How to remove Artemis Ransomware and decrypt .artemis, .ultimate or .999 files
Discovered by a malware researcher named S!Ri, Artemis belongs to the PewPew ransomware family. The fraudsters behind this family have spread a number of high-risk infections that encrypt data. Artemis is the most recent file-encrypting variant; it cuts off access to most stored data using multi-layer cryptographic algorithms. These algorithms encrypt the data thoroughly, which prevents users from opening it. Besides that, files locked by Artemis are changed visually as well. For instance, a file like 1.pdf will change to something like 1.pdf.id-victim's_ID.[khalate@tutanota.com].artemis and reset its original icon. This string consists of the victim's ID, the khalate@tutanota.com email address, and the .artemis extension at the end. Then, as soon as encryption finishes, Artemis displays info-decrypt.hta across the entire screen. Recent versions of the malware use the ransom note name ReadMe-[victim's_ID].txt and the .ultimate and .999 extensions (1.pdf.id[victim's_ID].[UltimateHelp@techmail.info].ultimate and 1.pdf.id[victim's_ID].[restoredisscus@gmail.com].999).
How to remove GoodMorning Ransomware and decrypt .GoodMorning, .LOCKED or .REAL files
GoodMorning is a malicious program classified as ransomware. Its main goal is to make money from victims whose data has been encrypted with strong ciphers. Usually, victims become aware of the infection after GoodMorning assigns a new complex extension to compromised files (ending with .GoodMorning, .LOCKED or .REAL). For example, 1.pdf and other files stored on a system will be changed to this pattern: 1.pdf.Id(045AEBC75) Send Email(Goood.Morning@mailfence.com).GoodMorning or .Id = D8CXXXXX Email = John.Muller@mailfence.com .LOCKED. The ID inside the extension differs from case to case, as it is unique to each victim. Then, once all files have been encrypted and visually changed, the virus creates a text note called either GoodMorning.txt, ReadIt.txt or ReadMe.txt. The note is meant to give broader instructions on how to recover your data.
How to remove Pagar Ransomware and decrypt .pagar40br@gmail.com files
Pagar is a ransomware program that infects Windows systems to encrypt personal data. It affects the configuration of stored files, making them totally inaccessible. This means any attempt to open the files will be denied due to encryption. Besides configuration changes, Pagar Ransomware alters data visually as well, by assigning the .pagar40br@gmail.com extension to each encrypted file. For instance, a file like 1.pdf will change to 1.pdf.pagar40br@gmail.com and reset its original icon to blank. After all files have been encrypted, Pagar creates a ransom note called Urgent Notice.txt, which explains how to recover the data. The ransomware developers are concise and say you have 72 hours to send 0.035 BTC to the attached wallet. Right after completing the payment, victims should contact the developers via pagar40br@gmail.com, attaching their own wallet address and unique ID (written in the note). Unfortunately, there is zero information on whether the Pagar developers can be trusted.
How to remove Chaos Ransomware and decrypt .axiom, .teddy or .astralocker files
Chaos is a popular ransomware family that spreads a number of malware versions. Upon infection, most files stored on a system are altered and become no longer accessible. Cybercriminals do this to extort a ransom from victims in exchange for unblocking the data. At the moment, there are 4 most popular versions propagated by Chaos: Axiom, Teddy, Encrypted, and AstraLocker Ransomware. All 4 assign their own extension whilst blocking access to data. For instance, a file like 1.pdf may change to 1.pdf.axiom, 1.pdf.teddy, 1.pdf.encrypted, or 1.pdf.astralocker depending on which version attacked your network. Initially, Chaos used to be called Ryuk .Net Ransomware, but it was then upgraded and started being distributed under the new name. What is more, Ryuk.Net only mimicked encryption with AES+RSA algorithms, but actually used Base64 coding to damage the structure of files. It cannot be excluded that the same is true of newer versions as well. It is also possible to see a version of Chaos appending a string of random characters to encrypted files, like 1.pdf.us00, 1.pdf.wf1d, and so forth. As soon as encryption (or fake encryption) finishes, the virus creates a text note with instructions on how to recover your data. Here are the names as well as the content of each text note created by different versions (README.txt, read_it.txt, READ_ME_NOW.txt).
