Ransomware

Gyjeb is a ransomware virus that runs data encryption to extort money from victims. It looks very similar to Keq4p Ransomware, which means they are likely to come from the same malware family. Just like Keq4p, Gyjeb Ransomware assigns a random string of senseless symbols along with its own .gyjeb extension. To illustrate, a file like "1.pdf" will change its look to something like 1.pdf.wKkIx8yQ03RCwLLXT41R9CxyHdGsu_T02yFnRHcpcLj_xxr1h8pEl480.gyjeb and reset its original icon. After all files end up edited this way, the virus creates a text note called nTLA_HOW_TO_DECRYPT.txt which entails decryption instructions. You can familiarize yourself with this note in the screenshot below.

Keq4p is a ransomware infection that encrypts personal data using cryptographic algorithms. These algorithms ensure strong data protection from attempts to decrypt it. Files attacked by ransomware are usually photos, videos, music, documents, and other types of data that could entail some value. Most file-encryptors change all the affected files by assigning their own extension. Keq4p does exactly the same, but also attaches a random string of symbols. For instance, a file like 1.pdf will change to something like 1.pdfT112tM5obZYOoP4QFkev4kSFA1OPjfHsqNza12hxEMj_uCNVPRWni8s0.keq4p or similar. The assigned string is totally random and has no real purpose. Along with visual changes, Keq4p closes its encryption process with the creation of zB6F_HOW_TO_DECRYPT.txt, a text file containing ransom instructions. You can take a closer look at what it contains in the following screenshot.

Hydra is a ransomware infection that makes users' data inaccessible by running thorough encryption. Besides being unable to access the data, users may spot some visual changes as well. Hydra assigns a new string of symbols containing cyber criminals' email addresses, randomly generated ID assigned to each victim, and the .HYDRA extension at the end. To illustrate, a file like 1.pdf will change its look to [HydaHelp1@tutanota.com][ID=C279F237]1.pdf.HYDRA and reset the original icon to blank. As soon as all files end up encrypted, the virus promotes ransom instructions to guide victims through the recovery process. This can be found inside of #FILESENCRYPTED.txt text note, which is created after encryption. Hydra developers say victims can restore their files by writing to the attached e-mail address (HydaHelp1@tutanota.com or HydraHelp1@protonmail.com). After this, cybercriminals should give further instructions to purchase the decryption of files.

Delta Plus is a ransomware-type virus that uses cryptographic algorithms to encrypt personal data. It assigns strong ciphers that are hard to decode without special decryption tools held by cybercriminals themselves. To buy these tools, victims are requested to send the equivalent of 6,000 USD in BTC to a crypto address. The price for decryption may be also reduced to 3,000 USD if you manage to complete the payment within the first 72 hours after being infected. All of this information is disclosed inside of the text note called Help Restore Your Files.txt, which is created as soon as the encryption of files is done. Delta Plus appends the .delta extension to all affected files. For instance, a file like 1.pdf will change to 1.pdf.delta and lose its original icon. After these changes, users will no longer be able to access their files until they pay the required ransom.

Discovered by Tomas Meskauskas, Koxic is determined to be a ransomware infection that operates by encrypting PC-stored data. In other words, the majority of files like photos, videos, music, and documents will be blocked by the virus to prevent users from accessing them. All files encrypted also get new .KOXIC or .KOXIC_PLCAW extensions. This means encrypted files like 1.pdf will change to 1.pdf.KOXIC or 1.pdf.KOXIC_PLCAW. The same pattern will be applied to residual data encrypted by ransomware. After getting things done with encryption, the virus creates a text note that explains ransom instructions. These instructions state victims should contact developers via koxic@cock.li or koxic@protonmail.com e-mails with their personal ID. This ID can be found attached to the ransom note. If there is no such being visible, there is a chance some version of Koxic Ransomware that infiltrated your system is still under development and being tested.

Porn is classified as a ransomware infection that targets encryption of personal data. Files like photos, documents, music, and videos are most likely to be under the scope of encryption by Porn Ransomware. To differ encrypted files from regular ones, developers assign the .porn extension to each compromised sample. For instance, a file like 1.pdf will change to 1.pdf.porn and reset its original icon. After this, the virus starts demanding the so-called ransom to recover your data. This information can be seen in a featured pop-up window or text note called RECUPERAR__.porn.txt. Inside of this note and pop-up window, cybercriminals display the number of files they have decrypted. To erase the assigned ciphers, Porn developers ask victims to send 1 BTC to the attached crypto address and e-mail them with the transaction ID afterwards. Unfortunately, not many victims can afford to pay the price of 1 BTC (42,000 USD).

BlackByte is the name of a data-locker that encrypts files stored on a device. Such malware is more known as ransomware because it extorts money from victims for the recovery of data. Even though BlackByte is new and little observed, there are enough details to differ it from other infections. One of them is the .blackbyte extension that is appended to each encrypted file. For instance, a piece like 1.pdf will change its extension to 1.pdf.blackbyte and reset the original icon. The next step after encrypting all available data is ransom note creation. BlackByte generates the BlackByte_restoremyfiles.hta file, which displays recovery details. Within, victims are instructed to contact cyber criminals by e-mail. This action is mandatory to receive further instructions on how to purchase a file decryptor. This decryptor is unique and held only by cybercriminals. The price of ransom can vary from person to person reaching hundreds of dollars. Keep in mind that paying the ransom is always a risk to lose your money for nothing. Many extortionists tend to fool their victims and not send any decryption instruments even after receiving the requested money. Unfortunately, there are no third-party decryptors that can guarantee 100% decryption of BlackByte files.

Ranion is a malware group that develops and spreads ransomware infections. Its recent version is called R44s, which encrypts data using strong cryptographic algorithms and then demands money for its redemption. Victims can spot their files have been encrypted by visual means. First versions of Ranion Ransomware discovered in Novemver, 2017 used .ransom extension. Now the virus assigns the plain .r44s extension to all compromised pieces. Here is a quick example of how files will look after successful encryption - 1.pdf.r44s, 1.jpg.r44s, 1.xls.r44s, and so forth depending on the original file name. Right after this encryption process ends, R44s creates an HTML file named README_TO_DECRYPT_FILES.html.