Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove WhiteHorse Ransomware and decrypt .WhiteHorse files

WhiteHorse Ransomware is malicious software designed to encrypt files on an infected system and extort money from victims in exchange for decryption. Once this ransomware infiltrates a computer, it renames files by appending the .WhiteHorse extension. For instance, a file named document.jpg is renamed to document.jpg.WhiteHorse and becomes inaccessible without the decryption key. The ransomware utilizes strong encryption algorithms, making it nearly impossible to decrypt the files without a unique decryption key, which is held by the cybercriminals behind the ransomware. After encrypting the files, WhiteHorse Ransomware creates a ransom note named #Decrypt#.txt within each folder containing the encrypted files.

How to remove H0rus Ransomware and decrypt .h0rus13 files

H0rus Ransomware is malicious software designed to extort money from its victims by encrypting their files and demanding a ransom for the decryption key. Once it infects a system, it scans the victim's computer for specific file types and encrypts them, making them inaccessible without the unique decryption key possessed by the attackers. The ransomware appends a unique file extension, typically .h0rus13, to the encrypted files, which makes it immediately evident to the user that their data has been taken hostage. The encryption algorithm employed by H0rus Ransomware is often highly sophisticated, using strong cryptographic methods such as AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman) encryption, ensuring that decrypting the files without the private key is practically impossible. In addition to encrypting files, H0rus Ransomware leaves a ransom note, usually named #Recovery.txt, in each folder that contains the encrypted files.

How to remove Key Group Ransomware and decrypt .keygroup777 files

Key Group Ransomware is malicious software that was identified while inspecting new submissions to VirusTotal and that belongs to the Xorist ransomware family. After infiltrating a system, Key Group Ransomware encrypts victim files and appends specific extensions such as .keygroup, .keygroup777, or .keygroup777tg, depending on the variant. For instance, a file initially named document.docx would be renamed to document.docx.keygroup777 if compromised by this ransomware. The encryption algorithm used, typically found in Xorist ransomware, is a strong cryptographic method intended to prevent unauthorized access without a decryption key. Once the encryption is complete, the ransomware displays a pop-up window and leaves a text file named HOW TO DECRYPT FILES.txt on the infected system. Both the pop-up and the text file instruct victims to contact the attackers for file decryption, stating that incorrect entry of the decryption code could result in permanent data loss.

How to remove Itlock (MedusaLocker) Ransomware and decrypt .itlock20 files

Itlock Ransomware is part of the MedusaLocker family, a notorious group of ransomware variants known for disrupting personal and organizational workflows by encrypting essential files. This ransomware appends the extension .itlock20 to the filenames of affected files, rendering them inaccessible without a specific decryption key. The number in the extension can vary, but it consistently follows the "itlock" format. The encryption method employed by Itlock ransomware involves a combination of RSA and AES encryption, which ensures that files are securely locked, and only the attackers possess the decryption keys required to restore the files. Once the encryption process is complete, Itlock ransomware generates a ransom note named How_to_back_files.html, which appears on the infected device. This HTML file states that the user's files are encrypted and safe but modified, emphasizing that only the attackers can resolve the issue. The note warns against using third-party software to restore the files, as this could result in permanent corruption.

How to remove CYBORG Ransomware and decrypt .petra files

CYBORG Ransomware is a type of malicious software identified by the malware researcher GrujaRS. This ransomware is designed to encrypt user data and demand a ransom for decryption tools or software. During its encryption process, CYBORG renames files by appending the .petra extension, among others like .lazareus and .Cyborg1. For instance, an original file named 1.jpg would be renamed to 1.jpg.petra after encryption. Once the process is completed, CYBORG stores a text file named Cyborg_DECRYPT.txt on the desktop and even changes the wallpaper to inform users that their data has been encrypted. The ransom note generally demands a payment of $300 in Bitcoin, providing an email address for further contact. As is the norm with ransomware, meeting these ransom demands is strongly discouraged since there is no guarantee that the perpetrators will provide the necessary decryption tools.

How to remove Datablack Ransomware and decrypt .Datablack files

Datablack Ransomware is malicious software that cybercriminals deploy to encrypt valuable data on infected systems and extort ransom payments from victims. Upon infection, the ransomware identifies and encrypts sensitive files, replacing their filenames with a randomly generated string and appending the .Datablack extension. For example, a file named report.docx would be renamed to something like abc123.docx.Datablack. This transformation renders files inaccessible without a decryption key, which the attackers promise to provide in exchange for a ransom. Typically, the ransomware drops a text file named #Recovery.txt on the victim's system, usually on the desktop or within affected directories, to inform users about the breach. The ransom note pressures victims to contact the attackers via designated email addresses and threatens to increase the ransom if payment demands are not met within 48 hours.

How to remove Allarich Ransomware and decrypt .allarich files

Allarich Ransomware is a sophisticated form of ransomware designed to encrypt files on infected systems, rendering them unusable until a ransom is paid. This malware appends the .allarich extension to the filenames of encrypted files, making them easy to identify but challenging to recover without the decryption key. For instance, a file named photo.jpg would be renamed to photo.jpg.allarich once encrypted. Upon successful encryption, the ransomware generates a ransom note named README.txt, typically placed in directories containing encrypted files. This note usually instructs the victim to contact the cybercriminals via a provided email address and warns against using third-party decryption services. It does not mention the exact decryption method or ransom amount, emphasizing instead that the cost depends on the promptness of the victim’s response.

How to remove Hawk Eye Ransomware and decrypt your files

Hawk Eye Ransomware is a damaging variant of malware derived from the Chaos ransomware family. It operates by infiltrating a system and encrypting valuable data to extort a ransom from the victim. When Hawk Eye encrypts files, it appends an extension composed of four random characters, such as .z1bg, to each file name. This extension marks the files as inaccessible without the proper decryption key. The ransomware employs robust encryption algorithms, typically making decryption impossible without the specific key generated during encryption. Alongside the encryption, Hawk Eye Ransomware drops a ransom note titled read_it.txt on the victim's system. This note not only informs the victim of the encryption but also threatens to leak personal data acquired during the infection if the ransom is not paid.