Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove Velar Ransomware and decrypt .Velar files

Velar is a type of malware classified as ransomware. Ransomware is a category of malicious software that encrypts data and extorts money from users. During the encryption process, all affected files are given a new extension. For example, a non-infected file called 1.mp4 will be renamed to 1.mp4.Velar and its default icon will be reset. Thereafter, users are presented with a text file containing the ransom information. The ransom note is called readme.txt. It claims that your system was infected by ransomware that encrypted a large number of files using a hybrid encryption scheme. To restore the blocked data, the extortionists ask you to contact them via one of the listed e-mail addresses and attach the personal ID shown in the note. Unfortunately, the only option to access your files is buying a decryption key held by the cybercriminals, because no third-party software is able to decrypt the infected data. However, following the fraudsters' instructions and paying the ransom is not recommended, because most people get fooled and the problem remains unsolved as a result.

How to remove SD (Unlock11) Ransomware and decrypt .[unlock11@protonmail.com].enc files

If you are no longer able to access your files, this is because ransomware has infected your system. SD (Unlock11) Ransomware is no exception: it encrypts users' data with the RSA + Salsa20 algorithms and adds a new .[unlock11@protonmail.com].enc extension to each file. As an example, a standard 1.mp4 will be renamed to 1.mp4.[unlock11@protonmail.com].enc after the encryption process is done. Note that the .enc extension is generic and has been used by several types of ransomware, including MOTD, TrueCrypter, and Cryptohasyou. After successful encryption, the program automatically opens a ransom note, ReadMeToDecrypte.txt, which contains the details on how to decrypt your data. Some versions of SD replace the desktop wallpaper to display the ransom information. In both cases, to unlock the affected files, users are asked to reach out to the cybercriminals via unlock11@protonmail.com. You are also allowed to attach 3 files (less than 5MB) so that the swindlers can prove they can be trusted. After sending a message, you will presumably be required to pay a specific sum to unlock your data. Furthermore, they will give you recommendations on how to protect yourself from further attacks. Unfortunately, there is currently no other way to decrypt files encrypted by SD Ransomware without paying the ransom and getting the private keys.

How to remove Dharma-Harma Ransomware and decrypt .harma files

Part of the Dharma family, Dharma-Harma is a ransomware program that uses AES-256 + RSA algorithms to encrypt users' data. After the virus settles on the system, it locks multiple files with unbreakable ciphers. Once encrypted, files undergo a couple of significant changes. Firstly, the affected files are renamed according to this pattern: original_filename.{random-8-digit-alphanumerical-sequence}.[e-mail-address].harma. Note that the cybercriminals' e-mail address may vary from person to person. Once the encryption is finished, Dharma-Harma generates a text file or image that contains the ransom information. It says that your computer is unprotected and needs to be fixed. To restore the lost files, you have to contact them through the attached e-mail address. After that, they will supposedly give further instructions and demand a payment in BTC. Unfortunately, victims who decide to pay the ransom often get fooled and do not receive any decryption keys.

How to remove Ouroboros Ransomware and decrypt .odveta, .teslarvng, .rails or .kraken files

Ouroboros Ransomware (a.k.a. Zeropadypt Ransomware) is an extremely dangerous virus that forcibly encrypts personal data and blocks access to it. By doing so, the ransomware developers push users to pay a ransom (around $1000) for a unique decryption key. After infiltrating the device, it immediately starts going through files such as images, videos, music, text documents and other valuable data stored on your computer and encrypts them using the AES-256 encryption algorithm. After that, the ransomware assigns a unique .odveta extension to each file, making it impossible to open. For example, if sample.mp4 gets encrypted, its name will change to sample.mp4.odveta. There are many other versions and variations of Ouroboros Ransomware that change file extensions to .bitdefender, .harma, .rx99, .Lazarus, .Lazarus+, .James, .lol, .hiddenhelp, .angus, .limbo, or .KRONOS. Some of the recent extensions, like .bitdefender, were created as mockery, because BitDefender released a decryption tool that, unfortunately, cannot decrypt the latest Ouroboros Ransomware variants.

