Fight Ransomware

 

Different Types of Ransomware

 

Each entry below gives the ransomware name, its ransom message, its file extensions, its primary infection vectors and the decryptable versions*.

Akira
Ransom message: A file named "akira_readme.txt" asks victims to contact the hacker to pay the ransom.
File extensions: ".akira"
Primary infection vectors:
  • infected email attachments (macros)
  • torrent websites
  • malicious ads
  • pirated software
Decryptable versions*: Akira
[Decryption Tool Link]

AstraLocker
Ransom message: A file named "How To Restore Your Files.txt" asks victims to contact the hacker to pay the ransom.
File extensions: ".Astra" and ".babyk"
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: AstraLocker
[Decryption Tool Link]

BianLian
Ransom message: A file named "Look at this instruction.txt" asks victims to contact the hacker to pay the ransom.
File extensions: ".bianlian"
Primary infection vectors:
  • legitimate programs containing malware
  • exploited ProxyShell vulnerabilities
  • exploited vulnerabilities in SonicWall VPN devices
  • brute-forced Windows Remote Desktop Services (RDP)
Decryptable versions*: BianLian
[Decryption Tool Link]

BlackByte
Ransom message: A file named "BlackByte_restoremyfiles.hta" asks victims to contact the hacker to pay the ransom.
File extensions: ".blackbyte"
Primary infection vectors:
  • exploited zero-day vulnerabilities
Decryptable versions*: BlackByte
[Decryption Tool Link]

Cactus
Ransom message: A file named "cAcTuS.readme.txt" asks victims to contact the hacker to pay the ransom.
File extensions: ".cts" followed by a digit, for example ".cts1"
Primary infection vectors:
  • exploited vulnerabilities in Fortinet VPN devices
  • exploited vulnerabilities in Qlik Sense
Decryptable versions*: No decryption tool for Cactus

Cerber/Magniber
Ransom message: A message asks victims to buy "Cerber/My Decryptor" for decryption via the Tor browser.
File extensions: In Cerber V1-V3 the extension is ".cerber"; other versions use random characters (e.g. ".kgpvwnr"). In Magniber the common extensions are ".ypkwwmd", ".ndpyhss", ".wmfxdqz", ".axlgsbrms", ".nhsajfee", ".mqpdbn", ".damdzv", ".qmdjtc", ".mftzmxqo", ".demffue", ".dxjay", ".fbuvkngy", ".xhspythxn", ".dlenggrl", ".skvtb", ".vbdrj", ".fprgbk", ".ihsdj", ".mlwzuufcg" or ".kgpvwnr".
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • legitimate programs containing malware
  • exploited vulnerabilities in Apache Struts2
  • exploited vulnerabilities via the Magnitude exploit kit
Decryptable versions*: Cerber V1
[Decryption Tool Link]
Magniber: some extensions are supported by the decryption tool.
[Decryption Tool Link 1]
[Decryption Tool Link 2]
[Decryption Tool Link 3]

CrySIS/Dharma/Phobos
Ransom message: A file named "FILES ENCRYPTED.txt", or ransom notes with .HTA and .TXT extensions in the encrypted folders, shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: The common extensions are ".java", ".arena", ".bip" and ".phobos".
Primary infection vectors:
  • brute-forced Windows Remote Desktop Services (RDP)
  • exploited software vulnerabilities
Decryptable versions*: Some extensions are supported by the decryption tool.
[Decryption Tool Link 1]
[Decryption Tool Link 2]

DarkSide/BlackMatter
Ransom message: In DarkSide, ransom notes named "README.[victim's_ID].TXT" ask victims to pay the ransom for decryption on a designated webpage via the Tor browser. In BlackMatter, the ransom message is posted on a black-screen wallpaper, and ransom notes named "[random_string].README.txt" ask victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: In DarkSide the extension is the victim's ID; in BlackMatter the extension is random.
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: DarkSide
[Decryption Tool Link]
No decryption tool for BlackMatter

Djvu
Ransom message: Files named "_openme.txt", "_open_.txt" or "_readme.txt" show the hacker's contact information and ask victims to contact the hacker to pay the ransom.
File extensions: The common extensions are ".djvu", "djvu*", ".djvuu", ".udjvu", ".djvuq", ".uudjvu", ".djvus", ".djuvt", ".djvur" and ".DJVUT".
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • unofficial activation and updating tools
Decryptable versions*: Some extensions are supported by the decryption tool.
[Decryption Tool Link]

eCh0raix
Ransom message: Ransom notes named "README_FOR_DECRYPT.txtt" or "README_FOR_DECRYPT.txt" ask victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: The common extensions are ".encrypt" and ".encrypted".
Primary infection vectors:
  • exploited vulnerabilities in QNAP NAS devices
Decryptable versions*: No decryption tool for eCh0raix

