
Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove EpsilonRed Ransomware and decrypt .EpsilonRed files

EpsilonRed is another ransomware-type virus that targets personal data on infected systems. Once it locates the data it is after (normally databases, statistics, documents, etc.), the virus starts encrypting it with AES+RSA algorithms. The encryption process is hard to notice while it runs, as victims usually become aware of the infection only after all files have changed their names. To illustrate, a file named 1.pdf would be renamed to 1.pdf.epsilonred. Such a change means the file can no longer be opened. Besides pursuing sensitive data, EpsilonRed is also known to alter the extension of executable and DLL files, which may prevent them from running correctly. Once it has snuck into the system, the virus also installs several files that disable protection layers, clear Event logs, and affect other Windows features. At the end of encryption, EpsilonRed presents ransom instructions inside a note. The file name may vary from case to case, but most users reported text notes called HOW_TO_RECOVER.EpsilonRed.txt and ransom_note.txt being created after encryption.

How to remove Gpay Ransomware and decrypt .gpay files

Gpay is known as a malicious program that runs secure data encryption over stored data using AES-256, RSA-2048, and CHACHA algorithms. Cybercriminals monetize their software by asking victims to pay for data decryption. Before that, victims are first confused by sudden changes in file appearance, because Gpay renames all encrypted files with the .gpay extension. To illustrate, a file like 1.pdf will be altered to 1.pdf.gpay once encryption is finished. After spotting this change, victims will also find a file called !!!HOW_TO_DECRYPT!!!.mht in all infected folders. The file leads to a web page displaying ransom instructions. It states that you can send up to 3 files to test their decryption abilities for free. This is done by sending the files along with your personal ID to the gsupp@jitjat.org and gdata@msgden.com email addresses. The same contacts are used to obtain the payment address and purchase the decryption tools. Unless you do so within 72 hours, the cybercriminals will most likely publish the stolen data on darknet-related platforms. This is why getting trapped by Gpay is extremely dangerous, as it poses a huge privacy threat. Depending on the price of data decryption, victims can decide whether they need it or not.

How to remove DarkSide Ransomware and decrypt your files

Brought to light by MalwareHunterTeam, DarkSide is a malicious program that encrypts valuable data in order to demand money from victims. All connected networks holding data that has been exposed to this virus will be scanned and blocked from regular access. Just like other ransomware infections, DarkSide appends a unique extension to the end of each encrypted file. To be more specific, it appends the personal ID randomly generated for each victim. To illustrate, you are likely to see your files change from 1.xlsx to 1.xlsx.d0ac7d95, or similar, depending on the ID that has been assigned to you. Then, as soon as this part of the process is done, the cybercriminals create a text note with decryption instructions (README.[victim's_ID].TXT).

How to remove Mammon Ransomware and decrypt .mammon files

Part of the Makop Ransomware family, Mammon is a dangerous virus that runs data encryption for monetary gain. It encrypts personal data with military-grade algorithms and demands that victims pay a ransom. To show that your data has been restricted, the extortionists append a string of symbols to each file name (consisting of random characters, the cybercriminals' e-mail address, and the .mammon extension). To illustrate, an original file like 1.pdf will change to something like 1.pdf.[9B83AE23].[mammon0503@tutanota.com].mammon. As a result of this change, users will no longer be able to access the file. To provide instructions on recovering the data, the cybercriminals create a text note called readme-warning.txt in each folder with encrypted data.

How to remove Calvo Ransomware and decrypt .calvo files

Being part of the Phobos Ransomware family, Calvo is another malicious program that encrypts personal data. It does so by using military-grade algorithms to cipher the files. Along with that, the virus assigns a string of symbols to each file: the victim's personal ID, the cybercriminals' e-mail, and the .calvo extension to finish the string. For example, a file like 1.pdf will be infected and changed to 1.pdf.id[C279F237-3143].[seamoon@criptext.com].calvo. The same change will happen to the rest of the data stored on the PC. As soon as this part of the infection comes to a close, Calvo creates two ransom notes (info.hta and info.txt) to guide you through the decryption process.

How to remove XHAMSTER Ransomware and decrypt .XHAMSTER files

Developed by the Phobos family, XHAMSTER is a ransomware-type infection that runs data encryption. It does not perform one-way encryption; instead, it offers to unblock the infected data in exchange for a money ransom. When it comes to data encryption, the cybercriminals are usually the only ones able to unlock your data, which is why they offer to sell you their software to regain access. Before getting deep into details, it is important to mention how XHAMSTER encrypts your data. Apart from blocking access, it also appends a string of symbols consisting of the victim's ID, an ICQ Messenger username, and the .XHAMSTER extension to the end of each file. To illustrate, a file like 1.pdf will be changed to something like 1.pdf.id[C279F237-2797].[ICQ@xhamster2020].XHAMSTER at the end of encryption. Finally, once this process is done, the virus creates two files containing ransom instructions. One of them, called info.hta, is displayed as a window right in front of the user, while the other, named info.txt, is placed on the victim's desktop.

How to remove Qlocker Ransomware and decrypt .7z files

Qlocker is a ransomware infection spotted attacking and encrypting data on QNAP NAS (Network Attached Storage) devices. The virus gets in through security flaws, encrypts the stored data, and clears the log traces during the process. This helps the intruders cover their activity and prevents people from detecting the source of the infection. Qlocker uses the short .7z extension to mark the blocked data. Interestingly, Qlocker does not touch media files like videos or music in most cases. Its main target seems to be documents and similar types of data that could be of value to victims. During encryption, all data loses its access and changes its name to something like 1.pdf.7z. Then, after this process is done, the virus creates a text note called !!!READ_ME.txt containing ransom instructions. The note says that all files have been encrypted and that the only feasible way to recover them is to purchase (in BTC) the private key stored on the cybercriminals' servers. To do this, users are asked to open the Tor page and enter their so-called "client-key". Once you visit the page, you will be able to process the payment and receive the recovery tools. Different victims reported different costs for the keys, but on average this amount can range up to $1000. Unfortunately, trusting cybercriminals means taking a huge risk: they can scam you and not send any of the promised tools after the transfer is made. It is also not recommended to trust data recovery services claiming they have a way to decrypt your data. Note that at this moment there is no official tool that could unlock access to files encrypted by Qlocker.

How to remove Encrpt3d Ransomware and decrypt .encrpt3d files

Encrpt3d (a.k.a. WhiteBlackCrypt) is classified as a malicious program that encrypts personal data for monetary benefit. Ransomware might be the most dangerous malware that can get onto your system. Its main purpose is to block access to important files and extort money from desperate users (or companies) who want to decrypt their data. Encrpt3d does exactly the same: it encrypts various kinds of data, appending the .encrpt3d extension to each file. For example, a file like 1.pdf will be infected and changed to 1.pdf.encrpt3d. Thereafter, Encrpt3d Ransomware displays a full-screen image stating the ransom instructions (highlighted in red). It is impossible to remove this image unless users eventually delete the malicious program. In the ransom note, the cybercriminals say that your files are encrypted but can still be accessed again. To do this, the developers attach a BTC address that is to receive 10 BTC from victims. You are given a specific deadline to complete the transfer. Then, after successfully making the payment, users have to inform the extortionists via the whiteblackgroup002@gmail.com or wbgroup022@gmail.com email address.