Ransomware

LockDown is a file-encrypting software created to earn money on unprotected users. The virus acts using AES+RSA algorithms to set up strong encryption on stored data and appends .LockDown extension. Many kinds of data will be changed according to this example 1.mp4.LockDown. After the encryption is done, LockDown creates a text note (HELP_DECRYPT YOUR FILES) containing ransom instructions. Users are said that only a private key held by cybercriminals can lead to successful data decryption. To obtain it, victims have to send approximately 460$ worth of Bitcoin to the attached wallet. Although extortionists ostensibly prove their integrity by allowing users to decrypt 1 file for free, we still advise against paying the ransom, because there is a risk that swindlers will not provide recovery tools eventually. For now, there are no official tools that could guarantee 100% file decryption.

Using a mix of AES and RSA algorithms, Yatron Ransomware encrypts user's data and demands victims to pay a so-called ransom. It is known to be advertised on Twitter as "Ransomware-as-a-Service". There is a bunch of file types that can be affected by this ransomware after penetration. Almost all files stored on your PC will be assigned either with .Yatron or .Down_With_Usa extension. Here are the samples of infected files - 1.mp4.Yatron and 1.mp4.Down_With_Usa. Then, once the encryption process is done, the virus drops a text note (Read@My.txt) in each folder and force-opens a pop-up window that states ransom instructions. The content explains that your data has been encrypted. The only way to revert the consequences is to pay 300$ in BTC to the attached address. Sometimes the required amount can vary depending on which version attacked your system. Additionally, the window shows a clock saying that you have 3 days to make a payment, otherwise, your data will be removed completely. Despite manual decryption is usually impossible, you should not trust cyber criminals and follow their steps. The danger is that there is no guarantee they will fulfill their promises and provide necessary tools for data recovery.

Erica Encoder is a ransomware infection that uses AES algorithms to encrypt user's data. All files that experience a touch of the virus, change their names to a randomly-generated string of symbols. As an example, the original 1.mp4 will lose its initial name and appear as something like this R29vZ24lIENocm9tZS5s3ms9.qgazlb. Then, once all files get assigned with an encryption cipher, Erica Encoder creates a ransom note called HOW TO RESTORE ENCRYPTED FILES.TXT that is supposed to explain how to restore your data.

Encrp is another drastic infection that encrypts personal data and demands victims to pay a ransom. It was discovered by Jirehlov Solace who therefore categorized it as ransomware. During the study, it turned out that Encrp infects stored data assigning the .encrp extension. This means that after encryption, you will see all files look like this 1.mp4.encrp. This is not the end of the process yet, users are then presented with a text note (__READ_ME_TO_RECOVER_YOUR_FILES.txt) which contains information upon decryption. It is said that victims should send approximately 200$ in BTC to the account of cybercriminals. Then, the final step is to send an e-mail message including transfer and computer IDs. If everything works out, you will be given the necessary tools to decrypt files. In other cases, there is a chance that swindlers decide to ignore their promises and leave you nothing, but disappointment.

Ragnarok is a ransomware infection discovered by Karsten Hahn. The consequences of this attack are similar to other threats of such type - encryption of stored data by adding a new extension. Developers of Ragnarok Ransomware may have other versions of the virus, however, this case involves the assignment of .thor or .ragnarok_cry extensions. No additional symbols are included, you will see a file with the malicious extension at the end (1.mp4.ragnarok_cry). Once the encryption process is complete, users receive a note with decryption steps called How_To_Decrypt_My_Files.txt (alternatively, !!Read_me_How_To_Recover_My_Files.html). The text note states that encrypted files can be unlocked only with a special tool, which is held by cybercriminals. In order to get it, people have to contact swindlers and send the required fee of BTC to their address. You can also provide a file (less than 3Mb) for free decryption. This way, extortionists are allegedly proving that they can be trusted. In reality, they can dump you and ignore the fact that you have paid for the recovery. The deletion of Ragnarok Ransomware will not decipher your files, however, this is important to do to prevent further encryption of data.

Solve Ransomware is a malicious piece that specifies in encrypting network storage. Victims who had their NAS storage infected, experienced files change with the new .encrypted extension, so one of them would appear like this 1.mp4.encrypted. This extension is more generic and has been used by many ransomware developers. Solve Ransomware has not had enough examination to provide tools for unlocking the assigned cipher. This is why the extortionists offer to contact them and pay the ransom in BTC via instructions presented in a text note (SOLVE ENCRYPTED FILES.txt) that is created after the encryption process gets done. Unfortunately, this option does not guarantee transparency and honesty of swindlers. You can be fooled and not given any decryption tools even after making payment. This is why we recommend you delete Solve Ransomware and try to decrypt data via some basic instruments provided below.

Egregor is ransomware that belongs to Sekhmet family and promotes various versions of malware. This time around, users reported dealing with the virus called Egregor that encrypts private data and demands paid decryption. Depending on which version attacked your system, the encryption process may vary a little bit. For example, Egregor adds .egregor extension to each of the infected files so they look like this 1.mp4.egregor. Alternatively, files can receive a string of randomly-generated characters (1.mp4.WaBuD). After the encryption gets finished, the virus goes further creating a note called RECOVER-FILES.txt that contains step-by-step instructions to recover the compromised data. It is said that victims have to get in touch with cybercriminals no later than 3 days via the attached browser link. If the announced deadline comes to an end, extortionists will publish sensitive data all over the web. Cybercriminals can ask different fees for the recovery. Sometimes the amount can exceed thousands of dollars, especially if data has a significant value to owners. Unfortunately, you will not be able to find any free tools to decrypt the files affected by Egregor. At this moment, the only feasible way to recover data is by using an external backup if one was created prior to the encryption.

RenameX12 is a ransomware infection that encrypts files of different sorts. Unlike similar infections of this type, it does not add any extensions or symbols to identify the blocked files. All data appear original even after the actual attack. This is made by extortionists intentionally to prevent users from detecting the name of the ransomware as well as finding ways to decrypt files. Despite this, cyber experts managed to crack the mystery and established the virus name via the text note (New Text Document) that is created after encryption. This note contains instructions to help you recover the locked data. Swindlers ask victims to contact them via one of the attached e-mails. After you pay the ransom (usually in Bitcoin) you will receive decryption tools to decipher the data. However, this is a huge risk since there is no evidence that could testify their trustworthiness. The best way to decrypt files is to delete the ransomware itself and recover data from external backups if one was created prior to the encryption.