called Quax0r. Unlike other versions, it does not rename encrypted data and also displays its decryption guidelines in Command Prompt. In general, all the ransom notes mentioned above contain identical patterns of guiding victims to pay the ransom - contact malware creators through Discord or, in some cases, by e-mail and send 1 Bitcoin (about $29,000 now) to the crypto address of cybercriminals. After the payment is done, extortionists promise to send a file decryptor along with the necessary key to unlock encrypted data. Unfortunately, in the majority of cases, encryption methods used by cybercriminals to render files inaccessible are complex, making manual decryption near-impossible. You can give it a try using some third-party instruments in our tutorial below, however, we are unable to guarantee they will actually work.

ZareuS is the name of a ransomware infection that encrypts files and extorts an amount in crypto from victims. During encryption, the virus alters file appearance using the .ZareuS extension. In other words, if a file like 1.pdf ends up affected by the infection, it will be changed to 1.pdf.ZareuS and reset its original icon as well. Thereafter, to guide victims through the decryption process, cybercriminals create a text file called HELP_DECRYPT_YOUR_FILES.txt to each folder with no longer accessible data. It says the encryption occurred with the use of strong RSA algorithms. Victims are therefore instructed to buy a special decryption key, which costs 980$ and the amount has to be sent to the cybercriminals' crypto address. After doing so, victims have to notify about the completed payment by writing to lock-ransom@protonmail.com (e-mail address provided by the attackers). As an additional measure to incentivize victims into paying the ransom, extortionists propose to decrypt 1 file for free. Victims can do it and receive one file fully unlocked to confirm that decryption actually works. It is unfortunate to say this, but files encrypted by ZareuS Ransomware are almost impossible to decrypt without the help of cybercriminals. It may be only if ransomware is bugged, contains flaws, or other drawbacks alleviating third-party decryption. A better and guaranteed method to get back your data is to recover it using backup copies. If such are available on some non-infected external storage, you can easily substitute your encrypted files with them.

LokiLok is the name of a ransom infection. Upon successful installation onto a targeted system, it encrypts important files and blackmails victims into paying money for their decryption. We also discovered that LokiLok was developed on the basis of another ransomware virus called Chaos. Once encryption occurs, victims can see their data change with the .LokiLok extension. To illustrate, a file named 1.pdf will most change to 1.pdf.LokiLok and reset its original icon. After this, victims will no longer be able to access their data and ought to seek decryption instructions in the read_me.txt file. The virus also replaces default wallpapers with a new picture. Cybercriminals want victims to buy a special decryption tool. To do this, victims should contact extortionists using the attached e-mail address (tutanota101214@tutanota.com). Prior to buying the necessary software, it is also offered to send 2 small files - cybercriminals promise to decrypt and send them back to prove decryption abilities. In addition, the message also instructs against trying to use external recovery methods since it may lead to irreversible destruction of data. Whatever guarantees are given by ransomware developers, it is always not recommended to trust them. Many fool their victims and do not send the decryption software even after sending them money.

Pay Ransomware is, in other words, a file-encryptor that prevents users from accessing their own data. A recent investigation confirmed that this virus belongs to a group of ransomware developers known as Xorist. Similar to other infections of this type, the virus changes all encrypted files using the .Pay extension. To illustrate, a file named 1.pdf will change to 1.pdf.Pay and reset its original icon as well. After getting things done with encryption, Pay Ransomware displays a pop-up window and creates a text file titled HOW TO DECRYPT FILES.txt. Both of them contain identical information on how to return access to files. It is said that victims can restore access to files by paying 50$ to the Bitcoin address of cybercriminals. After completion, victims will have to contact extortionists via the qTox client and receive their decryption code. There is also a warning that 5 unsuccessful attempts to enter the right code will result in irreversible destruction of data. Following this, swindlers encourage victims to be more careful while doing the above-mentioned. Additionally, it is also said that no third-party software like antivirus will help, but only prevent further decryption of data. Unfortunately, what they outline in their messages can be true - some cybercriminals set up protection against manual attempts to decrypt blocked data. In such a case, the only option, if you are in burning need of restoring your files, is either to pay the required ransom or use your own backup copies from external storage to compensate for the loss.

CryptBIT encrypts system-stored files making them no longer accessible and also demands victims to pay 400EUR for data decryption. Infections operating this way are therefore categorized as ransomware. During encryption, CryptBIT highlights blocked data by adding new extension (.cryptbit). In other words, a file like 1.pdf will change to 1.pdf.cryptbit and reset its original icon as well. The same change will occur with other file types encrypted by ransomware. The virus also changes desktop wallpapers and creates a text file named CryptBIT-restore-files.txt into each encrypted folder. This file instructs victims on how to decrypt their data. The note displays text that all files have been encrypted and uploaded to external servers. It is, therefore, said that victims can recover their data, but have to send 400EUR (in bitcoins) to the attached crypto address. Cybercriminals also ask to include the victim's e-mail address, to which they promise to send the necessary file decryptor. Unfortunately, it is unclear how victims should do it. While performing cryptocurrency transfers, it is often (if not always) impossible to include additional information like e-mail. Thus, such technical misunderstandings already give strong reasons against trusting cybercriminals behind CryptBIT Ransomware. It is also possible that this ransomware is only a pilot version, and cybercriminals will distribute updated ransomware someday in the future. Whatever it is, paying the ransom is always not recommended.

Kekware is a recent ransomware-type virus. The main symptom of this infection successfully breaching the system is strong encryption of data. As a result, users will no longer be able to access or modify files as they used to do previously. Victims will also see a change in how their data appears - all encrypted samples get renamed according to the following pattern - [random_string].[original_extension][random_string].cyn. To illustrate, a file like 1.pdf may change to something like 7462.jpg7088.cyn and reset its original icon as well. After this part of encryption is done, the virus creates a file called YcynNote.txt, which holds decryption instructions. As said within the note, victims ought to pay a ransom of $500 in bitcoin to the attached cryptocurrency wallet. If victims decide to not follow the demands, cybercriminals say no decryption of data will ever be possible without their involvement. Unfortunately, at the moment of writing this article, this claim should indeed be taken quite seriously. If you do not have backup copies of data saved on external storage devices, you will have a bare chance to decrypt the Kekware data using third-party tools.