Ransomware

ZAKI ESCOVINDA Ransomware is a malicious program belonging to the Chaos ransomware family, designed to encrypt files on a victim's computer and demand a ransom for their release. This ransomware appends a distinctive file extension to the affected files, changing their original names to include .escovinda. For instance, a file named photo.jpg would be renamed to photo.jpg.escovinda. Once the encryption process is complete, the ransomware leaves a ransom note, typically named read_it.txt, on the infected machine. This ransom note informs the victim that their files have been encrypted and instructs them to pay 70 USD in Bitcoin (BTC) for the decryption software. Notably, the note mentions an incorrect conversion of 0.1473766 BTC, a sum that has fluctuated significantly in value at the time of writing.

RedRose Ransomware is a notorious ransomware-type virus that infects systems by encrypting files and demanding a ransom for their decryption. Such malicious software operates by rendering critical data like documents, photos, and databases inaccessible. RedRose achieves this by appending a distinct file extension, .RedRose, to encrypted files. For instance, an original file named photo.jpg could be renamed to resemble 1234567890_.RedRose". The extension is usually accompanied by a random string of numbers, further complicating the identification and recovery of the original files. Upon completing the encryption, RedRose generates a ransom note, typically a {random}.txt file, where {random} is a random string of numbers. This ransom note is usually placed in every directory containing encrypted files, notifying the victim about the attack and the necessity to pay a ransom, usually in Bitcoin, to regain access to their data.

Crypto24 Ransomware is a particularly malicious type of software designed to encrypt files on a victim's computer and demand payment for their release. Once it infiltrates a system, it systematically encrypts personal data by appending the .crypto24 extension to filenames. For instance, a file named example.jpg would be transformed into example.jpg.crypto24, rendering it inaccessible. Following encryption, the ransomware generates a ransom note titled Decryption.txt. This file is usually placed in all affected directories and details the attack, informing victims that their data has been encrypted and providing instructions on how to pay the ransom. It warns against renaming or modifying the encrypted files, as doing so might render them permanently irrecoverable.

C*nt Ransomware, a variant of the notorious Dharma family, is a malicious program designed to encrypt files on infected systems and extort ransom from victims. It infiltrates devices through methods such as vulnerable RDP services, phishing emails, and malicious downloads. Once inside the system, it methodically works to encrypt files, changing their extensions to end with .c*nt, along with a unique victim ID and the attackers' email address. For example, a file formerly named 1.jpg could become 1.jpg.id-7GCNA64X.[d**kdriver777@cock.li].c*nt. The ransomware utilizes robust encryption algorithms typically found in Dharma ransomware variants, which can be a combination of symmetric and asymmetric cryptography, making unauthorized decryption virtually impossible without the specific decryption key held by the attackers.

Cipher (Proton) Ransomware is a notorious cyber threat that belongs to the Proton ransomware family, which primarily targets users by encrypting their valuable data and demanding ransom for decryption. Upon infection, this malware appends the .cipher extension to the filenames of encrypted files, marking them distinctly. For example, a file initially named document.jpg would be modified to document.jpg.[watchdogs20@tuta.io].cipher, highlighting the attacker's contact email. Using asymmetric encryption, Cipher (Proton) employs sophisticated cryptographic algorithms that render files unusable without a decryption key that only the attackers possess. Once encryption completes, the ransomware generates ransom notes in multiple forms: a full-screen message before the log-in screen, desktop wallpaper alterations, and text files named #Read-for-recovery.txt. These notes evade detailing the encryption process and solely urge victims to contact the cyber criminals via email for further instructions.

Terminator Ransomware is a type of malicious software designed specifically to encrypt data on the victim’s computer and subsequently demand a ransom for decryption. Upon infecting a system, it renames encrypted files by appending the string .terminator to the file names, along with the attacker's email address. For instance, a file named 1.jpg would be renamed to 1.jpg.decryptboss@gmail.com.terminator. This ransomware utilizes advanced cryptographic algorithms that make manual decryption almost impossible without the correct decryption key, which is only provided by the cybercriminals. After the encryption process is complete, a ransom note titled ----Read-Me-----.txt is dropped into various folders containing the encrypted data. This note contains instructions on how to contact the attackers and the payment requirements for the decryption key.

Bixi Ransomware is a malicious program designed to encrypt files on the victim's system, rendering them inaccessible and demanding a ransom for their decryption. It specifically targets various file types, appending a unique .bixi extension to the original filenames, such as transforming 1.jpg into 1.jpg.bixi and 2.png into 2.png.bixi. The ransomware employs advanced cryptographic algorithms, making it exceptionally challenging to decrypt the files without the actual decryption key, which is held by the attackers. After successful encryption, !_INFO.txt, a ransom note, is automatically generated and placed in numerous directories, including the desktop, to notify the victim of the breach and instruct them on how to pay the ransom, typically in cryptocurrencies like Bitcoin. The note usually warns against using third-party decryption tools or attempting to rename the encrypted files, as these actions could lead to permanent data loss.

Originating in the summer of 2024, Cicada 3301 Ransomware is a formidable cyber threat designed to encrypt data and extort victims for payment. Written in the Rust programming language, it is a Ransomware-as-a-Service (RaaS), meaning it is available for use by other cybercriminals through a subscription model. Once activated on a victim’s system, this ransomware employs the ChaCha20 cryptographic algorithm, known for its swift and robust symmetric encryption, making decryption without the correct key an insurmountable challenge. The ransomware appends affected files with a seven-character random extension, drastically altering their original names and rendering them inaccessible. For example, a file named 1.jpg may appear as 1.jpg.f11a46a1 post-encryption. Upon completion of the encryption process, the malware drops a ransom note named RESTORE-[file_extension]-DATA.txt on the victim's system, detailing the attack and outlining the ransom demand.