How to remove Dkq Ransomware and decrypt .dkq files
Dkq Ransomware is a malicious program that belongs to the notorious Dharma ransomware family. It is designed to encrypt files on infected computers, rendering them inaccessible to the user until a ransom is paid. This ransomware appends the .dkq extension to the encrypted files, along with a unique ID and the cybercriminals' email address. The new file name format includes the original file name, a unique ID, the attackers' email address, and the ".dkq" extension. For example, a file named document.docx might be renamed to document.docx.id-67RTA8W4.[dkqcnr@cock.li].dkq. After encryption, Dkq Ransomware creates a ransom note in a text file named info.txt and displays a pop-up window with further instructions. The note informs victims that their files have been encrypted and provides instructions on how to contact the attackers to pay the ransom, usually in Bitcoin. The note also warns against using third-party decryption tools or modifying the encrypted files, as this could result in permanent data loss. Dkq Ransomware uses strong encryption algorithms, typically a combination of RSA and AES, to lock files. This method ensures that decryption without the corresponding decryption key is virtually impossible.
How to remove El Dorado Ransomware and decrypt .00000001 files
El Dorado Ransomware is a sophisticated strain of malware that emerged in mid-2022. It is a variant of the LostTrust ransomware and is known for its double extortion tactics, which involve encrypting a victim's data and threatening to leak it on the dark web if ransom demands are not met. This ransomware has quickly gained notoriety for its robust encryption methods and its ability to target a wide range of industries and geographies, including critical infrastructure sectors. El Dorado ransomware encrypts files and appends the .00000001 extension to the filenames. For example, 1.jpg becomes 1.jpg.00000001 and 2.png becomes 2.png.00000001. The encryption algorithms used by El Dorado are highly robust, making decryption without the attacker's key extremely difficult, if not impossible. Upon successful encryption, El Dorado generates a ransom note titled HOW_RETURN_YOUR_DATA.TXT. This note informs victims of a network breach due to vulnerabilities, resulting in unauthorized access and data theft. It warns against terminating unknown processes, shutting down servers, or unplugging drives, as these actions could lead to partial or complete data loss. The note offers to decrypt a couple of files (up to 5 megabytes) for free, with the remainder decrypted upon payment. It also includes instructions on how to contact the attackers via a live chat.
How to remove Rapax Ransomware and decrypt .rapax files
Rapax Ransomware is a type of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. This ransomware is part of a broader family of ransomware variants that employ sophisticated encryption techniques to lock users out of their data. The primary goal of Rapax Ransomware is to extort money from victims by promising to provide a decryption key in exchange for a ransom payment. Upon successful infection, Rapax Ransomware encrypts the victim's files and appends a specific extension to the filenames. In the case of Rapax, the extension added is .rapax. For example, a file named document.txt would be renamed to document.txt.rapax. Rapax Ransomware employs advanced encryption algorithms to lock files. It uses a combination of AES (Advanced Encryption Standard), Salsa20, and RSA (Rivest-Shamir-Adleman) encryption methods. These algorithms ensure that the encrypted files are virtually impossible to decrypt without the corresponding decryption key, which is held by the attackers. After encrypting the files, Rapax Ransomware creates a ransom note to inform the victim of the attack and provide instructions for payment. The ransom note is typically named instruction.txt and is placed on the desktop and in various folders containing encrypted files. Additionally, the ransomware may change the desktop wallpaper to display the ransom note, ensuring that the victim is aware of the attack.
How to remove Cebrc Ransomware and decrypt .cebrc files
Cebrc Ransomware is a type of malicious software designed to encrypt files on an infected computer, making them inaccessible to the user. The primary objective of this ransomware is to extort money from victims by demanding a ransom in exchange for the decryption key needed to restore access to the encrypted files. Cebrc ransomware is part of a broader category of malware known as crypto-ransomware, which specifically targets and encrypts valuable data. Once Cebrc ransomware infects a system, it encrypts the victim's files and appends the .cebrc extension to the encrypted files. This alteration makes it immediately apparent to the victim that their files have been compromised. The ransomware employs strong encryption algorithms to lock the victim's files. While the specific encryption algorithm used by Cebrc ransomware is not always disclosed, most modern ransomware variants use a combination of symmetric (AES) and asymmetric (RSA) encryption. This dual approach ensures that the files are securely encrypted and that the decryption key is stored on a remote server controlled by the attackers, making it difficult for victims to decrypt the files without paying the ransom. After encrypting the files, Cebrc ransomware generates a ransom note (read_it.txt) to inform the victim of the attack and provide instructions on how to pay the ransom.
