
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Selena Ransomware and decrypt .selena files

Selena is a disruptive ransomware infection primarily targeting business networks. It encrypts network-stored data and demands that victims pay a monetary ransom for its return. During encryption, Selena renames the files it locks: each one acquires a uniquely generated victim ID, the cybercriminals' e-mail address, and the .selena extension. To illustrate, a file initially titled 1.xlsx will change to id[q2TQAj3U].[Selena@onionmail.org].1.xlsx.selena and reset its icon to blank. Once encryption is finished, the ransomware creates a file named selena.txt, a text note explaining how to recover the files. The note says there is no way to decrypt the restricted data other than negotiating directly with the cybercriminals. For further information, victims are told to write to one of two e-mail addresses (selena@onionmail.org or selena@cyberfear.com) and state their personal ID in the title. To get the decoder and private keys that unlock access to the data, victims are required to pay for them in bitcoins. The price remains unknown and is likely to be calculated individually only after contacting the swindlers. In addition, the cybercriminals offer to decrypt 2 files containing no valuable information (under 5MB) for free. This offer works as a guarantee proving they are actually able to decrypt your data. Unfortunately, options to decrypt files without the help of the cybercriminals are unlikely to exist.

How to remove Pipikaki Ransomware and decrypt .@PIPIKAKI files

Pipikaki is a recent devastating ransomware infection reported by victims on forums. Malware of this type is also known as a crypto-virus, designed to encrypt system-stored data and blackmail victims into paying money for its return. Pipikaki does exactly that, renaming targeted files with the victim's ID and the .@PIPIKAKI extension during encryption. For instance, a file previously named 1.pdf will change to 2.pdf.[8A56562E].@PIPIKAKI or similar, depending on the victim's ID. Instructions on how to recover the restricted files are then presented in a file named WE CAN RECOVER YOUR DATA.txt. The ransom note guides users to contact the developers (via Skype, ICQ Live chat, or the pipikaki@onionmail.org e-mail address) and negotiate the return of the data. As a rule, many cybercriminals ask their victims to pay a certain amount of ransom (most often in cryptocurrencies). The note also says that noncompliance with the swindlers' demands will result in the publication of all sensitive data. They threaten to leak important business-related information (clients' data, bills, annual reports, etc.) collected from the encrypted machine/network.

How to remove Axxes Ransomware and decrypt .axxes files

Axxes is a ransomware virus. Infections of this type are designed to prevent users from accessing their personal data. This is done through encryption, usually followed by attempts to blackmail victims into paying money for the data's return. After successfully attacking a system, Axxes enciphers targeted files and renames them using the .axxes extension. To illustrate, a regular file like 1.png will change to 1.png.axxes and have its icon reset. The rest of the data will be renamed following the same pattern. Next, the virus creates two files containing decryption instructions (RESTORE_FILES_INFO.hta and RESTORE_FILES_INFO.txt). The cybercriminals say all business- and employee-related data has been both encrypted and uploaded to external servers. Should victims refuse to collaborate with the developers, the latter claim they reserve the right to publish victims' data on specialized resources. To avoid this, victims are guided to open the attached website address in Tor Browser and contact the swindlers to pay for decryption. The onion page also displays a number of tabs, including a list of other companies the virus has already compromised. It is unfortunate, but for now, there are no free means to decrypt Axxes files completely. Furthermore, cutting all ties with the cybercriminals will definitely motivate them to leak your collected data.

How to remove GonnaCope Ransomware and decrypt .cope files

Recently discovered by a malware researcher named Petrovic, GonnaCope is a ransomware infection able to encrypt system-stored data. Research showed that it also deletes some data and replaces it with random, pointless files, which appear with the .cope extension. On the other hand, files encrypted by GonnaCope do not change in appearance and remain exactly the same, yet are no longer accessible. To regain access to encrypted files, the swindlers behind the virus guide victims to complete a $100 transfer (in Bitcoin) to the crypto-address given in the ReadMe.txt note. In addition, the ransomware displays a cmd window with almost identical information. After receiving the money, the ransomware developers promise to provide their victims with a decryption key to return the data. Whether cybercriminals can be trusted is never certain. In general, fraudsters have a bad reputation because they can fool you and never send the promised decryption tools. Either way, they are the only ones able to decrypt your data at this moment. Victims can avoid paying the ransom only if backup copies are available on external devices, which can then be used to recover the encrypted and no longer usable files. If you are not in favor of paying the ransom and you have no backups to use, you can still try your hand at third-party tools - there is a chance they will be able to help under some circumstances.

