Odin ransomware is a new cryptographic virus from the family of Locky and Zepto ransomware. It uses a system process (rundll32.exe) to execute and encrypt user files. Usually, the infection affects the user's personal files such as documents, photos, videos and music. In this version the virus adds the .odin extension and modifies the filename, changing it to a random set of numbers and letters. The virus creates 3 files: _5_HOWDO_text.html, _HOWDO_text.bmp, and _HOWDO_text.html. The image file is used as the desktop background and contains text with instructions to pay the ransom.
JohnyCryptor is a widespread ransomware virus that uses AES encryption to encrypt important files (documents, photos, e-mails, music, video, gaming files). The virus adds a .firstname.lastname@example.org or .email@example.com extension to encrypted files (depending on the version), and creates a “How to decrypt your files.txt” file on the desktop. This file contains instructions to pay the ransom and get the decryptor. Users have to pay from 0.5 to 1.5 BitCoins ($250-$700) to get the decryptor.
Cerber3 is a newer version of the Cerber and Cerber2 ransomware that has become more complicated. It was discovered and described by an AVG malware analyst. The new version of this virus adds the .cerber3 extension instead of .cerber or .cerber2. The authors of Cerber3 demand 0.7154 bitcoins (~$400) for decryption. The malefactors give users a 5-day time frame, otherwise the ransom amount doubles. The malware has new ransom note filenames (# HELP DECRYPT #.html, # HELP DECRYPT #.txt, # HELP DECRYPT #.url). The text and html files contain the same message and instructions to pay the ransom; the “.url” file opens Cerber3’s payment website in the browser.
Nemucod is a trojan that downloads a ransomware virus onto your computer. This virus claims it uses the RSA-1024 algorithm to encrypt the user's personal files and appends .crypted to those files. In fact, the files are encrypted with a simpler XOR algorithm. The ransomware encodes various types of files: documents, music, e-mails, videos, photos, game files. Decryption is possible with the special decrypter by EmsiSoft, which we will describe later.
CrySis (Virus-Encoder) is a ransomware virus that uses AES encryption to encrypt sensitive files (documents, photos, e-mails, music, video, gaming files). The threat most often appends the .CrySis extension to all affected files, and that is where its name comes from. The malware generates a unique user ID, which the user should use to ask for the decryption key. The ransomware replaces the desktop wallpaper with an image containing text, e-mail and instructions to pay the ransom.