Ransomware

ALBASA is a ransomware-type virus designed to encrypt system-stored data and blackmail victims into paying money for its return. During encryption, all files acquire the new .ALBASA extension and reset their original icons to blank. This is also accompanied by the creation of RESTORE_FILES_INFO.txt - a text note containing instructions on how to recover blocked data.

Cantopen is a ransomware infection that was discovered quite recently. It encrypts personal files by adding the .cantopen extension and creating the HELP_DECRYPT_YOUR_FILES.txt text file to blackmail victims into paying the ransom. To illustrate, a file named 1.pdf will be altered to 1.pdf.cantopen and drop its original shortcut icon. Such a change will be applied to all the targeted data making it no longer accessible.

Black is the name of a ransomware infection that was discovered quite recently. It is developed to run data encryption and blackmail victims into paying money for its return. Victims may spot successful decryption simply by looking at their files - the majority of them will be changed using the .black extension and lose the original icons. To give an example, 1.pdf will be altered to 1.pdf.black, 1.png to 1.png.black, and so forth with the rest of the targetted files. Then, as soon as this part of encryption is done, the virus features decryption instructions inside of a text note (read_me.txt).

Cat4er is a ransomware virus that triggers data encryption upon infecting the targetted system. It does so by assigning the .cat4er extension to make encrypted files look like 1.pdf.cat4er, 1.png.cat4er, 1.xlsx.cat4er, and so forth depending on the original name. After running such changes, the virus creates an HTML file called HOW_FIX_FILES.htm and meant to instruct victims through the decryption process. As stated in the HTML note, victims can reaccess all the blocked data by going to the attached TOR link and following instructions on how to purchase special decryption software. Victims are given 10 days to decide on paying the ransom worth 0.08 BTC - around 3300$ at the moment of writing this article. After the payment is made, cybercriminals promise to send the declared tools able to decrypt the files. Unfortunately, ransomware actors are the only figures having the necessary keys to unlock your data. These keys are often strongly secured and almost impossible to crack with the help of third-party tools.

Newexploit is a ransomware virus designed to encrypt PC-stored data and blackmail victims into paying the so-called ransom. Successful encryption is justified after Newexploit changes file extensions to .exploit. For instance, a file like 1.pdf will drop its original icon and change to 1.pdf.exploit. As a result of this, users lose their access to files meaning they are unable to read or edit them anymore. In order to fix it, Newexploit offers its victims to follow instructions written inside of a text note (RECOVERY INFORMATION.txt). This note gets created immediately after successful encryption and contains information on how to recover the data.

Being part of the Phobos family, Elbie is a ransomware infection designed to generate profits for its developers by extorting money from victims. It does so right after encrypting data and appending new file extensions. For instance, a file named 1.pdf will change to something like 1.pdf.id[C279F237-2994].[antich154@privatemail.com].Elbie and also reset its original icon. The pattern used by cybercriminals to rename files is original_filename.[victim's ID].[antich154@privatemail.com].Elbie. After applying all the visual changes, the virus creates two ransom notes called info.hta and info.txt. Both of them contain short and broader instructions on how to return the blocked data.

DeadBolt is a ransomware virus that hacks QNAP and NAS devices using vulnerability issues to encrypt the stored data. It happens immediately not letting users prevent the process and save their files from strong encryption. Once distributed, the virus hijacks the QNAP login screen to feature a ransom note demanding victims to pay for decryption. This blocks infected users from going anywhere beyond the logging screen to access their admin page, for instance. Though, QNAP noted this can be bypassed by using the following URLs - http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. In addition, all ransom note pop-ups are also contained within a single HTML file called index.html_deadlock.txt. DeadBolt also assigns the new .deadbolt extension to all data impacted within a system. To illustrate, a file like 1.pdf will change to 1.pdf.deadbolt becoming fully inaccessible. The same will happen to all files encrypted by DeadBolt Ransomware. You can expand the list of all file extensions targetted by this ransomware variant:

Asistchinadecryption was classified as a ransomware infection. This means it is able to encrypt personal data and demand money for its return. During encryption, all compromised files experience visual changes - the virus appends .asistchinadecryption along with a victim ID to original filenames. For instance, a file like 1.pdf will be altered to 1.pdf.asistchinadecryption.C04-41D-05E and reset its original icon. The same will be applied to all other data only varying with IDs per victim. The file-encryptor also creates a file named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT. This is a ransom note meant to provide victims with steps on how to recover the files.