Ransomware

Beijing is a ransomware-classified infection that encrypts access to data and demands that victims pay money for its decryption. This file encryptor is also likely released by the same cybercriminals who previously developed another ransomware named LeakTheMall. During encryption, victims will see their files change visually - it is the new .beijing that will be eventually added to them. For instance, an originally named 1.pdf will change to 1.pdf.beijing and become no longer accessible. After this, the virus creates text instructions in !RECOVER.txt explaining what should be done to recover the data.

Trigona is the name of a ransomware virus that encrypts data of corporate users (e.g., companies) and demands money for file decryption. During encryption, it appends the new ._locked extension (for instance, 1.pdf._locked) and creates a file named how_to_decrypt.hta after successful completion. This file contains instructions with steps on what victims should do to decrypt their data. It is said all critical information, such as documents, databases, local backups, and so forth has been encrypted and leaked. Cybercriminals also mention that file decryption is impossible without their direct involvement. Also, it is mentioned that data of those who refuse to collaborate with cybercriminals will be sold to figures potentially interested in its abuse. To prevent all of this, threat actors guide victims to open a decryption page via the TOR Browser and contact the ransomware developers.

Bazek is a virus infection that features all the traits inherent to ransomware. Put simply, it encrypts access to data (using AES-256 algorithms) and asks victims to contact cybercriminals in order to get a special decryption key. During encryption, the virus also assigns the new .bazek extension to each targeted file. To illustrate, a file named 1.pdf will change to 1.pdf.bazek and lose its original icon as well. Depending on what version of Bazek Ransomware attacked the computer, it will either create a text note called README.txt or display a pop-up window with similar decryption instructions.

Also known as Sullivan, RansomBoggs is a ransomware infection designed to encrypt data and demand payment for decryption afterwards. Recent research showed that this virus has had numerous attacks on various organizations placed in Ukraine. During encryption, RansomBoggs renames all targeted files with the .chsch extension. For example, a file originally titled as 1.pdf will change to 1.pdf.chsch and become no longer accessible. Following this, the ransomware also creates its own note (SullivanDecryptsYourFiles.txt) with decryption instructions.

SEX3 is a computer virus classified as ransomware. Also, it was discovered to be a new version of another file encryptor called SATANA Ransomware. Software of this type is developed to encrypt potentially valuable data and demand file owners to pay money for their decryption. While running encryption, SEX3 Ransomware is programmed to alter targeted files with the .SEX3 extension. This is simply a visual change to highlight blocked data on top of successful encryption. After this, the virus changes the desktop wallpapers and also creates a text note called !satana!.txt that contains short instructions about how to unlock access to files.

Onelock is a ransomware infection developed by the Medusa ransomware family. Its purpose is to encrypt access to potentially important data (using RSA and AES encryption algorithms) and extort money from victims for full decryption. While rendering files inaccessible, the virus adds the new .onelock extension, which would make a file like 1.pdf change to 1.pdf.onelock and reset its original icon. The same pattern applies to other files that get targeted by the infection. After successful completion, Onelock creates the how_to_back_files.html file to feature decryption instructions. Overall, it is said that ransomware developers are the only figures able to decrypt victims' data. For this, victims are therefore instructed to contact cybercriminals using a chat link in Tor Browser (or e-mail) and pay some specified amount of ransom.

Alpha865qqz is a new file encryptor that belongs to the Maoloa ransomware family. While running an investigation concerning this malware, it was spotted that Alpha865qqz mimics some traits of another infection called GlobeImposter. For instance, during encryption, it appends the .Globeimposter-Alpha865qqz extension to targeted files. To illustrate, 1.pdf will change to 1.pdf.Globeimposter-Alpha865qqz, 1.png to 1.png.Globeimposter-Alpha865qqz, and so forth. After completing the encryption process, Alpha865qqz creates an executable file called HOW TO BACK YOUR FILES.exe that lists decryption instructions. Some other versions of Alpha865qqz created the HOW TO BACK YOUR FILES.txt text file instead, and also changed the original icons of files.

Faust is a new ransomware variant developed by the Phobos malware group. Its purpose is to encrypt potentially important pieces of data and make victims pay money for its decryption. Along with encryption, the virus also alters the way files appear - for instance, a file originally named 1.pdf will change to something like 1.pdf.id[9ECFA84E-3421].[gardex_recofast@zohomail.eu].faust and reset its original icon after encryption. This new string of characters that ransomware appends consists of a unique victim's ID, cybercriminals' email address, and the .faust extension. Following the successful completion of the encryption, Faust Ransomware generates a pop-up window (info.hta) and text file (info.txt) that contain decryption guidelines.