Viruses

Newexploit is a ransomware virus designed to encrypt PC-stored data and blackmail victims into paying the so-called ransom. Successful encryption is justified after Newexploit changes file extensions to .exploit. For instance, a file like 1.pdf will drop its original icon and change to 1.pdf.exploit. As a result of this, users lose their access to files meaning they are unable to read or edit them anymore. In order to fix it, Newexploit offers its victims to follow instructions written inside of a text note (RECOVERY INFORMATION.txt). This note gets created immediately after successful encryption and contains information on how to recover the data.

Being part of the Phobos family, Elbie is a ransomware infection designed to generate profits for its developers by extorting money from victims. It does so right after encrypting data and appending new file extensions. For instance, a file named 1.pdf will change to something like 1.pdf.id[C279F237-2994].[antich154@privatemail.com].Elbie and also reset its original icon. The pattern used by cybercriminals to rename files is original_filename.[victim's ID].[antich154@privatemail.com].Elbie. After applying all the visual changes, the virus creates two ransom notes called info.hta and info.txt. Both of them contain short and broader instructions on how to return the blocked data.

DeadBolt is a ransomware virus that hacks QNAP and NAS devices using vulnerability issues to encrypt the stored data. It happens immediately not letting users prevent the process and save their files from strong encryption. Once distributed, the virus hijacks the QNAP login screen to feature a ransom note demanding victims to pay for decryption. This blocks infected users from going anywhere beyond the logging screen to access their admin page, for instance. Though, QNAP noted this can be bypassed by using the following URLs - http://nas_ip:8080/cgi-bin/index.cgi or https://nas_ip/cgi-bin/index.cgi. In addition, all ransom note pop-ups are also contained within a single HTML file called index.html_deadlock.txt. DeadBolt also assigns the new .deadbolt extension to all data impacted within a system. To illustrate, a file like 1.pdf will change to 1.pdf.deadbolt becoming fully inaccessible. The same will happen to all files encrypted by DeadBolt Ransomware. You can expand the list of all file extensions targetted by this ransomware variant:

Asistchinadecryption was classified as a ransomware infection. This means it is able to encrypt personal data and demand money for its return. During encryption, all compromised files experience visual changes - the virus appends .asistchinadecryption along with a victim ID to original filenames. For instance, a file like 1.pdf will be altered to 1.pdf.asistchinadecryption.C04-41D-05E and reset its original icon. The same will be applied to all other data only varying with IDs per victim. The file-encryptor also creates a file named !!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT. This is a ransom note meant to provide victims with steps on how to recover the files.

White Rabbit is classified as a ransomware program that runs encryption of data to demand money for its return. It was detected by Michael Gillespie - a popular malware researcher specializing in ransomware infections. While encrypting all the important data stored on a system, the virus appends a .scrypt extension to the end of each file. For instance, a sample named 1.pdf will change to 1.pdf.scrypt and reset its original icon. In addition, all blocked files will get their ransom note files with unique encryption keys. 1.pdf.scrypt will get 1.pdf.scrypt.txt, 1.xlsx.scrypt - 1.xlsx.scrypt.txt, and so forth.

WaspLocker is quite a devastating virus infection that encrypts personal data with strong cryptographic algorithms. This is to make sure users will be unable to return their data without the help of cybercriminals. Unfortunately, cybercriminals demand their victims to pay 0.5 BTC which is unbearably high. Users attacked by WaspLocker receive this information inside of a text note called How to restore your files.txt and a separate pop-up window with instructions on how to recover blocked files. In addition, WaspLocker developers highlight data encryption by appending new extensions (.locked or .0.locked) and resetting icons of files. For instance, a file like 1.pdf will alter to 1.pdf.locked or 1.pdf.0.locked depending on what WaspLocker version infected your system.

KMA47 was developed for the sole purpose - to encrypt personal data and demand money for its return. Such a virus falls into the category of high-risk ransomware infections. The process of data encryption starts with the addition of new .encrypt extension at the end of blocked files and finishes with the creation of read_me.txt - a ransom note explaining instructions on how to recover the files. For instance, a file like 1.pdf will change to 1.pdf.encrypt and reset its icon. KMA47 also changes victims' wallpapers. The note says got hacked by the virus resulting in full data encryption. In order to fix it, victims are guided to contact cyber criminals using e-mail communication (manager@mailtemp.ch or helprestoremanager@airmail.cc) and pay a ransom of 100$ eventually. After sending the money, ransomware developers should send your private key and special decryption software to unlock the data. Although cybercriminals might be the only figures able to fully decrypt your data, paying the ransom does not always guarantee you will get it eventually. Unfortunately, manual decryption is also less likely due to strong algorithms and online storage of keys. You can give it a try using third-party decryptors unless you have backup copies available. If you have spare files stored on the safe cloud or physical storage, copy them back and avoid paying the ransom.

Eeyee is a dangerous virus that executes data encryption using cryptographic ciphers to restrict victims from accessing it. Such type of infection is classified as ransomware and aims to pull its victims into sending money for the decryption. In order to show that files stored on a PC have been encrypted, the virus assigns its own .eeyee extension with strings of random symbols generated uniquely for each encrypted sample. For instance, a file like 1.pdf will face a change to 1.pdf._9kS79wzVPITFK7aqOYOceNkL7HXF2abMSeeTutfPGP_I8Rqxs2yWeo0.eeyee or similarly with other symbols. Encrypted files will be blocked from any access and also reset their icons to blank. Almost immediately after encryption, Eeyee creates the 6pZZ_HOW_TO_DECRYPT.txt text note with ransom instructions. The note is meant to inform victims about the changes and guide them through the recovery process. Cybercriminals say it is mandatory to purchase special decryption software to return the files and prevent leaks of the compromised data. Victims are instructed to contact the swindlers using the onion link in Tor Browser. After completing these steps, victims will get in touch with the developers and learn further details on buying the tools. The note also contains some messages advising to not modify data or ask for help from third parties (FBI, Police, Recovery companies, etc.).