How to remove Ech0raix (QNAPCrypt) Ransomware and decrypt .encrypt files

Ech0raix, a.k.a. QNAPCrypt, is a type of malware classified as ransomware that uses uncommon methods of penetrating systems and encrypting users' data. Besides typical system infection, it also spreads across physical network appliances like Synology or QNAP NAS devices that are meant to ensure high-quality internet connections. After sneaking into the system, the intruders gain access to your "admin" account by matching the password (if set) and start encrypting vulnerable files as a result. Unlike other ransomware, it infiltrates network devices by violating their settings, which leads to their malfunction. Consequently, users are compelled to update their software or ask for professional help. Like Medusalocker or Ouroboros, it uses AES-256 algorithms to lock data such as images, videos, office documents, and others, assigning the .encrypt extension to each file so that it looks like this: 1.mp4.encrypt. Once done, users are no longer able to access their data and are forced to deal with the ransom note that is created after the encryption.

How to remove Zeoticus Ransomware and decrypt .zeoticus files

Zeoticus is file-encrypting ransomware that restricts access to your personal data (images, videos, text files, audio files, etc.) by encrypting files and appending the .zeoticus@tutanota.com.zeoticus extension. It affects all versions of Windows, including Windows 7, Windows 8.1 and Windows 10. Once it is launched on your computer, it rapidly goes through your folders, scanning for a certain group of files to encrypt. It primarily looks for files with extensions like .doc, .docx, .pdf, and others. When these files are detected, their extension is immediately changed to .zeoticus@tutanota.com.zeoticus, and at the same time all of the Shadow Volume Copies that were generated on your PC are destroyed, so that you can no longer open them. The only possible way seems to be paying a ransom, which often varies from 500 to 1000 dollars, and that is a lot. So do not fall into this trap! Even if you pay this amount of money, there is no guarantee that the fraudsters will give you access back. It is just a matter of guessing.

How to remove MuchLove Ransomware and decrypt .encrypted files

MuchLove is another example of a file-encrypting virus classified as ransomware. After installation, it ruthlessly encrypts multiple file types such as MS Office documents, PDFs, music, images, video, and others. Users are shocked once they realize that their data has become inaccessible and desperately try to restore it. Usually, decryption requires assistance from third-party tools since all manual attempts are useless. Also, the encrypted data acquires a new extension, which is .encrypted in our case. To illustrate, the default 1.mp4 will be changed to 1.mp4.encrypted and its icon will be reset. Note that the ".encrypted" extension is generic since it is used by multiple developers. This makes it a bit harder to choose appropriate measures to combat the program because you cannot identify exactly which virus attacked your PC. However, it can be identified from the content of the ransom note (READ_IT.txt) that is created after encryption.

How to remove Dharma-Ncov Ransomware and decrypt .[coronavirus@qq.com].ncov files

Data encryption and potential identity threat: both describe Dharma-Ncov Ransomware. Part of the Dharma family, it vigorously blocks files stored on victims' PCs and pushes them into paying a ransom to get the files back. Dharma-Ncov targets multiple file formats (e.g. images, videos, music, office documents) that are presumably of great value to regular users. It encrypts data and appends a unique ID (assigned to each victim), an e-mail address and an extension to the end of each filename. For example, the original 1.mp4 will be changed to 1.mp4.id-1E857D00.[coronavirus@qq.com].ncov and its icon will be reset as a result. The e-mail address and other details may vary since the developers update their virus to fix different bugs. After successful encryption, the program drops a text file with ransom information onto the desktop. The extortionists then say that you should send a message with the attached ID to coronavirus@qq.com (or another address) to get further instructions. They also inform you that any attempts to decrypt the files are useless and can result in permanent loss. Unfortunately, this is true because most ransomware uses tough-to-decrypt algorithms, which make files unrecoverable even with high-tech utilities.