ESXiArgs
Ransom message: Ransom notes named "ransom.html" or "How to Restore Your Files.html" ask victims to contact the hacker to pay the ransom.
File extensions: ".args"
Primary infection vectors:
  • exploited vulnerabilities in VMware ESXi
Decryptable versions*: ESXiArgs-Recover
[Recover Tool Link]

GandCrab
Ransom message: A message asks victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: In V1 the extension is ".GDCB"; in V2 and V3 it is ".GRAB"; in V4 it is ".KRAB"; in V5 it is random.
Primary infection vectors:
  • malicious email attachments or links
  • legitimate programs containing malware
  • brute-forced Windows Remote Desktop Services (RDP)
  • brute-forced Tomcat Manager
Decryptable versions*: GandCrab V1, V4 and V5 up to V5.2
[Decryption Tool Link]

GlobeImposter
Ransom message: A file named "HOW_TO_BACK_FILES.txt" or "how_to_back_files.html" in the encrypted folder shows the victim's personal ID serial number and the hacker's contact information. The message asks victims to send the ID serial number to the hacker's email address, then pay the ransom according to the hacker's instructions.
File extensions: In version 1.0 the common extension is ".CHAK". In version 2.0 the common extensions are ".TRUE" and ".doc". In version 3.0 the common extensions are a Chinese zodiac animal name followed by "4444" and a Twelve Olympians name followed by "666". In version 4.0 the common extension is ".auchentoshan". In version 5.1 the common extension is ".IQ0005".
Primary infection vectors:
  • malicious email attachments
  • penetration scanning
  • brute-forced Windows Remote Desktop Services (RDP)
Decryptable versions*: GlobeImposter 1.0
[Decryption Tool Link]

Hades
Ransom message: A file named "README_RECOVER_FILES_[victim_id].html", "README_RECOVER_FILES_[victim_id].png" or "README_RECOVER_FILES_[victim_id].txt" in each folder containing encrypted files shows the victim's personal identification ID, the link for purchasing the decryption password and the hacker's email address. The message asks victims to visit the hacker's link, then pay the ransom according to the hacker's instructions.
File extensions: The common extensions are ".MafiaWare666", ".jcrypt", ".brutusptCrypt", ".bmcrypt", ".cyberone" and ".l33ch".
Primary infection vectors:
  • Hades' primary initial access into a network is through internet-facing systems that use Remote Desktop Protocol (RDP) or by accessing Virtual Private Networks (VPNs) with legitimate credentials
  • malware delivered via fake software updates displayed on compromised websites
  • exploited ProxyLogon Exchange vulnerability
Decryptable versions*: Hades
[Decryption Tool Link]

HermeticRansom
Ransom message: A file named "read_me.html" in the victim's Desktop folder shows the victim's personal ID serial number and the hacker's contact information. The message asks victims to send the ID serial number to the hacker's email address, then pay the ransom according to the hacker's instructions.
File extensions: ".[[email protected]].encryptedJB"
Primary infection vectors:
  • malicious email attachments
  • penetration scanning
Decryptable versions*: HermeticRansom
[Decryption Tool Link]

Hive
Ransom message: A file named "HOW_TO_DECRYPT.txt" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: The version 1 extension is ".hive". The version 2 extensions are ".w2tnk" and ".uj1ps". Versions 3 and 4 use random-string extensions.
Primary infection vectors:
  • exploited software vulnerabilities
Decryptable versions*: Hive
[Decryption Tool Link]

LockBit
Ransom message: A file named "Restore-My-Files.txt" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: ".abcd"
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: LockBit
[Decryption Tool Link]

LockerGoga
Ransom message: A file named "README-NOW.txt" or "README_LOCKED.txt" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: ".locked"
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: LockerGoga
[Decryption Tool Link]

Maze
Ransom message: The ransom message is posted on the screen wallpaper. A file named "DECRYPT-FILES.html" asks victims to contact the hacker and follow the hacker's instructions to pay the ransom.
File extensions: random
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: No decryption tool for Maze

MegaCortex
Ransom message: Victims with data encrypted by versions 2 through 4 need the ransom note (e.g. "!!READ_ME!!!.TXT", "!-!README!-!.RTF", etc.) present.
File extensions: ".aes128ctr"
Primary infection vectors:
  • targets corporate networks and is found along with QBot, Emotet and Cobalt Strike
Decryptable versions*: MegaCortex
[Decryption Tool Link]

