Ransomware

Lord Bomani Ransomware is a type of malware that belongs to the GlobeImposter family. It encrypts files on the victim's computer and appends the developer's email address (Bomani@Email.CoM) to the filenames. For example, a file named 1.jpg would be renamed to 1.jpg.[Bomani@Email.CoM]. The ransomware also creates a ransom note named Read Me!.hTa which informs the victim that their files have been encrypted due to a security issue on their PC. The note provides three email addresses for contacting the attackers: lord_bomani@keemail.me, jbomani@protonmail.com, and bomani@email.com. It also includes a specific ID that must be provided in the subject line when emailing the attackers. The ransom note states that payment for file decryption must be made in Bitcoin, and the cost depends on how quickly the victim contacts the threat actors. It warns against renaming files or attempting to use third-party decryption tools, and it threatens to release sensitive personal data if the ransom is not paid. The note also offers to decrypt up to three files for free as a guarantee, provided the total size of the files is less than 5MB and they do not contain valuable information.

Malware Mage Ransomware is a type of malicious software that encrypts data on an infected computer and demands a ransom for its decryption. Discovered during a routine investigation of new submissions to the VirusTotal platform, this ransomware appends the .malwaremage extension to encrypted files. For instance, a file named 1.jpg would appear as 1.jpg.malwaremage after encryption. The ransomware then displays a pop-up window containing the ransom note. The ransom note informs victims that their documents, videos, images, and other files have been encrypted using the AES-256 cryptographic algorithm. To recover the inaccessible data, victims are instructed to purchase a decryption key from the attackers. The ransom amount is 0.08134 BTC, which is approximately six thousand US dollars, though this value can fluctuate with exchange rates. The note emphasizes that failure to pay within the given time frame will result in the destruction of the decryption key, leading to permanent data loss.

LOTUS Ransomware is a type of malware that encrypts files on a victim's computer, rendering them inaccessible until a ransom is paid. It belongs to the Dharma ransomware family and is designed to extort money from victims by holding their data hostage. After installation, it displays a ransom message in a pop-up window and creates a text file named MANUAL.txt containing further instructions. LOTUS Ransomware appends the .LOTUS extension to the names of encrypted files. Additionally, it includes the victim's ID and the attacker's email address in the filename. For example, a file named 1.jpg would be renamed to 1.jpg.id-B4M9F983.[paymei@cock.li].LOTUS. After encrypting files, LOTUS ransomware creates a ransom note named "MANUAL.txt" and places it in each folder containing encrypted files. The note typically includes a notification of file encryption, instructions on how to pay the ransom (often in cryptocurrency like Bitcoin), and contact information for the attackers (e.g., paymei@cock.li, paymei@tuta.io). It also warns victims not to rename files or try to decrypt them with third-party software, as this may cause permanent damage to the files. The ransom note emphasizes that victims can only receive a decryption key or software from the attackers.

Wormhole Ransomware is a type of malicious software designed to encrypt files on a victim's computer, rendering them inaccessible until a ransom is paid. This ransomware variant is part of a broader category of malware that uses encryption to hold data hostage, demanding payment for the decryption key. The name "Wormhole" is derived from the file extension it appends to encrypted files. Once Wormhole ransomware encrypts files on a victim's computer, it appends the .Wormhole extension to the encrypted files. This extension helps victims and cybersecurity professionals identify the type of ransomware that has infected the system. Wormhole ransomware employs strong encryption algorithms to secure the victim's files. Typically, ransomware uses a combination of symmetric and asymmetric encryption. Symmetric encryption involves using a single key for both encryption and decryption, with AES (Advanced Encryption Standard) being commonly used due to its efficiency and security. Asymmetric encryption involves a pair of keys – a public key for encryption and a private key for decryption, with RSA (Rivest-Shamir-Adleman) often used for this purpose. The exact encryption methods used by Wormhole ransomware are not detailed in the sources, but it is likely to use a combination of AES for file encryption and RSA for securing the AES key, similar to other ransomware variants. After encrypting the files, Wormhole ransomware typically creates a ransom note to inform the victim of the attack and provide instructions for payment (How to recover files encrypted by Wormhole.txt). This note is usually placed in prominent locations such as the desktop or in each directory containing encrypted files. The ransom note may include instructions on how to pay the ransom, often in cryptocurrency like Bitcoin, a deadline for payment to avoid permanent data loss, and contact information for the attackers, often an email address or a link to a dark web site.

