How to remove 007 Ransomware and decrypt 0.007 files
007 Ransomware represents a recent strain in the expanding family of crypto-malware, targeting Windows systems by encrypting user data and demanding a ransom for file recovery. Unlike generic ransomware variants, it explicitly appends the 0.007 extension to the end of every encrypted file, transforming, for example, document.docx into document.docx.0.007 and thereby rendering these files inaccessible without a decryption key. For its encryption mechanism, 007 Ransomware leverages robust cryptographic algorithms, most likely AES, RSA, or a combination of both, giving attackers exclusive control over the recovery keys stored remotely on their own servers. Once the encryption process is complete, the malware forcibly replaces the victim’s desktop wallpaper and drops a ransom note named READ-007.txt onto the desktop, as well as into every affected folder. This note is written in a straightforward but intimidating manner, informing victims of the $250 demand payable in Bitcoin or Ethereum, complete with cryptocurrency wallet addresses and an email for further instructions (zerolove666@protonmail.com).
How to remove Blackransombdbot Ransomware and decrypt .blackransombdbot files
Blackransombdbot Ransomware is a recent addition to the family of file-encrypting malware, primarily targeting Windows systems. Upon infiltrating a victim's computer, it begins encrypting user documents, images, and other valuable data using cryptographic routines derived from the Chaos ransomware family, which commonly employs a mix of symmetric and asymmetric encryption, although exact specifics for this variant are unclear due to limited reverse engineering. Infected files are easily identified by the appended .blackransombdbot extension, transforming ordinary filenames such as project.docx into project.docx.blackransombdbot, rendering them inaccessible without a decryption key. The ransomware then generates a ransom note named read_it.txt, typically placed in directories containing encrypted files and often on the desktop for maximum visibility. This note informs victims that all important data has been encrypted and demands a payment of 10 USDT (Tether cryptocurrency) to a provided wallet address, promising decryption tools upon payment and even offering to decrypt several files for free as "proof." Communication with the attackers is typically set up through Telegram, with instructions on how to get in touch for payment confirmation or decryption negotiation.
How to remove THRSX Ransomware and decrypt .THRSX files
THRSX Ransomware represents a highly sophisticated form of file-locking malware that targets Windows systems by encrypting user data and demanding a monetary ransom in exchange for a decryption key. Its hallmark is the addition of the .THRSX extension to affected files, transforming originals such as photo.jpg into photo.jpg.THRSX to clearly signify compromised content. Utilizing robust cryptographic algorithms, specifically AES-256-CTR for symmetric file encryption combined with RSA-4096 for key protection, it ensures that unauthorized file recovery remains practically impossible. Once active, the malware generates a prominent ransom note named RECOVER_INSTRUCTIONS.html, strategically placing it in directories containing encrypted files and on the victim’s desktop. The message within the note claims that not only are files encrypted, but also that sensitive data, including credentials and documents, has been exfiltrated, thus threatening further exposure if demands are not met. Extortion instructions require payment of 0.5 Monero (XMR) cryptocurrency and further communication via the attackers’ Telegram handle, with stern warnings about data destruction or leakage in cases of non-compliance. Users also observe changes to their desktop wallpaper, alerting them to the ransomware’s successful encryption and directing them to read the ransom note for recovery steps.
How to remove UraLocker Ransomware and decrypt .rdplocked files
UraLocker Ransomware is a newly identified crypto-malware strain designed to deny victims access to their personal files until a ransom is paid. Upon infection, it encrypts a broad range of file formats on the compromised device using strong 2048-bit RSA public-key encryption, effectively making the files inaccessible without a corresponding private decryption key held by the attackers. After successful encryption, the ransomware appends the extension .rdplocked to every affected file, transforming, for example, picture.jpg into picture.jpg.rdplocked, and does this for all targeted file types across the drive. In addition to locking critical data, it drops a ransom note named Decrypt.html into numerous folders where files were encrypted, and also changes the desktop wallpaper with a message warning users about the attack. This ransom note instructs victims to pay a specific Bitcoin amount and to contact the criminals via a qTox ID for decryption instructions. The attackers threaten permanent data loss if contact is not initiated, further pressuring victims to comply.
