Ransomware

Based on another ransomware called Jigsaw, Roblox Ransomware is a malicious program that functions as a file encryptor. In other words, it runs encryption of system-stored data and encourages victims to perform some actions. Note that this virus has nothing to do with the official Roblox online video game, despite having references to it. While encryption is underway, the file encryptor assigns the .Encrypted_Roblox@mail.com extension, which makes files no longer accessible. Another ransomware variant was also spotted appending the .fun_VB extension instead. For instance, a file previously named 1.pdf will change to 1.pdf.Encrypted_Roblox@mail.com or 1.pdf.fun_VB and reset its original icon. After successfully restricting access to data, Roblox Ransomware displays an executable pop-up window (Jigsaw.exe) with decryption instructions.

CMLOCKER is a ransomware infection that encrypts system-stored data with RSA cryptographic algorithms and appends the new .CMLOCKER extension. For instance, a file previously named 1.pdf will change to 1.pdf.CMLOCKER and reset its original icon. After all files end up access-restricted, the virus creates a text note called HELP_DECRYPT_YOUR_FILES.txt to blackmail victims into paying money for data decryption.

HARDBIT is a ransomware virus that targets Windows users to encrypt system-stored data and blackmail victims into paying a fee for decryption and non-disclosure of exfiltrated data. While rendering files inaccessible, the file-encryptor assigns some visual changes to highlight the blocked data. For instance, a file originally named 1.pdf will change to something like 1.pdf.[id-GSD557NO60].[boos@keemail.me].hardbit at the end of encryption. This newly-assigned string of symbols consists of the victim's ID, cybercriminals' e-mail address, and .hardbit extension. Immediately after the encryption process approaches its end, HARDBIT changes the desktop wallpapers and drops two files explaining decryption instructions - Help_me_for_Decrypt.hta and How To Restore Your Files.txt.

FBI Ransomware is a file encryptor that restricts access to data and blackmails victims into paying $250 for the recovery. While running encryption, the virus renames all affected files by adding the .fbi extension. For instance, a file like 1.pdf will be renamed to 1.pdf.fbi and reset its original icon as a result of this change. After this, the malicious program creates three totally empty notes (readme.txt, LOCKEDBYFBI.hta, and decryptfiles.html), which contain no information at all. The actual message is displayed in the intractable full-screen window, which opens automatically after the encryption is finished.

JiangLocker is a recent ransomware infection. Alike other malware of this type, it is designed to restrict access to potentially important pieces of data by running secure encryption. During this process, the virus assigns all blocked data with the .jiang extension. To illustrate, a file previously named 1.pdf will change to 1.pdf.jiang and reset its original icon. Following this, JiangLocker changes the desktop wallpapers, displays a pop-up window, and creates a text note called read.ini. The text note duplicates information given inside the pop-up window.

Cyberone is quite a recent ransomware infection that runs encryption of data and asks victims to pay 1 Bitcoin for its decryption. While blocking access to system-stored data, the virus assigns its own .cyberone extension, making all file icons blank. For instance, a file originally named 1.pdf will change to 1.pdf.cyberone and become no longer accessible. Note that most Cyberone versions we have observed can be decrypted for free with the help of a decryption tool released by Avast. You can find more information about it in the article below. After completing encryption, the last piece of the last to start blackmailing victims is the creation of ___RECOVER__FILES__.cyberone.txt and the display of a pop-up window containing decryption guidelines written by cybercriminals.

Diamond Ransomware is a malicious infection designed to encrypt system-stored data and blackmail victims into paying the ransom for its return. While running encryption, the virus renames all targeted files with the .diamond extension. This is simply a visual change meant to highlight the fact that users' system has been infected. Following this, ransomware developers create HOW TO RECOVER ENCRYPTED FILES.TXT - a text file containing decryption instructions.

Wizard is a ransomware virus that encrypts data with the help of AES-256 algorithms to blackmail users into paying the ransom. While restricting access to data, all affected files get renamed with the .wizard extension. For instance, a file previously titled 1.pdf will change to 1.pdf.wizard and reset its original icon. Following this, it was observed that the virus creates a text called decrypt_instructions.txt onto the desktop. This note contains information about what victims should do in order to return their encrypted files.