How to remove Axxes Ransomware and decrypt .axxes files
Axxes is a ransomware virus. Infections of this type are designed to prevent users from accessing their personal data. This is done through encryption, usually followed by attempts to blackmail victims into paying for the return of their data. After successfully attacking a system, Axxes encrypts targeted files and renames them with the .axxes extension. To illustrate, a regular file like 1.png will change to 1.png.axxes and have its icon reset. The rest of the data is renamed following the same pattern. Next, the virus creates two files containing decryption instructions (RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt). Cybercriminals say all business- and employee-related data has been both encrypted and uploaded to external servers. Should victims refuse to collaborate with the developers, the latter claim they reserve the right to publish victims' data on specialized resources. To avoid this, victims are guided to open the attached website address in Tor Browser and contact the swindlers to pay for decryption. The onion page also displays a number of tabs, including which other companies have already been compromised by the virus. It is unfortunate, but for now, there are no free means to decrypt Axxes files completely. Furthermore, cutting off all contact with the cybercriminals will definitely motivate them to leak your collected data.
How to remove GonnaCope Ransomware and decrypt .cope files
Recently discovered by a malware researcher named Petrovic, GonnaCope is a ransomware infection able to encrypt system-stored data. Research showed that it also deletes some data and replaces it with random, meaningless files, which appear with the .cope extension. Files encrypted by GonnaCope, on the other hand, do not change in appearance: they look exactly the same but are no longer accessible. To regain access to encrypted files, the swindlers behind the virus guide victims to complete a 100$ transfer (in Bitcoin) to the crypto-address given in the ReadMe.txt note. In addition, the virus displays a cmd window with almost identical information. After receiving the money, the ransomware developers promise to provide their victims with a decryption key to return the data. Whether cybercriminals can be trusted is always uncertain. In general, fraudsters have a bad reputation, since they can fool you and never send the promised decryption tools. Either way, they are the only figures who have the ability to decrypt your data at this moment. Victims can avoid paying the ransom only if backup copies are available on external devices. These can be used to recover encrypted and no longer usable files. If you are not in favor of paying the required ransom and you do not have backups to use, you can still try your hand at third-party tools - there is a chance they will be able to help under some circumstances.
How to remove PARKER Ransomware and decrypt .PARKER files
PARKER is the name of a ransomware program designed to encrypt users' data and extort money from victims. It is likely to be a product of the cybercriminals who developed two other devastating file-encryptors named ZORN and MATILAN. Just like them, PARKER creates the same RESTORE_FILES_INFO.txt text note on how to recover encrypted data. During encryption, the virus renames various types of potentially important files in the following pattern - from 1.pdf to 1.pdf.PARKER and so forth with other files stored on a system. As a result, the files are no longer usable without a special decryption tool, which has to be purchased from the cybercriminals. Unless victims contact the threat actors via the listed contact addresses and pay the required monetary ransom within the 3 days given, the latter threaten to leak the collected data to public resources. This carries a risk of exposing private company information, which can be abused by competitors or other fraudulent figures. Although collaborating with cybercriminals is always advised against, they might be the only figures able to provide full data decryption and somewhat guarantee not to publish sensitive information. Unfortunately, there are no third-party tools that could decrypt your data for free. The best feasible option available is to recover encrypted files through backups stored on uninfected devices (e.g. USB flash drives, other PCs, Cloud, etc.).
How to remove ZORN Ransomware and decrypt .ZORN files
Ransomware is a type of malicious software used to encrypt system-stored data and aid developers in extorting money from victims. ZORN Ransomware does the same trick and locks down all valuable data using the .ZORN extension. This extension is added to every file affected by the ransomware. For instance, a file named 1.pdf will change to 1.pdf.ZORN and lose its original icon. The virus also creates a text note (RESTORE_FILES_INFO.txt) and displays a black screen with text before the user logs into the Windows system. Investigation showed that ZORN shares almost the same traits as MATILAN - another ransomware variant discussed on our website. Thus, it is reasonable to conclude that ZORN is its successor.