TellYouThePass is a type of ransomware that first emerged in 2019. It is known for encrypting files on infected systems and demanding a ransom for their decryption. This ransomware has seen a resurgence, particularly in exploiting vulnerabilities such as the Apache Log4j and more recently, a critical PHP vulnerability (CVE-2024-4577). The ransomware targets both Windows and Linux operating systems and has been rewritten in Golang to facilitate cross-platform attacks. Once TellYouThePass encrypts files on an infected system, it appends the .locked extension to the filenames. For example, a file named document.docx would be renamed to document.docx.locked. TellYouThePass ransomware uses a combination of RSA-1024 and AES-256 cryptographic algorithms to encrypt files. This combination ensures that the encryption is robust and difficult to break without the decryption key. After encrypting the files, TellYouThePass creates a ransom note named README.html in each affected directory. This note contains instructions for the victim on how to pay the ransom, typically in Bitcoin, and how to contact the attackers to receive the decryption tool. The note warns victims not to rename the encrypted files or attempt to decrypt them using other tools, as this could result in permanent data loss.

Razy Ransomware is a malicious software designed to encrypt files on a victim's computer using an asymmetric encryption algorithm. Once it infects a system, it appends either .razy or .razy1337 as extensions to the names of the encrypted files, making them inaccessible without the decryption key. Following the encryption process, Razy creates three specific files and places them on the desktop: css.vbs, index.html, and razy.jpg. The "razy.jpg" file serves as an initial alert to the user, indicating that their files have been encrypted and directing them to open the index.html file for further instructions. However, unlike typical ransomware that provides detailed payment instructions and demands a ransom in cryptocurrency (usually between 0.5 and 1.5 Bitcoin), Razy's approach is somewhat different. The "index.html" file contains four links: two for payment and two leading to Razy's social media pages on Twitter and Facebook. Notably, these links are broken, suggesting that they lead nowhere. This peculiarity has led to the assumption that Razy might still be in development or created for research purposes rather than for financial gain.

PartiZAN32 Ransomware is a type of malware, which restricts access to data by encrypting files and demanding a ransom for their decryption. It was discovered during an analysis of samples uploaded to the VirusTotal website. This ransomware appends a unique extension to the encrypted files and changes the desktop wallpaper to notify the victim of the attack. Once PartiZAN32 infects a computer, it encrypts the files and appends a specific extension to the filenames. The extension used by PartiZAN32 is .qwertzuioplkjhgfyxcvbnmD. For example, a file named 1.jpg would be renamed to 1.jpg.qwertzuioplkjhgfyxcvbnmD. PartiZAN32 uses strong encryption algorithms to lock the files on the infected computer. The exact encryption algorithm used by PartiZAN32 is not specified in the sources, but ransomware from the Xorist family typically employs symmetric encryption methods, making decryption without the key extremely difficult. artiZAN32 creates two types of ransom notes to inform the victim about the encryption and the ransom demand. Text file - a file named HOW TO DECRYPT FILES.txt is created on the desktop and in various folders. Pop-up message - a pop-up window is displayed with the ransom message. The ransom note instructs the victim to contact the attackers via email (pasomnicadecryption@gmail.com) to receive a decryption key. It also warns against attempting to decrypt the files without the provided key, as this could result in permanent data loss. The note mentions that the victim has five attempts to enter the correct decryption key, after which the files and the victim's IP address will be sold on the dark web.

FOG Ransomware is a newly identified strain of malicious software designed to encrypt files on infected devices, rendering them inaccessible until a ransom is paid. This ransomware variant was first detected in early May 2024 and has primarily targeted educational institutions and recreation sectors in the United States. Once Fog ransomware encrypts files, it appends either the .FOG or .FLOCKED extension to the filenames. For example, a file named document.docx would be renamed to document.docx.FOG or document.docx.FLOCKED. FOG Ransomware uses a multi-threaded encryption routine to encrypt files. It gathers system information, such as the number of logical processors, to allocate threads efficiently for encryption. The ransomware employs Windows API calls and references the NT API for system information. It also uses a JSON-based configuration block to control pre- and post-encryption activities, including the use of an embedded public key for encryption. After encrypting the files, Fog ransomware drops a ransom note named readme.txt in the affected directories. This note provides instructions for the victims on how to contact the attackers and negotiate the ransom payment. The note typically includes a link to a Tor dark website where victims can communicate with the attackers and view a list of stolen files.