How to remove Tohnichi Ransomware and decrypt .tohnichi files
Tohnichi is a ransomware program that changes the extensions of files while encrypting them all. .tohnichi is the name of the new extension assigned to each compromised file. This means all encrypted files will appear like this at the end of the process: 1.pdf.tohnichi. The last piece of the puzzle brought by Tohnichi is How to decrypt files.txt, the text file created by the malware to explain decryption instructions. First of all, it states that your network has been hacked, which allowed the extortionists to encrypt your data. Then, the cybercriminals say they are the only ones able to perform secure and complete decryption of the data. For this, victims are asked to establish communication using the Tor browser link and pay for decryption software. The price is kept secret and depends on how fast you contact the developers. After the payment is completed, the developers promise to send a unique decryption tool to regain the data. In addition to that, the ransomware developers say they can decrypt several files (that do not contain valuable information) for free prior to the ransom being paid. This is a good offer indeed, but still insufficient to trust cybercriminals on an individual basis.
How to remove Zeppelin Ransomware and decrypt .zeppelin, .payfast500 or .payfast290 files
Zeppelin, discovered by GrujaRS, is a malicious program that infects computers and encrypts users' data. Such programs are typically designed to make money from desperate users whose files have been locked. As usual, the encryption comes with a significant change in the file's extension: the virus renames files using the hexadecimal numeral system to something like 1.mp4.126-A9A-0E9. In fact, the extension may vary in its symbols, since the virus can generate random values. Once the encryption is completed, Zeppelin creates a text file called !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT on your desktop. In this note, the extortionists confront you with the ransom demand, calling on you to contact them and buy a specific key. Unfortunately, there is no proven method that could decrypt your data for free at this point. The only way to do so is by following their instructions, which is a huge risk. Although the decision lies on your shoulders, we recommend that you delete Zeppelin Ransomware using the guide below.
How to remove MOSN Ransomware and decrypt .MOSN files
MOSN is categorized as a ransomware infection that demands money from victims after encrypting data. Normally, such infections strike all potentially important files, like photos, videos, documents, databases, and more, that have some value to victims. The encryption can be spotted by the new extension assigned to each compromised file. For instance, a file named 1.pdf will change to 1.pdf.MOSN at the end of encryption. The same will be seen with other data according to this pattern. Soon after this, MOSN installs a new wallpaper stretched across the entire screen that displays a short ransom summary. It states that victims should contact the developers via the walter1964@mail2tor.com e-mail address and pay $300 in Bitcoin to get the data back. Additionally, MOSN Ransomware creates a text file called INFORMATION_READ_ME.txt that explains the same but also mentions the number of encrypted files and the unique ID that should be attached when contacting the extortionists.
How to remove Xorist Ransomware and decrypt .divinity, .matafaka or .army files
Divinity, Matafaka, and Army are three ransomware infections released by the development group known as Xorist. After your system is successfully infected, the virus forces most of the stored files to change their names. Depending on which version attacked your PC, any image, video, music, or document file like 1.pdf will change to 1.pdf.divinity, 1.pdf.matafaka, or 1.pdf.army. After each file has been visually changed, the above-mentioned versions display a text message in pop-up windows or notepad files (HOW TO DECRYPT FILES.txt). The text differs for each version. To illustrate, Matafaka and Army show barely any information about data decryption. They mention that your PC is hacked, but provide zero information or payment instructions to restore the data. The reason may be that these versions are still in development and testing. It cannot be excluded that complete versions with full-fledged instructions are already circulating around the web. Divinity is the only version on the list that has contact details for paying the ransom. For this, users are asked to write a direct message to @lulzed on Telegram or @dissimilate on Twitter. Note that the Xorist Ransomware family uses XOR and TEA algorithms to encrypt personal data. Data encrypted by such ciphers are less likely to be decryptable without the involvement of cybercriminals. Despite this, it is expressly advised against meeting the demands of fraudulent figures.