Ransomware

Articles about removing Windows lockers, Browser lockers, Crypto-viruses and other types of blackmailing threats.

How to remove JOKER (Chaos) Ransomware and decrypt your files

JOKER (Chaos) Ransomware is a malicious program categorized under the ransomware class, primarily designed to encrypt valuable data on a victim's computer and demand a ransom for the decryption key. Based on the Chaos ransomware variant, it appends an extension composed of four random characters to each encrypted file. For example, a file named 1.jpg would be renamed to 1.jpg.xb0d after encryption. After encrypting files, the ransomware changes the desktop wallpaper and creates a ransom note titled read_it.txt. In the note, the attackers demand 1,500 USD, payable in Monero cryptocurrency, for the decryption software. The exact amount in Monero is listed as 9.05 XMR, although this value can fluctuate based on current conversion rates.

How to remove Qual Ransomware and decrypt .qual files

Qual Ransomware is a malicious program identified as part of the Djvu ransomware family, designed to encrypt files on an infected system and demand a ransom for their decryption. When Qual executes, it appends the .qual extension to the name of each encrypted file, rendering them inaccessible without the decryption key. For example, a file initially named photo.jpg will be renamed to photo.jpg.qual. The encryption mechanism employed by Qual is robust, typically utilizing advanced cryptographic algorithms that make decryption without the corresponding decryption key virtually impossible. After encrypting the files, Qual drops a ransom note in a text file named _readme.txt, which can usually be found in every folder containing encrypted files. This note instructs the victim to contact the attackers via specific email addresses and outlines the ransom amount required for the decryption tool, often offering a discount if payment is made within a certain timeframe.

How to remove DragonForce Ransomware and decrypt .dragonforce_encrypted files

DragonForce Ransomware is a sophisticated type of malware designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. This ransomware first surfaced in early 2024 and was identified through malware samples on VirusTotal. Upon execution, DragonForce encrypts files and renames them by appending the extension .dragonforce_encrypted. An example of this would be renaming document.pdf to random_string.dragonforce_encrypted. The encryption methodology employs strong algorithms, making decryption challenging without the specific decryption key. These keys are usually stored remotely by the attackers to prevent victims from easily retrieving them. Alongside the encrypted files, DragonForce also generates a ransom note named readme.txt, typically placed in each affected directory and on the victim's desktop.

How to remove StormCry Ransomware and decrypt .stormous files

StormCry Ransomware, also known as Stormous, is a particularly vicious type of malware that encrypts valuable data on infected systems and demands a ransom for decryption. Discovered by cybersecurity researchers during routine investigations, this ransomware targets a wide array of files including databases, documents, photos, and videos. Once the encryption process is completed, it renames the affected files by appending a .stormous extension, turning a file like example.jpg into example.jpg.stormous. The attackers use robust cryptographic algorithms to ensure that the victims cannot regain access to their files without a unique decryption key that they hold. This tactic not only makes the data unusable but also leaves victims with few options for recovery other than paying the ransom. After encryption, StormCry Ransomware generates ransom notes in both HTML (readme.html) and text format (pleas_readme@.txt), which are placed in visible locations on the infected machine, such as the desktop and within encrypted folders.

How to remove Promorad Ransomware and decrypt .promorad or .promorad2 files

Promorad Ransomware is a malicious variant of the notorious Djvu ransomware family, designed to encrypt vital files on a victim's computer and demand a ransom for their decryption. Once it infiltrates a system, it appends the .promorad or .promorad2 file extension to the names of the encrypted files, rendering them inaccessible. For instance, a file previously named document.jpg will be renamed to document.jpg.promorad. This ransomware uses robust encryption algorithms, frequently leveraging AES or RSA cryptographic methods to ensure that decrypting the files without the necessary key is practically infeasible. After encryption, Promorad Ransomware generates a ransom note named _readme.txt, which is strategically placed in every folder that contains encrypted files. This note contains instructions on how victims can contact the cybercriminals and make the ransom payment to obtain the decryption key.

How to remove Senanam Ransomware and decrypt .senanam files

Senanam Ransomware is malicious software that primarily infects Windows machines and encrypts the files present on the system to extort a ransom from victims. After it infiltrates a computer, it appends the .senanam extension to the original filenames of the locked files. For instance, a file named document.pdf would be encrypted and renamed to document.pdf.senanam. The ransomware operation often employs robust encryption methods such as AES (Advanced Encryption Standard) to secure the files, making decryption without the key extremely difficult. Once the encryption process is complete, the ransomware generates a ransom note typically named READ_IT.txt and places it in each folder containing encrypted files. This note contains instructions for the victim on how to pay the ransom in order to receive a decryption key, usually requiring payment in cryptocurrency such as Bitcoin.

How to remove 2000USD Ransomware and decrypt .2000usd files

2000USD Ransomware is a type of malicious software designed to encrypt a victim's files and demand a ransom payment in exchange for the decryption key. Once it infiltrates a system, typically through phishing emails or downloads from untrusted websites, it encrypts various file types and appends the .2000usd extension to the affected files, rendering them inaccessible. This ransomware uses a robust encryption algorithm, although the specific type is often not disclosed to victims. After encryption, it generates a ransom note named ----Read-Me----.txt, which is usually placed in each folder containing encrypted files. The note details instructions for the victim, including the ransom amount (usually in cryptocurrency) and how to contact the attackers to obtain the decryption key.

How to remove Sorcery Ransomware and decrypt .sorcery files

Sorcery Ransomware is a pernicious type of malware specifically designed to encrypt the victim's files and extort money in exchange for a decryption key. Once it infiltrates a system, it appends the .sorcery extension to all affected files, transforming, for example, document.txt into document.txt.sorcery. This ransomware employs robust cryptographic algorithms to lock your data, making decryption without the correct key virtually impossible. Furthermore, Sorcery Ransomware alters the victim's desktop wallpaper and drops a ransom note named README.hta, both of which inform the affected user about the encryption and demand a ransom for the decryption key. The note explicitly states that the victim’s files were not only encrypted but also stolen, with threats to publish the data on a Tor network webpage if the ransom demands are not met within a specified time frame.