Viruses

Diamond Ransomware is a malicious infection designed to encrypt system-stored data and blackmail victims into paying the ransom for its return. While running encryption, the virus renames all targeted files with the .diamond extension. This is simply a visual change meant to highlight the fact that users' system has been infected. Following this, ransomware developers create HOW TO RECOVER ENCRYPTED FILES.TXT - a text file containing decryption instructions.

Wizard is a ransomware virus that encrypts data with the help of AES-256 algorithms to blackmail users into paying the ransom. While restricting access to data, all affected files get renamed with the .wizard extension. For instance, a file previously titled 1.pdf will change to 1.pdf.wizard and reset its original icon. Following this, it was observed that the virus creates a text called decrypt_instructions.txt onto the desktop. This note contains information about what victims should do in order to return their encrypted files.

DataBankasi is the name of a ransomware program designed to extort money from victims off of data encryption. After the encryption occurs, all affected files get changed with the .databankasi extension becoming no longer accessible. To illustrate it with an example - a file previously named 1.pdf will change to 1.pdf.databankasi and lose its original icon as well. Following successful blockage of data, the virus creates a text file containing decryption guidelines (---BILGILENDIRME----NOTU---.txt). The text of decryption instructions is presented in the Turkish language.

TeamDarkAnon is a ransomware infection that encrypts system-stored data and extorts money from victims for its decryption. After successfully penetrating the system, TeamDarkAnon renames all encrypted files with the .anon extension. For instance, a previously working file called 1.pdf will change to 1.pdf.anon and reset its original icon. After the encryption of data is complete, the virus changes desktop wallpapers and creates a text file named HOW TO RECOVER ENCRYPTED FILES.TXT to illustrate decryption guidelines.

Cyber_Puffin is almost identical to another ransomware infection called Exploit6. Thus, it is very likely these two infections are promoted by the same group of developers. Likewise, Cyber_Puffin encrypts personal files and blackmails victims into paying money for their return. While restricting access to data, the virus assigns the custom .Cyber_Puffin extension to all affected files. For instance, a file previously named 1.pdf will experience a change to 1.pdf.Cyber_Puffin and become no longer accessible. Alike to Exploit6 Ransomware, the Cyber_Puffin variant creates a text file that displays decryption guidelines after successfully completing encryption. In addition, desktop wallpapers get replaced as well.

Exploit6 is a ransomware infection that encrypts personal files and blackmails victims into paying money for their return. During the encryption process, the file-encryptor changes the file appearance by adding the custom .exploit6 extension. To illustrate, a file previously titled 1.pdf will turn into 1.pdf.exploit6 and become no longer accessible. Alike in other malware of this kind, developers create a text file (READMI.txt) to explain decryption instructions. As said in this note, victims have to establish contact with cybercriminals by sending a message to their Telegram account (@root_exploit6). Although there is no further information about decryption inside the note, developers will more likely give it after reaching out to them. As a rule, collaborating with swindlers and paying money to them is not recommended - this is because there is a chance they will fool you and not give any decryption tool/codes even after completing the payment.

Polis is a recent ransomware infection. Alike other malware within this category, it renders files inaccessible and demands victims to pay a monetary ransom. During encryption, the virus assigns its own .polis extension to highlight the blocked data. For instance, an innocent file previously named 1.pdf will change its name to 1.pdf.polis and reset the original icon as well. Following this, Polis Ransomware creates a text note (Restore.txt) to instruct what victims should do. It is said victims have 2 days to establish contact with cybercriminals (via e-mail) and pay money to them for decryption. Otherwise, if the deadline will not be met, extortionists promise to publish the uploaded copies of locked data on special public domains. By posing such threats, cybercriminals try to make victims act immediately and follow what the guidelines say.

Moisha is a ransomware virus developed and promoted by the PT_MOISHA Hacking Team. This group of developers targets files of business-related users. After infiltrating the system and running strong encryption of data, the cybercriminals demand $10,000 in ransom for file decryption and a guarantee to not publish the collected information. All of this information is presented in more detail within the !!!READ TO RECOVER YOUR DATA!!! PT_MOISHA.html text note created after successful encryption. Unlike other ransomware infections, Moisha does not add any custom extensions to the affected files.