How to remove AgeLocker Ransomware and decrypt your files (Mac)
While most ransomware developers focus on infecting Windows-based systems, AgeLocker targets Mac and Linux instead. The ransomware positions itself as a business-oriented virus that spreads through corporate environments; however, attacks on regular users happen as well. The encryption process looks much the same as on Windows; the only difference is the use of different extensions and file formats. AgeLocker uses its own command prompt to run the encryption process. Files impacted by AgeLocker are assigned personalized extensions based on users' names. It is impossible to identify which file was infected because AgeLocker ciphers the original name and adds a random extension at the end. Some people reported that their files were given the .sthd2 extension and that the name of encrypted files starts with the age-encryption.org URL. Once all files are locked, the virus sends a ransom note (security_audit_.eml) to the victim's e-mail.
How to remove AESMewLocker Ransomware and decrypt .locked files
AESMewLocker Ransomware is a real menace that targets your data by encrypting it with AES algorithms, which is nothing unusual in the ransomware world. The virus popped up on multiple forums a couple of days ago and raised a big question among its victims - how to decrypt files? For now, there are no viable ways to unlock files that have been encrypted and given the .locked extension after infection. All of your files become inaccessible and can be unlocked only if you meet the swindlers' requirements and pay for the decryption key. The key itself is not cheap: you have to spend 0.05 BTC and contact the extortionists to get decryption instructions. All of this information is stated in a ransom note (READ_IT.txt) created after successful encryption.
How to remove IOCP Ransomware and decrypt your files
IOCP is a ransomware infection that encrypts personal data and keeps it locked until victims pay a so-called ransom. It appends a random 5-letter extension to each file. Once the extension is added, the file's icon resets and its name changes to, for example, 1.mp4.UAKXC. Some people mistakenly say that IOCP is part of Conti Ransomware. This is not true, because Conti uses AES algorithms whilst IOCP applies Salsa20 and ChaCha20 instead. After your files get blocked, the virus creates a ransom note (R3ADM3.txt) containing instructions on how to decrypt your data. It says that you should write an e-mail to one of the attached addresses. No time limits are set; however, the cybercriminals say that unless you pay for the decryption software, your files will be published around the web. For the moment, because this ransomware is relatively new, experts have not found a viable way to decrypt files for free.
How to remove Zorab Ransomware and decrypt .zrb or .zorab2 files
Zorab is a file-encrypting virus identified by S!R1, a malware researcher who has discovered a number of other infections. The consequences of a Zorab infection are data encryption and payment demands in exchange for decryption tools. All files impacted by the ransomware are given either the .zrb or the .zorab2 extension. For example, a virus-free file like 1.mp4 will become 1.mp4.zrb or 1.mp4.zorab2 after infection. Such a change means that your files are no longer accessible. To decrypt them, the extortionists tell victims to read the instructions given in a text note (--DECRYPT--ZORAB.txt) that is dropped after the main encryption is done. In the ransom note, the cybercriminals try to console confused victims and let them know that their data is safe and can be recovered. The only thing they have to do is buy decryption software in BTC after establishing contact with the cybercriminals via e-mail. There is also a trick designed to instill trust in users - decryption of 2 small files for free. Unfortunately, since you are dealing with fraudsters, there is no real guarantee that your files will be brought back as a result. This is why most cyber experts recommend that people save their money and create external backups preemptively, so that blocked files can be restored after the malware is deleted.
How to remove CoronaLock Ransomware and decrypt .pandemic, .corona-lock or .biglock files
Discovered in 2020, CoronaLock restricts access to users' data by encrypting it with ChaCha, AES and RSA algorithms. Files compromised by this ransomware have their extension changed to either .pandemic, .corona-lock or .biglock. For example, if 1.mp4 gets modified by the virus, it becomes 1.mp4.corona-lock or 1.mp4.biglock. After this, the extortionists display ransom information in a note (!!!READ_ME!!!.TXT or README_LOCK.TXT) that is dropped on the desktop. Interestingly enough, people who get attacked by the ".biglock" version do not have any contact information in the ransom note to connect with the cybercriminals. It seems its developers forgot to include it before the release. Meanwhile, ".corona-lock" versions do not have that drawback and contain an e-mail address in the text file. If you want a test decryption, you are free to send them one file.
How to remove Django Ransomware and decrypt .djang0unchain3d files
Categorized as a ransomware infection, Django is not a virus to be trifled with. As soon as it lands on your PC, it wreaks havoc on personal data by encrypting it with special algorithms that leave third-party tools no way to reverse it. During data encryption, your files are given the .djang0unchain3d extension. This means that a file like 1.mp4 will be changed to 1.mp4.djang0unchain3d and will lose its original icon. It seems the developers were inspired by the Hollywood movie "Django Unchained" and decided to borrow its name. Once the encryption is complete, victims are presented with ransom instructions in Readme.txt that explain how to decrypt their data. The cybercriminals say that in order to retrieve your files, you should contact them via the attached e-mail address and include your ID. If you do not get an answer within 24 hours, you should write to another e-mail address mentioned in the note. After this, the extortionists will ask you to purchase the decryption key via a BTC wallet, which will supposedly help you restore access to the blocked data.
How to remove Dharma-2020 Ransomware and decrypt .2020 files
Discovered recently, Dharma-2020 is a ransomware program that uses strong cryptographic algorithms to block data and demand a ransom. After the virus attacks your computer, it immediately encrypts the stored files and renames them with a criminal's e-mail address and other symbols. For example, 1.mp4 will be renamed to something like 1.mp4.id-{random-8-digit-alphanumerical-sequence}.[btckeys@aol.com].2020. After successful encryption, the program shows a message window and creates a ransom note called FILES ENCRYPTED.txt. The malware blocks any attempts to decrypt your files and to use certain security programs. Then, Dharma-2020 Ransomware follows the classic pattern of asking users to pay a ransom in BTC (from $50 to $500) and send proof of payment to the criminals' e-mail address, after which they will give you a decryption program.
How to remove BlackClaw Ransomware and decrypt .apocalypse or .bclaw files
BlackClaw is a recent ransomware infection that uses AES and RSA algorithms to encrypt users' data. Some experts likened it to another file-encrypting virus called "Billy's Apocalypse" because of similar ransom note details; however, as research continued, it turned out that there is no connection between the two. BlackClaw is an independent piece of malware that assigns the .apocalypse extension to encrypted files. For example, a file like 1.mp4 will be changed to 1.mp4.apocalypse. After these changes have been applied, users no longer have access to their data. The next step of BlackClaw after blocking data is dropping a file (RECOVER YOUR FILES.hta or RECOVER YOUR FILES.txt) that notifies people about the encryption. To decrypt files, users have to send $50 to the bitcoin address mentioned in the note and contact the extortionists via the Telegram channel. Thereafter, victims will supposedly get a decryption tool to restore the locked files. Although $50 is not a large amount by ransomware standards, there is still a risk of being fooled and ignored by the cybercriminals after making a payment.