Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove AttackNew Ransomware and decrypt .attacknew1 files

AttackNew Ransomware is a malicious software variant belonging to the MedusaLocker ransomware family, which aims to extort money from victims by encrypting files and demanding a ransom for their release. Upon executing this malware on a test system, it was observed that it appended an extension, such as .attacknew1, to the names of the encrypted files. This ransomware uses sophisticated cryptographic algorithms like RSA and AES, making decryption extremely challenging without the unique decryption keys that the attackers possess. After successful encryption, it generates a ransom note named how_to_back.html, which can typically be found on the victim's desktop or within affected directories. This note informs victims that their company's network has been compromised and that their files are encrypted, emphasizing that any attempt to decrypt the files without the attackers' help will lead to data corruption.

How to remove Mango Ransomware and decrypt .mango files

Mango Ransomware is a sophisticated type of malware belonging to the Phobos ransomware family, identified during routine security inspections. This malware encrypts files on the infected system and appends a unique file extension to each compromised file, dramatically altering its filename. Specifically, it appends a combination of a unique ID specific to the victim, the cybercriminal’s email address, and the extension .mango to the original filenames. For example, a file initially named picture.jpg would be altered to picture.jpg.id[unique_id].email[mango@onionmail.com].mango. The encryption algorithm employed by Mango Ransomware is complex and highly efficient, making decryption without the proper key extremely challenging. Upon encrypting the files, the ransomware generates two types of ransom notes: one displayed in a pop-up window titled info.hta and another created as a text file named info.txt deposited onto the desktop and within all encrypted directories.

How to remove Griffin Ransomware and decrypt .griffin files

Griffin Ransomware, recognized for its severe impact on victims, is a malicious program designed to encrypt files and extort payments for their decryption. This ransomware primarily changes the names of the encrypted files to a random character string, appending the .griffin extension to each file. It employs robust encryption algorithms, making it difficult for any unauthorized party to access the locked files without the appropriate decryption key held by the attackers. Upon successful encryption, Griffin Ransomware generates a ransom note, typically titled #Recovery.txt, and drops it onto the desktop or into folders containing the infected files. The ransom note informs victims of the encryption, providing contact details for the cybercriminals while also implying a severe financial consequence if the ransom is not paid promptly.

How to remove Magniber (My Decryptor) Ransomware and decrypt .[5-9-random-letters] files

Magniber Ransomware (My Decryptor Ransomware) is a widespread crypto-virus that targets Windows PCs. It focuses on English-speaking and South Korean users. Since June 2018, Magniber attacks have shifted to other countries in the Asia-Pacific region: China, Hong Kong, Taiwan, Singapore, Malaysia, Brunei, Nepal and others. The virus got its name from the combination of two words, Magnitude + Cerber: Magnitude is an exploit kit, and it was the infection vector for Cerber. With the arrival of this threat, the Cerber malware ended its distribution in September 2017. The Tor site of the ransomware, however, calls it My Decryptor, which is where the second part of the name comes from. After encryption, Magniber My Decryptor Ransomware can add 5, 6, 7, 8 or 9 random letters as the file extension. Over the years the ransomware has used various names for its ransom note files: _HOW_TO_DECRYPT_MY_FILES_[random]_.txt, READ_ME_FOR_DECRYPT_[random]_.txt, READ_ME_FOR_DECRYPT.txt. The most recent one is READ_ME.txt.

How to remove Qilin (Agenda) Ransomware and decrypt your files

Qilin Ransomware is a formidable threat that belongs to the Agenda family of ransomware, known for its ability to encrypt various file types including documents, images, and videos, rendering them inaccessible to the user. Upon infection, it appends a unique string in the form of a file extension to each targeted file, which can be represented as *.random_string. This transformation indicates that the file has been compromised, and access has been effectively locked by the attackers. Alongside this encryption, Qilin Ransomware generates a ransom note, titled [random_string]-RECOVER-README.txt, which is placed in every folder containing encrypted files. This document contains critical information regarding the attack, including instructions on how to contact the attackers and details regarding the ransom payment for the decryption key.

How to remove Adobe Ransomware and decrypt .adobe files

Adobe Ransomware, also known as the Adobe virus, is a type of malicious software that belongs to the Dharma ransomware family. This cyber threat predominantly targets Windows operating systems, aiming to encrypt sensitive user files, rendering them inaccessible. Once the system is compromised, Adobe Ransomware appends specific file extensions to the affected files, most commonly .adobe or .adobee, in addition to a unique identifier and an email address of the attackers. As a sophisticated ransomware variant, it typically employs robust encryption methods, often relying on asymmetric encryption algorithms. This means that files are locked with a unique key that is stored on a remote server controlled by the attackers, making unauthorized decryption without their intervention nearly impossible. The attackers usually emphasize the importance of contacting them for decryption, creating a daunting scenario for victims. Upon successful encryption, victims are presented with a ransom note contained within a text file labeled FILES ENCRYPTED.txt, which is generated during the attack. This note includes a message indicating that all files have been locked due to a security issue and instructs victims to contact the cybercriminals at a specified email address to negotiate a ransom payment, typically demanded in Bitcoin.

How to remove FridayBoycrazy Ransomware and decrypt your files

FridayBoycrazy Ransomware is a significant threat that has emerged recently, designed to encrypt files on infected systems and extort ransom payments from victims. This variant, based on the Chaos ransomware, exhibits a severe level of damage by actively encrypting various file types and making them inaccessible without a decryption key. Once this malicious software is executed, it meticulously renames encrypted files by appending a string of random characters to their original extensions. For example, a file named 1.jpg may be altered to 1.jpg.j3y4, making recovery efforts more challenging for victims. Upon completion of the encryption process, it generates a ransom note named Warning.txt, which is typically placed on the desktop and informs users that their files have been compromised. The perpetrators claim that decryption without their assistance is impossible, thereby fueling fear and urgency in their victims to pay the ransom.

How to remove Pomoch Ransomware and decrypt .pomoch45 files

Pomoch Ransomware is a recent variant belonging to the MedusaLocker ransomware family, primarily targeting corporate networks rather than individual users. Once it infiltrates a system, it encrypts various file types and appends a unique extension to the filenames, specifically .pomoch45. The encryption process involves the use of advanced cryptographic algorithms, including RSA and AES, rendering files inaccessible without the decryption key possessed by the attackers. Following the encryption, the ransomware generates a ransom note named How_to_back_files.html, which is dropped on the infected system to notify victims of the attack and provide further instructions. The note emphasizes the seriousness of the breach, stating that sensitive data has been exfiltrated, and threatens to leak this information unless the ransom is paid.