Ransomware

BitPyLock was discovered by MalwareHunterTeam and therefore categorized as ransomware. The penetration of this kind of malware leads to instant encryption to all of the files stored on your computer. BitPyLock primarily attacks photos, videos, databases and office projects which appear to be most valuable for regular users. The program uses strong military-grade encryption algorithm, RSA-4096 to be exact, thereafter changing each file extension to .bitpy. For example, 1.mp4 will be transformed into 1.mp4.bitpy which makes it impossible to open any of those. There are also other forms of this ransomware that exploit data with .domain_name or .andradegalvao extensions. BitPyLock Ransomware makes everything possible to restrict you from manual recovery by deleting backup files from the system as well. By the end of encryption, it creates an HTML note with ransom payment details.

We have already deconstructed lots of ransomware like Ouroboros, Ako, NEMTY, and others. Today, we are topping up our list with MedusaLocker Ransomware. This dreadful software is known to be encrypting the files of innocent users, therefore, making them unretrievable until a ransom is paid. Virus got its name because of the name of the project file, that says: MedusaLocker.pdb. Also, the "Medusa" section is created in the registry. Once installed on a computer, it rapidly blocks off the access to your data by assigning a unique .encrypted or .readtheinstructions or .readinstructions extensions to each file. This way, 1.jpg changes itself to 1.jpg.readtheinstructions. Unfortunately, any manipulations are useless because of the strong cipher that is hard to break manually. When encrypting files, AES encryption will be used to encrypt each file, and then the AES key will be encrypted with the RSA-2048 public key included in the Ransomware executable. Depending on ransomware edition, extensions may also look like .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet as well. After successful encryption of data, extortionists add an HTML or text file, called ransom note, that contains the necessary information on how to recover your data.

GarrantyDecrypt has taken cemented position around the ransomware category and already deprived a fair amount of nerves and money of its victims. Like other ransomware, it infiltrates your computer by running encryption scripts that scan your device and therefore assign unbreakable cipher to each file. The first versions of this malware used .garrantydecrypt, .decryptgarranty, .protected, .NOSTRO, .odin, .cosanostra, .cammora, .metan, .spyhunter, .tater, .zorin extensions. However, encryption virus gets constantly modified and suffixes are changed too. Most recent extensions used by GarrantyDecrypt Ransomware are: .bigbosshorse, .heronpiston or .horsedeal. To illustrate, after encryption, 1.mp4 will be changed to 1.mp4.bigbosshorse or other abovementioned extensions. Unfortunately, any manual attempts to unlock the data are desperate. Once the encryption is finished, you will be presented with a ransom note created on desktop notifying that your data has been blocked.

The odds of getting hacked are progressively escalating each day because of the wide distribution of malware and other social engineering tricks. NEMTY Ransomware is not an exception either, that was originally revealed in 2019 and revived with a new force with NEMTY 2.5 REVENGE Ransomware in 2020. Like other types of ransomware, it is meant to encrypt files stored on the user's PCs by using the AES-256 encryption algorithm. However, the algorithm is used with a mistake and looks more like AES-128/192. It appends unbreakable code that restricts access to data like .docx, .xlsx, .pptx, .mp3, .mp4, .png and other types of files. Once it has encrypted your data, the virus, therefore, alters the extension name to .NEMTY. The most recent varieties use the complex extension .NEMTY_XXXXXXX, where XXXXXXX is a random 7-digit alphanumerical sequence. After the encryption process is finished NEMTY leaves a note on desktop notifying that your data was encrypted and the only way you to recover it is by paying a ransom (approximately 1000$).

Dharma-Wiki Ransomware is a file-encrypting type of malware designed to deprive the money and nerves of its victims. It belongs to the notorious Dharma/Crysis Ransomware family. It interferes with file extensions by changing them to .id-{random-8-digit-alphanumerical-sequence}.[bitlocker@foxmail.com].wiki and remains encrypted until a ransom is paid. After the blocking process is finished, it will leave a ransom note on your desktop notifying that your data was successfully encrypted and requires action. To encrypt your files, you have got to contact hackers via one of the methods presented in the note and pay a specific fee to get your files back. This kind of frauds is trying to encrypt the most precious data stored on your PC like text documents, videos, images, and others. Therefore, they gamble on the value of your data to push you into paying an equal exchange. Of course, cybercriminals are trying to hurry you up by threatening that if you do not pay within 24 hours, they will raise the price up. If you refuse paying a ransom, they might also begin saying that they will spread your data to third parties and they will make a bad use of it. The ransom must be paid solely in Bitcoin cryptocurrency apparently because of its secure blockchain technology. Unfortunately, there has not been any free tool that could take off the blocking algorithm from files so far.

Paradise Ransomware is file-encryption virus, that encrypts user's files using RSA-1024 encryption algorithm. Latest versions of this threat append .VACv2, .CORP or .xyz extensions. Previously, Paradise Ransomware used .paradise, .sell, .ransom, .logger, .prt and .b29. Among all variations, only last one can be decrypted. Ransomware has many similarities with Dharma Ransomware, as it has very look-a-like design and uses similar patterns for file modifications. Authors of the virus offer e-mail to contact them for decryption negotiation: admin@prt-decrypt.xyz. They demand several thousand dollars for decryption, that have to be paid in BitCoins. It is also stated, that 1-3 useless files can be decrypted for free as a prove, that decryption is possible. However, malefactors cannot be trusted. Instead, we recommend you to try instructions below to restore files encrypted by Paradise Ransomware.

Muhstik Ransomware is nasty cipher virus, that encrypts user data on QNAP NAS network drives using AES-256 (CBC mode) + SHA256 algorithms, and then requires a ransom of 0.045 - 0.09 BTC (currently ~$700) to return the files. According to researchers, this program is not directly related to eCh0raix Ransomware, although there is a certain external similarity. After finishing encryption procedure, malware adds .muhstik extension to affected files. The malware first checks the system language and does not start encryption on systems with Russian, Belorus or Ukranian languages. At the moment, there is a public decryption tool called EmsiSoft Decrypter for Muhstik available. It is able to decrypt files encrypted by most versions of this virus. If it is unable to recover the data, full recovery is only possible with the help of backups.

Sodinokibi Ransomware (a.k.a. BlueBackground Ransomware or REvil Ransomware) is disruptive cryptovirus, that encrypts user data using Salsa20 algorithm with the ECDH-based key exchange method, and then requires a ransom around 0.475–0.950 BTC to return the files. In other words, if the amount is set at $2500, then without paying within 7 days, it doubles to $5000. It appeared in April 2019 for the first time. Inside the JSON configuration file is a list of 1079 domains. Sodinokibi establishes a connection with each domain of this list by generating a URL using a domain generation algorithm, although, they are not Sodinokibi servers. Follow the detailed guide on this page to remove Sodinokibi Ransomware and decrypt your files in Windows 10, 8/8.1, Windows 7.