How to remove Powz Ransomware and decrypt .powz files
Powz Ransomware is a variant of the STOP/Djvu ransomware family, known for encrypting files on infected systems and demanding a ransom for their decryption. This ransomware appends the .powz extension to the filenames of encrypted files, rendering them inaccessible to the user. The primary goal of Powz ransomware is to extort money from victims by holding their data hostage until a ransom is paid. Once Powz ransomware infects a system, it scans for files to encrypt. It uses the Salsa20 encryption algorithm, which, while not the strongest, still provides a significant challenge for decryption without the proper key. For example, document.docx becomes document.docx.powz. After encrypting the files, Powz ransomware creates a ransom note named _readme.txt in each folder containing encrypted files. This note provides instructions for contacting the attackers via email (support@fishmail.top or datarestorehelp@airmail.cc) and details the ransom amount, which ranges from $490 to $980, depending on how quickly the victim contacts the attackers. The note also offers to decrypt one file for free as proof that decryption is possible.
How to remove Kkll Ransomware and decrypt .kkll files
Kkll Ransomware is a malicious program that belongs to the Djvu ransomware family. It is designed to encrypt files on the victim's computer, rendering them inaccessible, and then demands a ransom for their decryption. This type of ransomware is particularly insidious because it not only locks users out of their files but also pressures them into paying a ransom to regain access. Once Kkll ransomware infects a system, it scans for various file types, including images, documents, and videos, and encrypts them. The encrypted files are then appended with the .kkll extension. For example, a file named photo.jpg would be renamed to photo.jpg.kkll after encryption. Kkll ransomware uses sophisticated encryption algorithms to lock files. The exact encryption method is not always disclosed, but it typically involves strong encryption standards that are difficult to break without the decryption key. The ransomware generates a unique key for each victim, which is required to decrypt the files. After encrypting the files, Kkll ransomware creates a ransom note named _readme.txt in all affected folders. This note informs the victim that their files have been encrypted and provides instructions on how to pay the ransom to obtain the decryption key. The ransom note typically includes a statement that the files have been encrypted and can only be decrypted with a unique key, the ransom amount (usually $980, but can be reduced to $490 if the victim contacts the attackers within 72 hours), instructions to send an email to the provided addresses (e.g., helpmanager@mail.ch and restoremanager@airmail.cc) to get further instructions, and an offer to decrypt one file for free as proof that decryption is possible.
How to remove DORRA Ransomware and decrypt .DORRA files
DORRA Ransomware is a malicious software variant from the Makop ransomware family, designed to encrypt files on a victim's computer, making them inaccessible until a ransom is paid. This ransomware typically spreads through phishing emails, malicious advertisements, drive-by downloads, and pirated software. Once it infects a computer, DORRA encrypts files using strong encryption algorithms such as AES, Salsa20, and RSA, and appends the .DORRA extension to the filenames. For example, 1.jpg becomes 1.jpg.[2AF20FA3].[dorradocry@outlook.com].DORRA. After encryption, DORRA generates a ransom note named +README-WARNING+.txt, which informs the victim that their files have been encrypted and stolen. The note warns against attempting to decrypt the files independently, as this could corrupt them and lead to permanent data loss. It instructs the victim to contact the attackers via the provided email address (dorradocry@outlook.com) and to send their unique ID, embedded in the filenames, to receive further instructions on how to decrypt their files. The note also threatens to publish the victim's data on the internet if the ransom is not paid.
How to remove Trinity Ransomware and decrypt .trinitylock files
Trinity Ransomware is a newly identified strain of ransomware that has recently emerged as a significant threat in the cybercrime landscape. Discovered by Cyble Research and Intelligence Labs (CRIL) on May 10, 2024, Trinity employs a sophisticated double extortion technique, combining data encryption with the threat of revealing sensitive information to coerce victims into paying a ransom. This ransomware shares notable similarities with the Venus ransomware, particularly in its use of specific registry values and mutex naming conventions. Upon successful infection, Trinity ransomware encrypts user files and appends a .trinitylock extension to them. This alteration of file extensions is a common tactic used by ransomware to signal that the files have been compromised and to prevent easy access without decryption. After encrypting the files, Trinity ransomware generates a ransom note (README.txt), typically placed in various directories on the infected system. The note demands payment in exchange for the decryption key and threatens to release sensitive exfiltrated data if the ransom is not paid. The exact content and format of the ransom note can vary, but it generally includes instructions on how to make the payment, often in cryptocurrency, and may provide a sample file decryption to prove the effectiveness of their decryptor.