How to remove Basta Ransomware and decrypt .basta files
Basta Ransomware is an advanced strain of crypto-malware that belongs to the notorious Makop ransomware family and is designed to encrypt files on a victim’s Windows device while demanding a ransom for decryption. Upon successful infiltration, it systematically targets user data, including documents, photos, videos, and databases, and applies powerful cryptographic algorithms to render the files inaccessible. During this process, Basta appends a complex file extension to every locked file, for example, changing picture.jpg to picture.jpg.[victimID].[basta2025@onionmail.com].basta, which includes a unique victim identifier, a contact email, and the .basta extension. After encryption, Basta leaves its distinctive ransom note, named README-WARNING+.txt, in every folder that contains encrypted files. The ransom note informs victims that their data has been both encrypted and stolen, threatening to leak or destroy the data if demands are not met and strictly instructing the victim to contact the attackers (typically through an email address on the note). It explicitly warns users against using third-party decryption services, threatening permanent data loss or further extortion if attempts are made.
How to remove Dire Wolf Ransomware and decrypt .direwolf files
Dire Wolf Ransomware is a sophisticated strain of crypto-malware that targets Windows systems, functioning primarily as a file-locking ransomware. Upon successful infiltration, it systematically encrypts a vast array of commonly used file types (documents, images, archives, and more), effectively rendering them inaccessible to their owners. To mark its handiwork and make identification obvious, .direwolf is appended as a new extension to each affected file, transforming names such as report.docx into report.docx.direwolf. This variant typically relies on advanced cryptographic algorithms, most likely AES or RSA, which ensures that breaking the encryption without access to the unique decryption key possessed by the attackers is virtually impossible. Following encryption, it generates an ominous ransom note named HowToRecoveryFiles.txt and places it strategically in every folder containing locked files, as well as on the desktop, to maximize the likelihood that victims will see it immediately. The note threatens public disclosure of stolen data and urges the victim to contact the attackers within a limited confidentiality window for possible recovery. It typically contains unique credentials, links to a live chat, and instructions for reaching an official site hosted on Tor, suggesting a well-organized criminal operation behind the attack. Victims often experience symptoms like being unable to open files, noticing the new extension, and seeing the desktop or folders populated with ransom messages.
How to remove Midnight Ransomware and decrypt .Midnight files
Midnight Ransomware is a dangerous file-encrypting malware strain identified as part of the Babuk ransomware family, discovered during active research on malicious file submissions to VirusTotal. It is designed to illegally extort victims by encrypting all accessible files on an infected system, rendering user data unusable and then demanding a hefty ransom for restoration. Once activated, Midnight Ransomware systematically renames every targeted file by appending the .Midnight extension, so, for example, a file named invoice.pdf would become invoice.pdf.Midnight. This aggressive malware utilizes robust cryptographic algorithms, typically leveraging a combination of symmetric and asymmetric encryption, which makes decryption nearly impossible without a private key stored on the attackers’ remote servers. When the encryption process concludes, the victim will find a ransom note named How To Restore Your Files.txt dropped into affected folders. This note informs users that their files are locked and threatens permanent data loss or public data leaks unless instructions are followed and payment is made within a few days, with late payment resulting in a higher ransom.
How to remove Datarip Ransomware and decrypt .datarip files
Datarip Ransomware is a recent and highly disruptive strain of file-encrypting malware that targets Windows systems, originating from the notorious MedusaLocker family. Once executed on a victim’s device, it systematically scans for documents, images, videos, databases, and many other file types, encrypting them using robust RSA and AES cryptographic algorithms. Following successful encryption, the ransomware appends a unique .datarip extension to every affected file, making them instantly unrecognizable and inaccessible without the decryption key. For instance, a file previously named holiday.jpg becomes holiday.jpg.datarip, clearly signaling to users that their data is being held hostage. To further its intimidation, the malware alters the desktop wallpaper and drops a ransom note, RETURN_DATA.html, directly onto the desktop and within folders containing encrypted content, ensuring the victim’s awareness is immediate and persistent. This HTML ransom note sternly warns against using third-party recovery tools, renaming encrypted files, or modifying them, as these actions may result in irreversible data corruption. Compounding the pressure, the criminals claim to have exfiltrated sensitive data and threaten to leak or sell this information unless contact is made and payment arranged within a strict time frame. Contact details, typically anonymous email accounts, are provided for negotiations, where victims are encouraged to send samples for "free decryption" as proof of capability. Datarip’s communication tactics underscore the dual risk of permanent data loss and potential privacy breaches.