Viruses

WaspLocker is quite a devastating virus infection that encrypts personal data with strong cryptographic algorithms. This is to make sure users will be unable to return their data without the help of cybercriminals. Unfortunately, cybercriminals demand their victims to pay 0.5 BTC which is unbearably high. Users attacked by WaspLocker receive this information inside of a text note called How to restore your files.txt and a separate pop-up window with instructions on how to recover blocked files. In addition, WaspLocker developers highlight data encryption by appending new extensions (.locked or .0.locked) and resetting icons of files. For instance, a file like 1.pdf will alter to 1.pdf.locked or 1.pdf.0.locked depending on what WaspLocker version infected your system.

KMA47 was developed for the sole purpose - to encrypt personal data and demand money for its return. Such a virus falls into the category of high-risk ransomware infections. The process of data encryption starts with the addition of new .encrypt extension at the end of blocked files and finishes with the creation of read_me.txt - a ransom note explaining instructions on how to recover the files. For instance, a file like 1.pdf will change to 1.pdf.encrypt and reset its icon. KMA47 also changes victims' wallpapers. The note says got hacked by the virus resulting in full data encryption. In order to fix it, victims are guided to contact cyber criminals using e-mail communication (manager@mailtemp.ch or helprestoremanager@airmail.cc) and pay a ransom of 100$ eventually. After sending the money, ransomware developers should send your private key and special decryption software to unlock the data. Although cybercriminals might be the only figures able to fully decrypt your data, paying the ransom does not always guarantee you will get it eventually. Unfortunately, manual decryption is also less likely due to strong algorithms and online storage of keys. You can give it a try using third-party decryptors unless you have backup copies available. If you have spare files stored on the safe cloud or physical storage, copy them back and avoid paying the ransom.

Eeyee is a dangerous virus that executes data encryption using cryptographic ciphers to restrict victims from accessing it. Such type of infection is classified as ransomware and aims to pull its victims into sending money for the decryption. In order to show that files stored on a PC have been encrypted, the virus assigns its own .eeyee extension with strings of random symbols generated uniquely for each encrypted sample. For instance, a file like 1.pdf will face a change to 1.pdf._9kS79wzVPITFK7aqOYOceNkL7HXF2abMSeeTutfPGP_I8Rqxs2yWeo0.eeyee or similarly with other symbols. Encrypted files will be blocked from any access and also reset their icons to blank. Almost immediately after encryption, Eeyee creates the 6pZZ_HOW_TO_DECRYPT.txt text note with ransom instructions. The note is meant to inform victims about the changes and guide them through the recovery process. Cybercriminals say it is mandatory to purchase special decryption software to return the files and prevent leaks of the compromised data. Victims are instructed to contact the swindlers using the onion link in Tor Browser. After completing these steps, victims will get in touch with the developers and learn further details on buying the tools. The note also contains some messages advising to not modify data or ask for help from third parties (FBI, Police, Recovery companies, etc.).

Youneedtopay is a type of virus categorized as ransomware. It functions by encrypting personal files and demanding money for their return. During this process, ransomware assigns the .youneedtopay extension to all blocked data. For instance, a file like 1.pdf will be changed to 1.pdf.youneedtopay and reset its original icon. After appending these changes, the virus creates a text note called READ_THIS.txt which is meant to explain decryption instructions. Desktop wallpapers get altered as well. Take a closer look at what is the content there.

Admin Locker is the name of a ransomware virus that started its spread in December 2021. It uses a combination of AES+RSA algorithms to write secure cryptographic ciphers over the stored data. This affects files' access and their visual appearance. Admin Locker appends one of the following extensions to all blocked data - .admin1, .admin2, .admin3, .1admin, .2admin, or .3admin. It does not matter which one of them was applied to you. Their only function is to show files have been encrypted and make victims see it. For instance, a file like 1.pdf will change to 1.pdf.1admin (or other extension) and become no longer accessible. After encryption is done, Admin Locker explains how to recover the data in its text note (!!!Recovery File.txt) and on its web page that can be accessed via the TOR link.

Noway is a ransomware infection that encrypts all important data using AES-256 algorithms. It also renames the blocked data with randomly-generated symbols and .noway extension. To illustrate, a file like 1.pdf will change to 611hbRZBWdCCTALKlx.noway and lose its original icon upon successful encryption. As a rule, the majority of ransomware-encrypted files cannot be decrypted without the help of cybercriminals. Despite this, Noway Ransomware is one of few that can be officially decrypted using the Emisoft tool for free. You can download it further in our guide below. We encourage you to not rush with the decryption process as you must delete the virus first (also guided in this tutorial). In addition to running encryption over personal data, Noway issues a text note called Unlock your file Instraction.txt. The note shows how to recover your data with the help of ransomware developers. The crooks give 72 hours for deciding to pay the ransom. Should victims exceed this given deadline of payment, swindlers claim your data will become inaccessible forever. This is not true as Emisoft developers managed to crack open the ciphers and help victims decrypt files of Noway for free.

RL Wana-XD is a ransomware infection that encrypts important data stored on a PC. To highlight it, the virus ads its own .XD-99 extension to all the affected filenames. For instance, a file like 1.pdf will change to 1.pdf.XD-99 and reset its original icon. As a result, victims will be no longer able to access the file and browse its content. To revert these implications, developers of RL Wana-XD offer their victims to read special decryption instructions inside of a text note (Readme.txt). The text note is short, yet specific - developers claim the only way to return your data is to pay for unique decryption software and key. In order to do this, victims are guided to contact the swindlers through Wana-XD@bk.ru or RL000@protonmail.ch e-mail addresses. Unfortunately, keys used by RL Wana-XD Ransomware to encipher your data are often secure and stored in the ONLINE mode. This means manual decryption with the help of third-party tools is likely to give no fruit or manage to decode only some part of the data. Unless you have your personal ID ending with t1, third-party decryption will be less likely to help. At the same time, paying cybercriminals is always associated with risk as they can fool their victims and not send any promised decryption.

Razer is the name of a ransomware infection that runs encryption of data requesting victims to pay money for its return. Users infected with this virus will see their file names changed with a random string of characters, cybercriminals' e-mail address (razer1115@goat.si), and .razer extension at the end. For instance, a file named 1.pdf that went through these changes will look something like this 1.pdf.[42990E91].[razer1115@goat.si].razer and reset its icon to blank. In order to decrypt the data, virus developers offer to follow their instructions provided within the readme-warning.txt text note. It is said victims should contact the frauds using one of the e-mails (razer1115@goat.si, pecunia0318@tutanota.com, or pecunia0318@goat.si) and pay the ransom in bitcoins. To convince victims that they can be trusted, cybercriminals offer the so-called guarantee option where victims are allowed to send 2 files with simple extensions (max 1MB) and receive them decrypted for free. Many ransomware creators use this trick to prompt victims into paying the ransom and staying in contact with them. We highly recommend you avoid meeting the requests of the developers and recover your data using a backup, instead.