MortalKombat
Ransom message: It changes the desktop wallpaper to a Mortal Kombat theme and generates a ransom note called "HOW TO DECRYPT FILES.txt".
File extensions: "..Remember_you_got_only_24_hours_to_make_the_payment_if_you_dont_pay_prize_will_triple_Mortal_Kombat_Ransomware"
Primary infection vectors:
  • spreads through phishing emails and targets exposed RDP instances
Decryptable versions*: MortalKombat
[Decryption Tool Link]

Muhstik
Ransom message: A message asks victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: ".muhstik"
Primary infection vectors:
  • exploited vulnerabilities in web servers or NAS devices
Decryptable versions*: Devices whose ID appears in the keys list below can be decrypted.
[Keys List Link]
[Decryption Tool Link]

Nemty
Ransom message: A file named "[extension]-DECRYPT.txt" asks victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: ".nemty"
Primary infection vectors:
  • uses the GandCrab infection vectors
  • exploited zero-day vulnerabilities
Decryptable versions*: Some file types encrypted by specific versions of Nemty can be decrypted.
[Decryption Tool Link]

Netwalker
Ransom message: A file named "{ID} – Readme.txt" asks victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: random
Primary infection vectors:
  • phishing emails with malicious attachments or links
Decryptable versions*: No decryption tool for Netwalker

Rhysida
Ransom message: A file named "CriticalBreachDetected.pdf" asks victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: ".rhysida"
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • brute-forced Windows Remote Desktop Services (RDP)
Decryptable versions*: Rhysida
[Decryption Tool Link]

Ryuk/Conti
Ransom message: In Ryuk, files named "RyukReadMe.txt" or "RyukReadMe.html" show the hacker's contact information and ask victims to contact the hacker to pay the ransom; in the latest version, hackers ask victims to pay the ransom for decryption on a designated webpage via the Tor browser. In Conti, a file named "CONTI_README.txt" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: In Ryuk the extension is ".RYK". In Conti the extensions are ".CONTI", ".KREMLIN", ".RUSSIA" and ".PUTIN".
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • brute-forced Windows Remote Desktop Services (RDP)
Decryptable versions*: No decryption tool for Ryuk and Conti. Some versions of Conti with the extensions ".KREMLIN", ".RUSSIA" and ".PUTIN" can be decrypted.
[Decryption Tool Link]

Sodinokibi/REvil
Ransom message: The ransom message is posted on a blue-screen wallpaper. Ransom notes placed in each folder ask victims to pay the ransom for decryption on a designated webpage via the Tor browser.
File extensions: random
Primary infection vectors:
  • uses the GandCrab infection vectors
  • exploited zero-day vulnerabilities
  • malicious email attachments
  • malicious webpage advertisements
  • brute-forced Windows Remote Desktop Services (RDP)
Decryptable versions*: Sodinokibi/REvil decryption tool
[Decryption Tool Link]

STOP
Ransom message: A file named "_openme.txt" or "_readme.txt" in the encrypted folder shows the victim's personal ID serial number and the hacker's contact information. The message asks victims to send the ID serial number to the hacker's email address, then pay the ransom according to the hacker's instructions.
File extensions: The common extensions are ".puma", ".pumas", ".coharos" and ".STOP".
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • legitimate programs containing malware
Decryptable versions*: Some extensions are supported by the decryption tool.
[Decryption Tool Link]

Trigona
Ransom message: Trigona's ransom note is dropped on the system with the name "how_to_decrypt.hta". The HTML code in this file contains embedded JavaScript functionality.
File extensions: "._locked"
Primary infection vectors:
  • exploited software vulnerabilities
Decryptable versions*: No decryption tool for Trigona

WannaCry
Ransom message: A file named "info.hta" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: ".WannaCry"
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
  • legitimate programs containing malware
  • exploited EternalBlue vulnerability
Decryptable versions*: WannaCry
[Decryption Tool Link]

Yanluowang
Ransom message: A file named "README.txt" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: ".yanluowang"
Primary infection vectors:
  • exploited software vulnerabilities
Decryptable versions*: Yanluowang
[Decryption Tool Link]

Yashma
Ransom message: A file named "Restore_Files.html" shows the hacker's contact information and asks victims to contact the hacker to pay the ransom.
File extensions: ".AstraLocker" or 4 random alphanumeric characters
Primary infection vectors:
  • malicious email attachments
  • malicious webpage advertisements
Decryptable versions*: Yashma
[Decryption Tool Link]

 

* You can identify ransomware and download decryption tools from the website below. HKCERT makes no guarantee that the tools will successfully recover the files.
https://www.nomoreransom.org/en/index.html