How to remove HOUSELOCKER Ransomware and decrypt your files
HOUSELOCKER is a recent ransomware infection that has started circulating aggressively around the web. Like other malware of this type, it encrypts important system-stored data and then demands that victims pay a so-called ransom for its return. HOUSELOCKER also breaks the default operation of the Master Boot Record (MBR) - this is done to prevent victims from booting up to their desktop. As a result, it is not even possible to view which files have been encrypted. To tell users how to restore access to their data, HOUSELOCKER displays a pink-text message on a black screen. The ransom note says victims should purchase a decryption key. The cost is 130,000 Rosecoins, to be sent to the attached crypto address. After this, the cybercriminals promise to send the necessary key that activates file decryption. The developers behind HOUSELOCKER Ransomware do not provide any contact information for communicating with them. This is already suspicious and raises a lot of questions about how they are going to send you the key. Thus, we have reasonable grounds to assume that HOUSELOCKER is likely to scam its victims and not recover the data as promised. This is why we would advise you to deal with the infection and try to recover the files yourself.
How to remove blockZ Ransomware and decrypt .blockZ files
blockZ has shown evident traits of ransomware infections. This type of malware is designed to encrypt system-stored data and demand that victims pay money for its decryption. This ransomware does the same, using its own extension (.blockZ) to modify file appearance. To illustrate, a file named 1.pdf will change to 1.pdf.blockZ and lose its original icon. After this, users will no longer be able to access their data. The cybercriminals explain how victims can fix this in the How To Restore Your Files.txt text note. It says victims have one possible way to decrypt the data - contact the ransomware developers and pay some amount of ransom in Bitcoin (not specified in the note) to get a unique decryption tool. In addition, victims are allowed to test the decryption abilities of the cybercriminals' software by sending 1 encrypted file and getting it back fully accessible for free. The note also says that neglecting the instructions may lead to permanent data loss and extra financial costs. As mentioned, the exact amount of ransom is kept secret until victims contact the developers.
How to remove MATILAN Ransomware and decrypt .MATILAN files
MATILAN belongs to the category of ransomware infections. It uses strong encryption algorithms to lock privately stored databases. The main target of MATILAN Ransomware is business networks that store important financial, customer, contact, and other types of data that cybercriminals can later abuse to cause reputational damage. Once data encryption occurs, all affected files are renamed with the .MATILAN extension. For instance, a file like 1.pdf will change to 1.pdf.MATILAN and lose its original icon as well. Then, the ransomware creators urge victims to pay the so-called ransom using instructions presented in the RESTORE_FILES_INFO.txt note. It is said that the only way to decrypt files and avoid the public leakage of important data (which will happen within 3 days of inaction) is to collaborate with the cybercriminals. Victims are guided to contact the developers via the anonymous qTox messenger and follow guidelines on how and how much should be paid to revert the ransomware damage. Unfortunately, there is no way to avoid all the possible damage should victims refuse to work with the cybercriminals. Although encrypted files may be recovered if there is a backup stored on another machine, this does not guarantee that the data will not eventually be published.
How to remove WINKILLER Ransomware and decrypt your files
WINKILLER is a disruptive ransomware infection recently reported by MalwareHunterTeam. Instead of encrypting specific types of data, WINKILLER blocks access to the entire computer, making users unable to use it. After successful penetration, the virus starts displaying a console window with instructions on what should be done to restore access. The cybercriminals say that performing a manual shutdown or restart will cause permanent damage to the Master Boot Record (MBR), which is the sector responsible for loading the system. After this, users will no longer be able to load their system and will most likely lose all of the data stored on the PC. To avoid this and successfully recover the compromised system, the developers demand that victims pay a monetary ransom of 100 Renminbi (about 15$). Payment instructions can be obtained by contacting the diskkiller@winkiller.cf e-mail address. Unfortunately, recovering access to the PC might be almost impossible without paying the ransom. The infection leaves limited room for action, as any misstep can lead to irreversible loss of data. Although paying the ransom is usually not recommended, it could be considered in this case to avoid the above-mentioned effects.