Ransomware

Gunra Ransomware is a type of malicious software designed to encrypt digital data and demand ransom payments for access restoration. This ransomware appends the file extension .ENCRT to each encrypted file, transforming filenames like document.docx to document.docx.ENCRT, thereby locking users out of their own data. It employs sophisticated encryption algorithms, making decryption without the necessary keys virtually impossible. Once the ransomware has completed the encryption process, it creates a note, the R3ADM3.txt, which is typically placed in affected directories and prominently displayed on the victim's desktop. This ransom note explains the encryption situation, claims the theft of sensitive business data, and outlines the process of contacting the cybercriminals via the Tor network to potentially regain access to compromised files. Victims are often lured into contacting the attackers by the incentive of decrypting some files for free as proof of capabilities, along with a stern warning that delays or non-cooperation will lead to public data exposure.

Krypt Ransomware is a malicious program that operates as a file-locking Trojan, demanding a ransom from its victims in exchange for the decryption of their compromised data. Once it infiltrates a system, it utilizes sophisticated encryption algorithms to lock files and render them inaccessible. A distinctive characteristic of this ransomware is its renaming mechanism; it alters the original file names to a random character string and appends them with the .helpo extension. For instance, a file initially named photo.jpg might be transformed into Gs2Rt9e.helpo after encryption. The encryption deployed by Krypt Ransomware is typically complex, often involving robust algorithms that significantly limit the chances of decryption unless the attackers' private decryption key is procured. This level of encryption ensures that files remain securely locked, amplifying the pressure on victims to comply with the ransom demands. After encrypting the files on a victim's machine, Krypt Ransomware creates a ransom note in a text file named HowToRecover.txt, placed conspicuously on the desktop and potentially other locations to maximize visibility.

PetyaX Ransomware is a malicious software variant akin to other ransomware strains designed to encrypt user data, making it inaccessible until a ransom is paid. This ransomware operates by appending the .petyax extension to each file it encrypts, thereby altering the original file extensions and effectively rendering the files unusable in their encrypted state. For example, a file named document.pdf would be renamed to document.pdf.petyax after encryption. PetyaX utilizes the AES-256 encryption algorithm, a robust and virtually unbreakable form of encryption when correctly implemented, making its decryption without the designated key exceptionally difficult. Once encryption is completed, the ransomware creates a ransom note to inform victims of their circumstances. This note, saved as an HTML file named note.html, usually appears on the desktop or within the directory of encrypted files, instructing victims on how to make payment, typically 300 USD in Bitcoin, to allegedly receive decryption software or keys.

HexaCrypt Ransomware represents a new threat in the digital landscape, maliciously designed to encrypt victim files and extort payment for their decryption. After infiltrating a system, this ransomware appends a string of random characters to affected files, which alters their extensions, leaving them unopenable without the decryption key. For instance, a file named example.jpg could be renamed to example.jpg.8s43uq12, rendering it inaccessible. The attackers leverage advanced encryption algorithms, making it nearly impossible for victims to regain access to their data without a decryption tool provided by the cybercriminals themselves. Alongside the file encryption, HexaCrypt drops a ransom note file named [random_string].READ_ME.txt in various directories, presenting the victim with instructions on how to proceed with the ransom payment. The note often demands a specific amount in Bitcoin and provides a limited timeframe for compliance, under the threat of permanent data loss or public release of the stolen files.

Qilra Ransomware represents a formidable cyber threat, encrypting victims' files and appending the distinctive .qilra extension. Upon executing, it stealthily infiltrates the system, scanning for sensitive data before launching its encryption routine. Though the precise encryption method isn't publicly disclosed by its developers, ransomware of this nature typically implements robust cryptographic algorithms like AES or RSA, making unauthorized decryption nearly impossible without the unique decryption key held by the attackers. After encrypting the files, it generates a ransom note named RESTORE-MY-FILES.TXT, strategically placing it on the victim’s desktop. This note informs the user of the encryption and demands a ransom for file recovery, often pushing the victim to contact the attackers through a provided email address.

CrypteVex Ransomware is a malicious software program classified as ransomware, primarily designed to encrypt valuable data on a targeted system and subsequently demand a ransom in exchange for a decryption key. Upon infiltrating a computer, it systematically encrypts files, rendering them inaccessible, and appends each file name with a .cryptevex extension, indicating their compromised state. For instance, a file named document.txt would become document.txt.cryptevex post-infection. Employing robust cryptographic algorithms, often a combination of symmetric and asymmetric encryption, CrypteVex ensures that without the decryption key, deciphering the locked files is virtually impossible for the average user. Victims are typically greeted with a ransom note, which is both pasted as the desktop wallpaper and saved as an HTML file named README.html in various directories. This message ominously warns users about their encrypted files, urging them to purchase a decryption tool from the attackers within a specified time frame, with threats of doubling the ransom if delayed beyond two days.

Forgive Ransomware is a type of malware that encrypts files on an infected system, effectively rendering them inaccessible until a ransom is paid. Once executed, it targets a variety of file types and appends the .forgive extension to each, making it easily identifiable while also disturbing the user's file structure by altering filenames such as picture.jpg to picture.jpg.forgive. Using advanced encryption algorithms, the ransomware ensures that the files cannot be opened or used without the decryption key that only the attackers possess. An important component of this ransomware is its ransom note, which it leaves in the form of a pop-up window titled ransom_note.txt. This note appears on the user's desktop, demanding a payment of $500 in Ethereum to a specified wallet address with the promise of providing a decryption key in return. Typically, paying the ransom does not guarantee recovery of the files, as victims often find that cybercriminals do not send the necessary decryption keys even after payment.

Discovered by our team of researchers, Hudson Ransomware is a malicious software that encrypts files on infected systems and demands a ransom for their decryption. This ransomware appends filenames with the extension .{victim's_ID}.hudson, rendering files inaccessible without the decryption key provided only upon payment. Victims will typically notice their files, once named something like example.docx, appearing as example.docx.{victim's_ID}.hudson. The encryption methods employed by Hudson Ransomware are highly sophisticated, likely utilizing a combination of asymmetric and symmetric algorithms to ensure that decryption is impossible without the unique private key. Following encryption, Hudson Ransomware leaves a ransom note named README.TXT on the infected device. This file contains instructions on how to recover the encrypted data, typically warning users not to rename files or attempt third-party decryption, as these actions could result in permanent data loss.