How to remove PARKER Ransomware and decrypt .PARKER files

PARKER is the name of a ransomware program designed to encrypt users' data and extort money from victims. It is likely to be a product of the cybercriminals who developed two other devastating file-encryptors named ZORN and MATILAN. Just like them, PARKER creates the same RESTORE_FILES_INFO.txt text note on how to recover encrypted data. During encryption, the virus renames various types of potentially important files in the following pattern - from 1.pdf to 1.pdf.PARKER, and so forth for other files stored on the system. As a result, the files become unusable without a special decryption tool, which has to be purchased from the cybercriminals. Unless victims contact the threat actors via the listed contact addresses and pay the required ransom within the 3 days given, the latter threaten to leak the collected data to public resources. This carries a risk of exposing private company information, which can be abused by competitors or other fraudulent figures. Although collaborating with cybercriminals is always advised against, they might be the only ones able to provide full data decryption and give some guarantee not to publish sensitive information. Unfortunately, there are no third-party tools that could decrypt your data for free. The best feasible option is to recover encrypted files from backups stored on uninfected devices (e.g. USB flash drives, other PCs, the cloud, etc.).

How to remove ZORN Ransomware and decrypt .ZORN files

Ransomware is a type of malicious software used to encrypt system-stored data and help its developers extort money from victims. ZORN Ransomware does the same and locks down all valuable data using the .ZORN extension. This extension is added to every file affected by the ransomware. For instance, a file named 1.pdf will change to 1.pdf.ZORN and lose its original icon. The virus also creates a text note (RESTORE_FILES_INFO.txt) and displays a black screen with text before the Windows login. After some investigation, it turned out that ZORN shares almost the same traits as MATILAN - another ransomware variant discussed on our website. Thus, it is reasonable to conclude that ZORN is its successor.

How to remove HOUSELOCKER Ransomware and decrypt your files

HOUSELOCKER is a recent ransomware infection that has started circulating aggressively around the web. Like other malware of this type, it encrypts important system-stored data and then demands that victims pay a ransom for its return. HOUSELOCKER also breaks the normal operation of the Master Boot Record (MBR) - this is done to prevent victims from booting to their desktop. As a result, it is not even possible to see which files have been encrypted. To tell users how to restore access to their data, HOUSELOCKER displays a pink-text message on a black screen. The ransom note says victims should purchase a decryption key. The cost is 130,000 Rosecoins, to be sent to the attached crypto address. After this, the cybercriminals promise to send the key that activates file decryption. The developers behind HOUSELOCKER Ransomware do not provide any contact information for communicating with them. This is already suspicious and raises a lot of questions about how they are going to send you the key. Thus, we have reasonable grounds to assume that HOUSELOCKER is likely to scam its victims and not recover the data as promised. This is why we would advise you to deal with the infection and try to recover the files yourself.

How to remove blockZ Ransomware and decrypt .blockZ files

blockZ shows evident traits of a ransomware infection. This type of malware is designed to encrypt system-stored data and demand that victims pay money for its decryption. blockZ does the same, using its own extension (.blockZ) to modify file appearance. To illustrate, a file named 1.pdf will change to 1.pdf.blockZ and lose its original icon. After this, users will no longer be able to access their data. The cybercriminals explain how victims can fix this in the How To Restore Your Files.txt text note. It says victims have one possible way to decrypt the data - contact the ransomware developers and pay a ransom in Bitcoin (the amount is not specified in the note) to get a unique decryption tool. In addition, victims are allowed to test the decryption abilities of the cybercriminals' software by sending 1 encrypted file and getting it back fully accessible for free. The note also says that neglecting the instructions may lead to permanent data loss and extra financial costs. As mentioned, the exact amount of the ransom is kept secret until victims contact the developers.