Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Allock Ransomware and decrypt .allock8 files

While inspecting new submissions to VirusTotal, researchers identified Allock Ransomware, a member of the MedusaLocker ransomware family. It renames files with a specific extension, notably .allock8, which can vary with the virus iteration. The ransomware employs sophisticated RSA+AES encryption, making file recovery difficult without the attackers' involvement. Upon completion of the encryption process, it creates a ransom note named how_to_back_files.html and places it prominently on the desktop. This note informs victims of the data breach and demands payment for the decryption tools, along with the threat of leaking or selling stolen data if payment isn't made.

How to remove DEMON Ransomware and decrypt .DEMON files

DEMON Ransomware is a pernicious form of malware discovered by GrujaRS that encrypts users' files using strong encryption algorithms, rendering them inaccessible without a decryption key. Often infiltrating computers through spam campaigns, fake software updaters, and untrusted download sources, it adds the .DEMON extension to each encrypted file. For example, document.docx becomes document.docx.DEMON, clearly marking the files as compromised. After encryption, the ransomware creates a README.txt file in every directory containing encrypted files and displays a ransom note in a pop-up window, demanding a hefty $10,000 in Bitcoin to decrypt the affected files. According to the ransom note, victims have a narrow window of 600 minutes (10 hours) to comply, or their data will be destroyed or sold to third parties.

How to remove LUCKY (Makop) Ransomware and decrypt .LUCKY files

LUCKY Ransomware, discovered as part of the Makop ransomware family, is a malicious program designed to encrypt files and demand a ransom from victims for their decryption. Once it has infiltrated a system, it appends a unique ID, the attackers' email address, and the .LUCKY extension to each encrypted file's name. For instance, a file named document.jpg would be renamed to something like document.jpg.[uniqueID].[givebackdata@mail.ru].LUCKY. After file encryption is completed, the ransomware generates a ransom note titled +README-WARNING+.txt, typically found in multiple directories on the infected device. This note informs the victim that their files have been encrypted and provides instructions for contacting the attackers and making the ransom payment, often in cryptocurrency such as Bitcoin.

How to remove Devil Ransomware and decrypt .devil files

Devil Ransomware is a malicious program and part of the broader Phobos ransomware family. It renames encrypted files by appending the victim's ID, the developer's email address, and the .devil extension to filenames. For instance, a file named image.jpeg would be altered to image.jpeg.id[unique-ID].[email].devil. This ransomware employs strong encryption algorithms, typically AES-256, to lock users' files, making them inaccessible without the unique decryption key held by the attackers. Upon infection, Devil Ransomware generates a ransom note in the form of a text file named info.txt and a pop-up window using info.hta. These notes provide instructions on contacting the cybercriminals and making a ransom payment, usually in Bitcoin, in exchange for the decryption tool.

How to remove Saturn Ransomware and decrypt .saturn files

Saturn Ransomware is a sophisticated type of malware designed to encrypt files on infected systems and demand a ransom for their decryption. It was first identified by MalwareHunterTeam and operates as a Ransomware as a Service (RaaS), allowing cybercriminals to freely distribute the malware in exchange for a cut of the profits. Upon infecting a system, Saturn Ransomware appends the .saturn extension to the filenames of encrypted files, rendering them unusable (e.g., sample.jpg becomes sample.jpg.saturn). While it is currently unclear whether it uses symmetric or asymmetric cryptography, the encryption is robust, creating unique keys for each victim that are stored on a remote server controlled by the attackers. After successfully encrypting files, Saturn Ransomware creates several ransom notes, including #DECRYPT_MY_FILES#.txt, which are placed on the desktop of the infected machine.

How to remove 1BTC Ransomware and decrypt .1BTC files

Discovered by Jakub Kroustek, 1BTC Ransomware is a malicious variant that stems from the infamous Dharma ransomware family. It operates by encrypting a vast array of files stored on the victim's system using the RSA-1024 encryption algorithm, making them inaccessible without a unique decryption key. Upon successful encryption, 1BTC appends to each file a specific extension that includes the victim's unique ID, the developer's email address, and the .1BTC suffix. For example, a file originally named sample.jpg might be renamed to sample.jpg.id-{random-ID}.[btcdecoding@foxmail.com].1BTC. Following this, the ransomware creates a ransom note in the form of a pop-up window and a text file named RETURN FILES.txt, which is typically placed on the desktop. These notes instruct the victim to contact the ransomware developers via email and provide details on how to pay the ransom in Bitcoin to receive the decryption key.

How to remove RDanger Ransomware and decrypt your files

Discovered during a review of new file submissions to the VirusTotal website, RDanger Ransomware is a type of malware that encrypts files on an infected system and demands a ransom for decryption. Upon infection, it appends the filenames of encrypted files with a unique identifier, such as 1.jpg.277-9OL-741, making it evident that the file is compromised. The encryption process concludes with the creation of a ransom note named ATTENTION! ALL YOUR FILES ARE ENCRYPTED!.TXT, which usually appears on the desktop or in various folders containing the encrypted files. The message within the note informs victims that their files have been encrypted and instructs them to pay a ransom in cryptocurrency for a decryption tool that purportedly restores their files. However, this note does not include specific payment details or instructions, suggesting it might still be in development.

How to remove Hazard (Medusalocker) Ransomware and decrypt .hazard18 files

Hazard Ransomware is a harmful variant belonging to the MedusaLocker family of ransomware. This malware encrypts files on infected systems and adds unique file extensions to them. Specifically, it appends extensions such as .hazard18 to the filenames, indicating that the affected files have been encrypted. For instance, an original file named document.docx becomes document.docx.hazard18, signaling that the encryption process has taken place. The ransomware employs RSA and AES encryption algorithms, which render files inaccessible without a specific decryption key known only to the attackers. Once the encryption occurs, the ransomware leaves a ransom note titled HOW_TO_BACK_FILES.html. This note typically appears in every folder containing encrypted files, informing the victim of the actions taken and providing instructions to contact the attackers for decryption details.