Ransomware – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.

Dire Wolf (.direwolf) Ransomware Virus – Removal and Decryption
https://gridinsoft.com/blogs/dire-wolf-ransomware-removal-decryption/
Sun, 06 Jul 2025 16:18:17 +0000

Dire Wolf ransomware surfaced in late May 2025 as another player in the increasingly crowded ransomware landscape. What sets this threat apart isn’t revolutionary technology, but rather its methodical approach to double extortion and global targeting strategy.

Security researchers have tracked Dire Wolf attacks across multiple continents, affecting organizations from small businesses to larger enterprises. The ransomware’s creators chose Go as their programming language – a decision that tells us something about their technical sophistication and cross-platform ambitions.

For organizations, Dire Wolf serves as a reminder that effective ransomware doesn’t need to be revolutionary – it just needs to exploit common security gaps. The focus should remain on fundamental security practices: regular backups, network segmentation, user training, and incident response planning.

The mathematics of modern encryption mean that prevention remains far more effective than recovery. Organizations that find themselves facing Dire Wolf have already lost the most important battle – the one that happens before the ransomware executes.

In the end, Dire Wolf is less about the specific technical details and more about the ongoing failure of organizations to implement basic security hygiene. The wolves are always at the door; the question is whether you’ve bothered to lock it.

Detection Name: Dire Wolf Ransomware
Threat Type: Ransomware (File Encryption + Data Theft)
Primary Function: Encrypts files and steals sensitive data for extortion
File Extension: .direwolf
Ransom Note: HowToRecoveryFiles.txt
Encryption Method: Curve25519 + ChaCha20 (Military-grade encryption)
Programming Language: Go (Golang) for cross-platform compatibility
Discovery Date: May 29, 2025
Geographic Spread: Global (USA, Thailand, Australia, Bahrain, India, Italy, Canada, Mexico, Singapore, Taiwan, France)
Risk Level: CRITICAL – Complete file encryption with data theft

Text in the ransom note:

Dear Mr or Ms, 
If you are reading this message, it means that: 
- your network infrastructure has been compromised
- critical data was leaked
- files are encrypted
--------------------------------------------------------------------------
The best and only thing you can do is to contact us
to settle the matter before any losses occurs. 
--------------------------------------------------------------------------
We can maintain confidentiality for 3 days for you, during which we will not disclose any information about your intrusion or data leakage. 
We can extend the confidentiality period free of charge until we reach an agreement if you contact us within 3 days and communicate effectively with us.
If the confidentiality period expires, we will disclose the relevant information. 
We provide complimentary decryption testing services. For specific details, please contact us.
--------------------------------------------------------------------------
We have provided a sample document as proof of our possession of your files and you can download and check it: 
- hxxxs://gofile.io/d/3*****
Please be advised that your files are scheduled for public release after 30 working days. 
If you want to secure your files, we urge you to reach out to us at your earliest convenience.
--------------------------------------------------------------------------
Contact Details:
- live chat room:
- url:hxxx://direwolf3ddtab5anvhulcelauvoxu2a7l264hqs6vtxtgrqsjfvodid.onion/ 
- roomID: thairung
- username: tha*****
- password: E27*****
-------------------------------------------------------------------------- 
Our official website:
- url:hxxx://direwolfcdkv5whaz2spehizdg22jsuf5aeje4asmetpbt6ri4jnd4qd.onion/
--------------------------------------------------------------------------
How to access .onion website: 
1.Download and install TOR Browser https://torproject.org
2.Open it and try to access our onion address
3.Maybe you need to use VPN if it can not open our onion address

Immediate Response Steps

Time is critical when dealing with ransomware. Your first actions determine how much damage the attack causes. Here’s what to do right now.

Step 1: Disconnect from the Internet

Stop the ransomware from spreading to other computers on your network. Disconnect immediately.

  1. Unplug your Ethernet cable from your computer
  2. Turn off your WiFi adapter
  3. Disable network connections in Windows: Settings > Network & Internet > Status > Change adapter options
  4. Right-click each network adapter and select “Disable”

Step 2: Identify Infected Systems

Check which computers on your network are affected. Look for these signs:

  • Files with .direwolf extension
  • Desktop wallpaper changed to ransom message
  • HowToRecoveryFiles.txt file on desktop
  • Unusual system slowness or crashes

Dire Wolf Ransomware – Encrypted files

Step 3: Document the Attack

Take screenshots of the ransom note and affected files. You’ll need this information for recovery.

  1. Screenshot the ransom note
  2. List encrypted file types and locations
  3. Note the exact time you discovered the attack
  4. Record any suspicious emails or downloads from the past 48 hours
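As an added example (not Gridinsoft's code), the following Python script gathers the Step 2 and Step 3 indicators from a directory tree: it counts .direwolf files per folder, lists the original file types that were hit, locates copies of HowToRecoveryFiles.txt, and reports the time window in which the encrypted files were written, which approximates when the encryption ran. The sample tree it builds is constructed; point triage() at a real user profile or share to use it.

```python
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Indicators named in the article.
ENCRYPTED_EXT = ".direwolf"
RANSOM_NOTE = "HowToRecoveryFiles.txt"


@dataclass
class TriageReport:
    encrypted_per_dir: Dict[str, int] = field(default_factory=dict)
    original_types: Counter = field(default_factory=Counter)
    ransom_notes: List[str] = field(default_factory=list)
    first_write: Optional[float] = None  # earliest mtime among encrypted files
    last_write: Optional[float] = None   # latest mtime among encrypted files

    @property
    def encrypted_total(self) -> int:
        return sum(self.encrypted_per_dir.values())

    def window(self) -> str:
        """UTC window of the encryption run, for the incident log (Step 3)."""
        if self.first_write is None or self.last_write is None:
            return "no encrypted files found"

        def fmt(ts: float) -> str:
            return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

        return f"{fmt(self.first_write)} .. {fmt(self.last_write)}"


def original_suffix(name: str) -> str:
    """report.docx.direwolf -> .docx, the extension the file had before encryption."""
    stem = name[: -len(ENCRYPTED_EXT)]
    return os.path.splitext(stem)[1].lower() or "(no extension)"


def triage(root: str) -> TriageReport:
    """Walk root and collect Dire Wolf indicators without modifying anything."""
    report = TriageReport()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name == RANSOM_NOTE:
                report.ransom_notes.append(path)
                continue
            if not name.lower().endswith(ENCRYPTED_EXT):
                continue
            rel_dir = os.path.relpath(dirpath, root)
            report.encrypted_per_dir[rel_dir] = report.encrypted_per_dir.get(rel_dir, 0) + 1
            report.original_types[original_suffix(name)] += 1
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue  # file vanished or is unreadable; keep walking
            report.first_write = mtime if report.first_write is None else min(report.first_write, mtime)
            report.last_write = mtime if report.last_write is None else max(report.last_write, mtime)
    return report


def build_sample_tree(root: str) -> None:
    """Constructed fixture: a small user profile as it looks after the attack."""
    base = 1_751_817_600  # 2025-07-06 16:00:00 UTC, an arbitrary constructed timestamp
    layout = {
        "Documents/report.docx.direwolf": base + 60,
        "Documents/budget.xlsx.direwolf": base + 120,
        "Pictures/holiday.jpg.direwolf": base + 30,
        "Desktop/HowToRecoveryFiles.txt": base + 130,
        "Desktop/notes.txt": base - 86_400,  # untouched file, must not be counted
    }
    for rel, mtime in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"constructed sample content")
        os.utime(path, (mtime, mtime))


def run_on_sample() -> TriageReport:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    r = run_on_sample()
    print(f"{r.encrypted_total} encrypted files in {len(r.encrypted_per_dir)} folders")
    for folder, count in sorted(r.encrypted_per_dir.items()):
        print(f"  {folder}: {count}")
    print("original types:", dict(r.original_types))
    print("ransom notes:", r.ransom_notes)
    print("encryption window:", r.window())
```

Run it as-is to see the constructed case; the window and per-folder counts are the figures to copy into the incident record before any cleanup starts.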

Dire Wolf Technical Analysis

Dire Wolf Ransomware Encryption Process

Understanding how Dire Wolf works helps you protect against future attacks. The ransomware uses sophisticated techniques that make file recovery nearly impossible without the decryption key.

Encryption Implementation

Dire Wolf uses military-grade encryption that cannot be broken:

  • Curve25519: Modern elliptic curve cryptography for key exchange
  • ChaCha20: Stream cipher developed by Google and used in TLS
  • Go Programming Language: Cross-platform compatibility for Windows, Linux, and macOS
  • Unique Keys: Each victim gets a different encryption key

Attack Timeline Strategy

Dire Wolf operators follow a calculated timeline (see more details on tria.ge) designed to maximize pressure:

Dire Wolf Pressure Timeline:

  • Day 1-3: “Confidentiality window” – No data leak if you contact them
  • Day 4-30: Escalating pressure with threats of data publication
  • Day 30+: Stolen data published on dark web leak sites

Double Extortion Tactics

Dire Wolf doesn’t just encrypt files. The attackers also steal your data before encryption:

  1. Initial Access: Compromised RDP, phishing emails, or software vulnerabilities
  2. Environment Mapping: Scan network for valuable targets and data
  3. Data Harvesting: Steal sensitive documents, databases, and credentials
  4. File Encryption: Encrypt files using Curve25519 + ChaCha20
  5. Ransom Demand: Threaten to publish stolen data if payment isn’t made

Security Vendor Detection

Major antivirus companies now detect Dire Wolf ransomware. The signatures vary because the threat is still being analyzed:

  • Microsoft Defender: Trojan:Win32/Casdet!rfn, Ransom:Win64/Dire Wolf.A
  • Gridinsoft: Ransom.Win64.DireWolf.dd!s1
  • Dr.Web: Trojan.Encoder.42458, Trojan.Encoder.42473
  • BitDefender: Trojan.Generic.38142181, Trojan.Generic.38138312
  • ESET: A Variant Of WinGo/Filecoder.JB
  • Kaspersky: Trojan.Win32.DelShad.nrj, Trojan.Win32.DelShad.nrn
  • Trend Micro: Ransom.Win64.DIREWOLF.THFBOBE

If your antivirus detected Dire Wolf, the damage might already be done. The encryption happens faster than most security software can stop it.

Manual Dire Wolf Removal Steps

Manual removal focuses on cleaning the ransomware executable and stopping ongoing processes. This won’t decrypt your files, but it prevents further damage.

Step 1: Boot into Safe Mode

Safe Mode prevents the ransomware from running during cleanup:

  1. Press Windows + R to open Run dialog
  2. Type msconfig and press Enter
  3. Go to Boot tab and check “Safe boot”
  4. Select “Minimal” option
  5. Click Apply and restart your computer

Step 2: Identify Malicious Processes

Look for suspicious processes that might be Dire Wolf components:

  1. Press Ctrl + Shift + Esc to open Task Manager
  2. Click “More details” if needed
  3. Look for processes with random names or high CPU usage
  4. Check the “Details” tab for suspicious .exe files
  5. Note the location of suspicious processes

Step 3: Delete Ransomware Files

Remove Dire Wolf executables from common infection locations:

  1. Open File Explorer and navigate to: C:\Users\%USERNAME%\AppData\Local\Temp
  2. Look for recently created .exe files with random names
  3. Delete suspicious executables (check creation dates)
  4. Check Downloads folder: C:\Users\%USERNAME%\Downloads
  5. Remove any suspicious files downloaded in the past 48 hours

Step 4: Clean Registry Entries

Remove Dire Wolf startup entries from Windows Registry:

  1. Press Windows + R and type regedit
  2. Navigate to: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  3. Look for entries with random names or suspicious paths
  4. Delete any entries pointing to ransomware executables
  5. Check: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Step 5: Remove Scheduled Tasks

Check for persistent ransomware tasks:

  1. Press Windows + R and type taskschd.msc
  2. Expand “Task Scheduler Library”
  3. Look for tasks with random names or suspicious triggers
  4. Delete any tasks that run suspicious executables
  5. Check task history for recently executed suspicious tasks

Step 6: Clear System Restore Points

Dire Wolf may have infected backup files. Do this step last: the same System Protection storage holds the Shadow Volume Copies described under File Recovery Options, so export anything you still need from them before deleting the restore points:

  1. Right-click “This PC” and select “Properties”
  2. Click “System Protection” on the left
  3. Select your main drive and click “Configure”
  4. Click “Delete” to remove all restore points
  5. Create a new restore point after cleanup

Automatic Removal with GridinSoft Anti-Malware

Manual removal can be complex and time-consuming. For a faster, more reliable solution, GridinSoft Anti-Malware offers automatic detection and removal of Dire Wolf ransomware components. Professional anti-malware software can find hidden components and registry changes that you might miss.

GridinSoft Anti-Malware specializes in advanced threat detection. It can identify Go-based malware like Dire Wolf and clean infected systems completely.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

File Recovery Options

Dire Wolf uses unbreakable encryption. Your files cannot be decrypted without the attackers’ key. Here are your recovery options:

Backup Recovery

Your best option is restoring from clean backups:

  • Check external drives that weren’t connected during the attack
  • Look for cloud backups (OneDrive, Google Drive, Dropbox)
  • Verify backup integrity before restoring
  • Restore backups to a clean system only

Shadow Volume Copies

Windows might have automatic backups that survived:

  1. Download Shadow Explorer from shadowexplorer.com
  2. Install and run the software
  3. Select your drive and a date before the infection
  4. Browse for important files and export them

File Recovery Software

Try recovering deleted originals (low success rate):

  • Use Recuva or similar file recovery tools
  • Scan for recently deleted files
  • Look for temporary file versions
  • Check application cache folders

How to Decrypt Dire Wolf Files

Let’s address the question everyone asks: “Can I decrypt my files without paying?” The short answer is no. Here’s why and what you can do instead.

Why Decryption Is Impossible

Dire Wolf uses Curve25519 + ChaCha20 encryption. This isn’t some amateur crypto that security researchers can crack:

  • Mathematical Reality: Breaking this encryption would require more computing power than exists on Earth
  • Unique Keys: Each victim gets a different encryption key stored only on the attackers’ servers
  • No Weaknesses: Security experts have found no flaws in the encryption implementation
  • Time Factor: Even with quantum computers, decryption would take millions of years

Free Decryption Tools Status

Security companies regularly release decryption tools for ransomware with flawed encryption. Here’s the current status for Dire Wolf:

  • No-More-Ransom Project: No decryption tool available
  • Emsisoft: No decryption tool available
  • Kaspersky: No decryption tool available
  • Avast: No decryption tool available

Check these resources periodically in case researchers discover a flaw, but don’t hold your breath. Modern ransomware like Dire Wolf uses proper encryption.

Avoid Fake Decryption Tools

Scammers exploit ransomware victims with fake decryption tools. Here’s how to spot them:

  • Payment Required: Legitimate decryption tools are always free
  • Suspicious Websites: Only download from official security company sites
  • Too Good to Be True: If it claims to decrypt any ransomware, it’s fake
  • Multiple Infections: Fake tools often install more malware

What About Paying the Ransom?

The attackers do have the decryption key. But paying comes with serious risks:

  • No Guarantee: 40% of victims who pay never get their files back
  • Partial Recovery: Some victims receive decryption tools that only work on some files
  • Repeat Attacks: You’re marked as someone who pays, increasing future attacks
  • Legal Issues: Paying ransoms may violate sanctions laws in some countries
  • Funding Crime: Your payment funds more ransomware attacks

Alternative Recovery Methods

Instead of trying to decrypt files, focus on these proven recovery methods:

  1. Restore from Backups: Your best bet if you have clean backups
  2. Shadow Volume Copies: Windows automatic backups that might survive
  3. File Recovery Tools: Might find deleted originals before encryption
  4. Previous Versions: Windows File History might have older copies
  5. Application Caches: Some programs keep temporary copies

Decryption Reality Check:

  • Dire Wolf files cannot be decrypted without the attackers’ key
  • No legitimate free decryption tools exist for this ransomware
  • Paying the ransom is risky and may not work
  • Focus on backup recovery and file restoration instead
  • Accept that some files may be permanently lost

Frequently Asked Questions

What is Dire Wolf ransomware and why is it dangerous?

Dire Wolf is a ransomware that encrypts your files and steals your data. It’s dangerous because it uses military-grade encryption that cannot be broken. The attackers also threaten to publish your stolen data if you don’t pay the ransom.

How did Dire Wolf get on my computer?

Dire Wolf spreads through phishing emails, compromised remote desktop connections, and software vulnerabilities. Attackers often use legitimate-looking email attachments or exploit unpatched security holes in your system.

Can I decrypt my files without paying the ransom?

No, Dire Wolf uses Curve25519 + ChaCha20 encryption which is mathematically impossible to break. Your only options are restoring from backups or using file recovery tools to find deleted originals.

Should I pay the ransom to get my files back?

Security experts recommend against paying ransoms. There’s no guarantee you’ll get your files back, and payment encourages more attacks. Focus on backup recovery instead.

How can I prevent Dire Wolf ransomware?

Keep regular offline backups, update your software, use strong passwords, and avoid suspicious emails. Install reputable antivirus software and keep Windows Defender enabled.

What if manual removal doesn’t work?

Use GridinSoft Anti-Malware for automatic detection and removal. Professional anti-malware tools can find hidden components that manual removal might miss.

How do I know if my computer is completely clean?

Run a full system scan with GridinSoft Anti-Malware after manual cleanup. Check that no suspicious processes are running and that the ransom note files are gone.

Can Dire Wolf spread to other computers on my network?

Yes, Dire Wolf can spread through network connections. Disconnect infected computers immediately and scan all systems on your network for the threat.

Dire Wolf in the Ransomware Landscape

Dire Wolf represents the evolution of ransomware tactics. The threat shows several concerning trends:

Technical Sophistication

Using Go programming language shows the attackers understand modern development practices. Go creates efficient, cross-platform malware that’s harder to analyze than traditional Windows-only threats.

Double Extortion Standard

What was once exclusive to major ransomware groups is now standard practice. Even new players like Dire Wolf implement data theft alongside encryption. This mirrors the evolution we’ve seen with groups like LockBit and REvil.

Global Coordination

Attacks across multiple continents indicate organized operations with significant resources. This isn’t a lone hacker but a coordinated criminal enterprise.

Psychological Manipulation

The 3-day “confidentiality window” creates false urgency. It’s designed to prevent victims from consulting security professionals or law enforcement.

Understanding these trends helps organizations prepare for the evolving ransomware landscape. Consider reading our analysis of nation-state threat actors to understand the broader context of modern cyber threats.

Quick Summary

Dire Wolf Ransomware Key Points:

  • Uses unbreakable Curve25519 + ChaCha20 encryption
  • Written in Go for cross-platform compatibility
  • Steals data before encryption (double extortion)
  • Files cannot be decrypted without paying ransom
  • Focus on backup recovery, not file decryption
  • Use GridinSoft Anti-Malware for thorough cleanup
  • Prevent future attacks with offline backups

Dire Wolf ransomware represents competent execution of proven attack methods. The threat actors understand both technical and psychological aspects of successful extortion campaigns.

For victims, the focus should be on cleanup and recovery from backups rather than attempting to decrypt files. The mathematics of modern encryption make file recovery without the key virtually impossible.

Prevention remains more effective than recovery. Organizations and individuals who maintain proper backups and security practices can recover from Dire Wolf attacks without paying ransoms.

The emergence of threats like Dire Wolf reinforces the importance of basic security hygiene. Regular backups, software updates, and security awareness training remain the best defenses against ransomware attacks. For comprehensive protection strategies, consider our guide on internet safety tips and cybersecurity best practices.

PE32 Ransomware
https://gridinsoft.com/blogs/pe32-ransomware/
Tue, 29 Apr 2025 21:47:55 +0000

PE32 Ransomware is a recently discovered malware strain that encrypts your files and asks for payment to unlock them. Victims can recognize the affected files by the sample-specific extension (.pe32); the files become inaccessible through normal means. This malware caught researchers’ eye particularly for using Telegram as a platform for ransom payment negotiations, which is unusual for such malware.

PE32 Ransomware Overview

Cybersecurity researchers have discovered and investigated a new ransomware-type threat. PE32 Ransomware encrypts victims’ files and demands payment for decryption while threatening to leak stolen data. Unlike more infamous ransomware families like LockBit or Conti, which we have separate posts about, PE32 is marked by its immature design and poor security practices. Nonetheless, it remains a significant threat, as it is still able to encrypt files and disrupt system operations.

It targets both individual users and corporate environments, with ransom demands ranging from $700 to $7,000 for individual machines or servers and $10,000 to 2 Bitcoin (BTC) for corporate targets. Its most distinctive feature is its reliance on the Telegram Bot API for command and control (C2) communication, a departure from the covert HTTP or DNS methods used by traditional ransomware. This choice, combined with its chaotic behavior, makes PE32 a truly unique case study in the evolving ransomware landscape.

Detailed PE32 Ransomware Analysis

PE32 Ransomware operates in a manner that is both non-obvious and confusing, often defying the logical patterns seen in more refined malware. Its behavior is described as noisy and chaotic, making it easier to detect but challenging to analyze due to its erratic execution. The ransomware encrypts files indiscriminately, targeting everything in its path, including files with little to no value, such as Chrome language files, GIFs, or CSS files. This lack of selectivity underscores its poorly designed logic, as it wastes resources on data that offers no leverage for extortion.

The ransomware’s execution begins with a simple prompt, after which it rapidly encrypts files, focusing on visible folders like the Desktop. It creates a directory named “C:\PE32-KEY” containing files such as “context.pe32c,” “lock.pe32,” “pe32lockfile.lock,” “ID,” and “README.txt”. Encrypted files are appended with the “.pe32s” extension, marking them as inaccessible. PE32 also drops marker files like “pe32lockfile.lock” in every encrypted folder, to indicate completion, but this triggers false positives in detection systems, complicating analysis. Additionally, it initiates disk repair processes by triggering chkdsk.exe via “C:\bootTel.dat,” which can destabilize the system further.

PE32-KEY folder

From a technical perspective, PE32 relies on standard Windows libraries, including ntdll.dll, kernel32.dll, crypt32.dll, bcrypt.dll, and schannel.dll, to handle operations like TLS/SSL communication for its Telegram-based C2 channel. Its encryption process is fast, with reported cycles labeled as UltraFast, Fast, and Slow, and it collects system information such as the computer’s GUID, hostname, software policy settings, and supported languages.

This data collection is likely meant to avoid infecting systems in specific regions; however, that would contradict the general logic of the ransomware’s operation, or rather the absence of such logic. Some functions within the malware also appear to serve no practical purpose, contributing to its illogical behavior. For instance, certain code segments suggest conditional logic, but they do not meaningfully alter the ransomware’s operation, which only adds to its confusing nature.

Command and Control Communication

PE32 Ransomware’s command and control (C2) communication is a standout feature, relying entirely on the Telegram Bot API. Unlike traditional ransomware, which uses encrypted HTTP, DNS, or custom servers to communicate covertly, PE32 sends all commands and data through Telegram, with no DNS or HTTP requests involved.

The bot token, a critical component for accessing the Telegram API, is hardcoded into the malware’s code, exposing a significant vulnerability. Just imagine the faces of ransomware operators after Telegram blocks their bot. Moreover, this lack of obfuscation means that anyone who extracts the token can interact with the bot, potentially spamming it, issuing commands, or disrupting its operations.

The use of Telegram as a C2 channel has several implications. On one hand, it simplifies deployment for attackers, as they do not need to maintain a dedicated server infrastructure. On the other hand, it introduces significant risks. Security researchers or malicious actors can use tools like Matkap to abuse the exposed bot token, leading to potential denial-of-service attacks or unauthorized access.

Additionally, Telegram’s infrastructure is more traceable than Darknet-based C2 servers, making it easier for law enforcement or security teams to monitor communications. This “unhidden” approach contrasts sharply with the stealth typically employed by ransomware.
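As an added example, not code from Gridinsoft or from the PE32 sample, the Python below shows the defender’s side of the hardcoded-token point: it scans a binary blob for the Telegram Bot API host and for anything shaped like a bot token (numeric bot ID, a colon, then 35 characters of [A-Za-z0-9_-]) in both ASCII and UTF-16LE, and reports the bot ID with the secret redacted so the indicator can go into a report or blocklist without copying a usable credential around. The blob and the token it scans are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Telegram bot tokens look like <numeric bot id>:<35 chars of [A-Za-z0-9_-]>.
# The lookbehind rejects a bot id that is merely the tail of a longer digit run
# while still accepting the "/bot<token>" form used in Bot API URLs; the
# lookahead keeps a longer base64-like blob from matching as a token.
TOKEN_RE = re.compile(r"(?<!\d)(\d{8,10}):([A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])", re.ASCII)
HOST_RE = re.compile(r"api\.telegram\.org(?:/bot)?", re.ASCII)


@dataclass(frozen=True)
class Finding:
    kind: str      # "telegram_api_host" or "telegram_bot_token"
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset of the match in the scanned blob
    value: str     # host string, or "<bot id>:<first 3 chars>***" (secret redacted)


def _views(data: bytes) -> Iterator[Tuple[str, str, int, int]]:
    """Yield (encoding, text, byte offset of text[0], bytes per char).

    One byte-per-char view catches ASCII strings; two UTF-16LE views (even and
    odd byte alignment) catch the wide strings Windows binaries often use.
    Non-ASCII decode garbage can never match the ASCII-only patterns above."""
    yield "ascii", data.decode("latin-1"), 0, 1
    for shift in (0, 1):
        chunk = data[shift:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        yield "utf-16le", chunk.decode("utf-16-le", errors="replace"), shift, 2


def redact(bot_id: str, secret: str) -> str:
    """Keep the bot id (needed for blocking and reporting) and hide the secret."""
    return f"{bot_id}:{secret[:3]}{'*' * (len(secret) - 3)}"


def scan(data: bytes) -> List[Finding]:
    """Return Telegram C2 indicators found in data, ordered by byte offset."""
    found: List[Finding] = []
    for encoding, text, base, width in _views(data):
        for m in HOST_RE.finditer(text):
            found.append(Finding("telegram_api_host", encoding, base + m.start() * width, m.group(0)))
        for m in TOKEN_RE.finditer(text):
            found.append(Finding("telegram_bot_token", encoding, base + m.start() * width,
                                 redact(m.group(1), m.group(2))))
    return sorted(found, key=lambda f: (f.offset, f.kind))


def bot_ids(findings: List[Finding]) -> Set[str]:
    """Bot ids to put in the incident report or abuse notice to Telegram."""
    return {f.value.split(":", 1)[0] for f in findings if f.kind == "telegram_bot_token"}


# Constructed placeholder token: the shape is right, the value is not a real credential.
SAMPLE_TOKEN = "123456789:" + "AAEx" + "0" * 31


def sample_blob() -> bytes:
    """Constructed stand-in for a PE32 image section: padding, an ASCII Bot API
    URL carrying the token, and a second copy of the token as a UTF-16LE wide
    string that starts at an odd byte offset."""
    ascii_part = (b"\x00" * 16 + b"https://api.telegram.org/bot"
                  + SAMPLE_TOKEN.encode("ascii") + b"/sendDocument\x00")
    wide_part = b"\x00" * 8 + SAMPLE_TOKEN.encode("utf-16-le") + b"\x00\x00"
    return ascii_part + wide_part


if __name__ == "__main__":
    findings = scan(sample_blob())
    for f in findings:
        print(f"{f.offset:6d}  {f.encoding:8s}  {f.kind:18s}  {f.value}")
    print("bot ids:", bot_ids(findings))
```

On a real sample, feed scan() the raw file bytes (or an unpacked section if the binary is packed); a hit on both the host string and a token is the Telegram C2 indicator the analysis above describes.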

Ransom Note Overview

The ransom note is located in the “C:\PE32-KEY\README.txt” file and is notably unconventional. Unlike traditional ransomware, which often directs victims to darknet sites or encrypted communication platforms, PE32 instructs victims to contact the attackers via Telegram, with a backup Gmail address provided.

PE32 ransom note

This approach is unconventional, as it leverages public, widely accessible platforms rather than obscure channels. The note typically outlines the ransom demands, emphasizing the dual threat of file encryption and potential data leakage if payment is not made.

The use of Telegram and Gmail makes the ransom process more accessible for attackers, as they can easily monitor communications. However, it also increases their exposure, as these platforms can be monitored or blocked by security teams.

How to Remove PE32 Ransomware?

Although PE32 Ransomware is hardly careful in how it operates, it still fulfills its main function, so removing it requires careful action to prevent further damage. Reputable anti-malware software, such as GridinSoft Anti-Malware, is recommended for detecting and eliminating the ransomware. Reboot the device into Safe Mode with networking and run the anti-malware solution; it will update its databases and perform a scan, finding and removing all threats.


Manual removal is strongly discouraged due to the complexity of ransomware and the risk of incomplete removal, which could allow the malware to persist or reinfect the system. Before restoring any backups or accessing encrypted files, it is critical to ensure the ransomware is fully removed to avoid encrypting recovered data. After removal, users should scan their systems thoroughly to confirm the absence of residual threats.

Can I Recover Files?

Unfortunately, recovering files encrypted by PE32 Ransomware is challenging without the attackers’ decryption key. At present, no decryption tools are available for PE32. Paying the ransom is not advisable: there is no guarantee that the attackers will provide the decryption key, and payment may encourage further demands.

The most effective recovery method is restoring files from backups. If backups were maintained and stored in separate locations, such as remote servers or unplugged storage devices, users can recover their data after removing the ransomware. In the absence of backups, third-party data recovery tools may offer limited assistance if encrypted files were partially overwritten, but success is not guaranteed.

VerdaCrypt Ransomware
https://gridinsoft.com/blogs/verda-crypt-ransomware/
Tue, 22 Apr 2025 20:27:50 +0000

VerdaCrypt ransomware appears to be a malicious program that locks your files by encrypting them, making them inaccessible until a ransom is paid, often in Bitcoin. It is known for threatening to leak your data if you don’t pay, a tactic called double extortion. In this post, I’ll tell you what this threat is and how to remove it from your device.

VerdaCrypt Ransomware Overview

VerdaCrypt is classified as a ransomware-type program, a category of malware designed to encrypt victims’ data and demand payment for decryption. It was discovered by cybersecurity researchers during routine inspections of new malware submissions to profiling platforms, indicating its active presence in the wild. This ransomware uses the “.verdant” file extension, which it appends to encrypted files, rendering them inaccessible. This extension serves as a marker of infection, distinguishing VerdaCrypt from other ransomware variants.

Files locked by VerdaCrypt ransomware

A key characteristic of VerdaCrypt is its employment of double extortion tactics, which is not something new and has already been found in other ransomware. Beyond simply encrypting files, it also threatens to publish or leak sensitive data online if the ransom is not paid. This increases pressure on victims—especially businesses and institutions—who are concerned about reputational damage or legal consequences.

The ransom demand is typically delivered via a text file named !!!READ_ME!!!.txt, which is placed prominently on the desktop or within affected folders. It instructs victims to contact the attackers through encrypted communication platforms like Protonmail, using addresses such as dendrogaster_88095@protonmail.com. Payment is usually requested in Bitcoin, with the amount potentially escalating over time. Attackers may also discourage alternative recovery attempts by warning that such actions could render files permanently inaccessible.

VerdaCrypt ransomware ransom note

Operational Mechanisms

VerdaCrypt’s infection methods are consistent with common ransomware distribution strategies. It primarily spreads through phishing emails, which may contain malicious attachments, such as documents with embedded macros, or deceptive downloads. These emails often exploit social engineering tactics to trick users into opening infected files. Additionally, VerdaCrypt can be distributed via torrent websites or other untrusted sources, exploiting system vulnerabilities or being delivered through trojans.

Once installed, the ransomware executes an encryption payload that targets various file types, including documents, multimedia, and databases, using strong cryptographic algorithms. These algorithms make decryption without the attackers’ unique key virtually impossible, which is what makes the ransomware effective. One exception: critical system files are left unencrypted so that the infected system keeps working, which preserves the victim’s ability to pay the ransom.

The encryption process appends the “.verdant” extension to compromised files, signaling their locked status. VerdaCrypt can also spread across local networks and external storage devices, increasing its impact. The ransom note, !!!READ_ME!!!.txt, not only demands payment but may include dramatic language, such as “YOUR DIGITAL EXISTENCE HAS BEEN COMPROMISED,” to instill urgency and fear. The note provides instructions for contacting the attackers and specifies the ransom amount, often in Bitcoin, as noted above.

Removal Strategies

Removing VerdaCrypt requires a combination of automated tools and manual steps to ensure the malware is eradicated from the system. The primary recommendation is to use reputable anti-malware software, such as GridinSoft Anti-Malware. It is critical to back up files before attempting removal to avoid potential data loss, especially given the ransomware’s impact on file accessibility.

Removal steps include booting the system in Safe Mode with Networking, which can be enabled by running “msconfig”, selecting Safe Boot, and restarting. Next, run a scan with GridinSoft Anti-Malware. Its enhanced malware detection system will find and eliminate the threat, so you will have no problem with the recovery steps and further use of the PC. Download it via the banner below, and don’t miss out on the 6-day free trial that unlocks the full potential of the program.


Can I Get My Files Back?

Unfortunately, as of the latest research, there are no known public decryption tools specifically designed for VerdaCrypt. The encryption used is robust, and only the cybercriminals who developed the ransomware possess the necessary keys for decryption. Cybersecurity experts strongly advise against paying, as it does not guarantee data recovery and may encourage further criminal activity.

The most reliable recovery method is restoring files from backups. Any organization or individual holding valuable information needs to ensure uninterrupted access to those files under any scenario. You are encouraged to maintain regular backups on unplugged storage devices or remote servers, such as cloud services, so that data can be recovered without interacting with the attackers.

Victims are also encouraged to report incidents to the authorities, such as the Internet Crime Complaint Center (IC3) in the US, Action Fraud in the UK, or the official portal of the German police, to aid in tracking and combating such threats.

D0glun Ransomware: Analysis and Protection Guide (https://gridinsoft.com/blogs/d0glun-ransomware/), published Wed, 16 Apr 2025 10:44:35 +0000
D0glun Ransomware: Technical Analysis and Protection Guide

D0glun ransomware emerged in January 2025 as a new crypto-ransomware variant with direct links to the Babuk and Cheng Xilun ransomware families. This sophisticated threat encrypts files using AES-256 encryption, appends the “.@D0glun@” extension to compromised files, and demands Bitcoin payment for decryption. This technical analysis explores D0glun’s infection mechanisms, encryption techniques, and provides actionable protection strategies based on the latest threat intelligence.

Technical Overview

D0glun ransomware shares significant code similarities with the leaked Windows version of Babuk and is a direct descendant of Cheng Xilun (Babuk→Cheng Xilun→D0glun). Security researchers have confirmed these connections through analysis of execution patterns, encryption methods, and ransom note formats. The March 2025 crypto crime report indicates that this family was responsible for several incidents within a broader trend of $124 million stolen across 25 separate ransomware incidents in Q1 2025.

The ransomware features:

  • Fast encryption process using AES-256 symmetric encryption for file content
  • File extension modification to “.@D0glun@[original_extension]” with additional variant patterns of “@zero_d0glun_[original_extension]”
  • Three distinct ransom notes including desktop wallpaper modification
  • Chinese-language ransom instructions that appear as corrupted text on systems without Chinese character support
  • TOR communication channel for ransom payment and negotiation
  • Bitcoin wallet for transaction processing (identified address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH)
  • Additional communication channels via QQ (424714982) and Telegram (https://t.me/CXL13131)

The first samples of D0glun were identified in January 2025, nearly five years after Cheng Xilun’s initial appearance in April 2020. This timing suggests strategic redeployment of the codebase either by the original threat actor under a new alias or a different group with access to the Cheng Xilun source code.

Image: D0glun ransomware displays a Chinese-language ransom note as the desktop wallpaper

Infection Vectors

D0glun employs multiple distribution methods to infect systems, with recent research from March 2025 identifying exploitation of the Confluence Data Center vulnerability (CVE-2023-22518) as a newly observed attack vector:

Chart: D0glun ransomware primary infection vectors, as a percentage of detected infections: Phishing Emails 43%, RDP Exploitation 38%, Fake Software Updates 32%, Confluence CVE-2023-22518 29%, Supply Chain Attacks 21%, Drive-by Downloads 17%

Source: WatchGuard’s Ransomware Tracker, combined with GridinSoft Threat Intelligence data, 2025

The most prevalent infection vectors include:

  1. Phishing campaigns: Emails containing malicious attachments or links that, when opened, download and execute the ransomware payload through PowerShell scripts
  2. Remote Desktop Protocol (RDP) exploitation: Targeting systems with weak or default credentials or unpatched RDP vulnerabilities
  3. Fake software updates: Posing as legitimate application updates that actually contain the ransomware payload
  4. Confluence CVE-2023-22518 exploitation: Targeting the improper authorization vulnerability in Confluence Data Center and Server that allows unauthenticated attackers to reset Confluence and create administrator accounts
  5. Supply chain attacks: Compromising legitimate software distribution channels to deliver the payload
  6. Malicious torrent files: Hiding within pirated software, games, or media distributed through P2P networks

According to security reports, organizations in the manufacturing, healthcare, and business services sectors are the primary targets. Most infections occur in North America and Europe, with cases also reported in Brazil, Argentina, South Africa, and Japan.

Technical Capabilities and Execution Flow

When executing on a compromised system, D0glun follows a methodical process:

  1. Initial setup: Creates mutex “hsfjuukjzloqu28oajh727190” to prevent multiple instances from running
  2. System reconnaissance: Collects system information, installed software details, and network configuration
  3. Credential harvesting: Attempts to extract credentials from FTP clients, VNC software, browsers, and email applications
  4. Defense evasion: Disables Windows Defender, modifies security settings, and employs anti-debugging techniques
  5. Persistence establishment: Creates registry entries to ensure execution after system restart
  6. Backup destruction: Executes “vssadmin delete shadows /all /quiet” to remove shadow copies
  7. File encryption: Systematically encrypts over 200 file types, including documents, images, and databases, across local drives and network shares
  8. Ransom note deployment: Drops ransom notes in each directory and changes desktop wallpaper
  9. Self-cleanup: Deletes artifacts and potentially removes itself after encryption is complete

Image: Files encrypted by D0glun ransomware, showing the distinctive .@D0glun@ extension pattern

D0glun avoids encrypting files with specific extensions to maintain system functionality:

  • .dat – Common data files needed by many applications
  • .dll – Dynamic Link Libraries required for system operation
  • .exe – Executable files that may be needed to run processes
  • .ini – Configuration files for Windows and applications
  • .log – System log files that track events
  • .sys – System files critical for operating system function

Analysis of sample hash a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a reveals that D0glun uses a sophisticated multi-stage infection process linked to the Confluence exploit:

  1. Initial exploitation of CVE-2023-22518 to create admin credentials
  2. Execution of PowerShell scripts to download the main ransomware payload (typically named “svcPrvinit.exe”)
  3. Deployment via C&C servers at 193.176.179.41 and 193.43.72.11
  4. Execution with command-line parameters for silent operation

Encryption Methodology

D0glun employs a sophisticated encryption strategy:

  1. Generates a unique AES-256 symmetric key for file encryption
  2. Encrypts the AES key using an embedded RSA-2048 public key
  3. Only the threat actors possess the corresponding private RSA key needed for decryption
  4. Creates identifiable patterns in encrypted files to verify ownership during ransom negotiation

This approach makes decryption impossible without obtaining the private key from the attackers, as the asymmetric RSA encryption securely protects the symmetric AES key used for file encryption.

Ransom Note Analysis

The D0glun ransom note appears in Chinese, creating additional complications for victims without Chinese language support on their systems. Translation reveals several notable elements:

Your files are encrypted.

What's wrong with my computer?
I've encrypted some of your files.
File types include ZIP|TXT|PNG|JPG|PDF|DOC|and other common file formats.
---------- ---------- ------
Please do not try any antivirus software before decryption, otherwise I can not guarantee the safety of your files!
-------------------------------------------------------
How do I recover my important files?
--------------------------------------
Files with @D0GLUN@+source file suffix.
Such files can only be decrypted by our decryption service.
Trying any other decryption method will be futile.
Please visit our Dark Web site and we will provide you with a specialized decryption service.
Of course, there is a fee for this service
======================================
Can we really decrypt it?
======================================
We will honor our word of honor
We can decrypt a small part of your file for free
to prove that we can actually decrypt it!

---------- ----------
Please download the Tor Browser to your right


Then visit the following address
-
Contact us for help
In the lower right corner is my BTC collection address

Key ransom note elements include:

  • Claims that antivirus will damage encrypted files (false intimidation tactic)
  • TOR onion address: hxxp://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion
  • Bitcoin wallet address: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH
  • QQ communication channel: 424714982
  • Telegram contact: https://t.me/CXL13131

The ransom note follows patterns similar to Cheng Xilun, further confirming the relationship between these ransomware families. The attackers typically offer to decrypt a small sample file to demonstrate their capability to restore data.

MITRE ATT&CK Techniques

D0glun employs various techniques mapped to the MITRE ATT&CK framework:

  • T1486: Data Encrypted for Impact – Primary ransomware function to encrypt victim files
  • T1490: Inhibit System Recovery – Deletion of shadow copies and backup mechanisms
  • T1082: System Information Discovery – Collection of system details to tailor the attack
  • T1562.001: Disable or Modify Tools – Disabling security software to evade detection
  • T1083: File and Directory Discovery – Enumeration of files for targeting
  • T1112: Modify Registry – Creation of registry entries for persistence
  • T1059.001: PowerShell – Use of PowerShell scripts for execution
  • T1047: Windows Management Instrumentation – Leveraging WMI for system manipulation

Protection and Remediation

If your system becomes infected with D0glun ransomware, follow these essential steps:

Immediate Response

  1. Immediately disconnect from all networks to prevent spread to other systems
  2. Disconnect external storage devices
  3. Document the ransomware attack details (ransom note, encrypted file examples, contact information)
  4. Report the incident to local law enforcement and national cybersecurity agencies

Ransomware Removal

To remove D0glun ransomware, use specialized security software that can detect and eliminate this threat:

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the anti-malware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects, and potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal process may take several minutes when there are a lot of detections. Do not interrupt it, and you will get your system as clean as new.

Removal finished

Note that removing the ransomware only prevents further file encryption; it does not recover already encrypted files.

File Recovery Options

Currently, no free decryptor exists for D0glun ransomware. Your recovery options include:

  • Restore from backups: The most reliable recovery method is restoring from clean, disconnected backups
  • Shadow Volume Copies: If not deleted by the ransomware, Windows Shadow Copies might contain previous versions of files
  • Cloud storage versions: Services like OneDrive, Google Drive, and Dropbox may have previous file versions if versioning was enabled
  • Data recovery tools: In some cases, specialized tools like EaseUS Data Recovery might be able to recover fragments of files

Security experts and law enforcement agencies strongly advise against paying the ransom, as payment:

  • Does not guarantee file recovery
  • Finances criminal operations
  • Marks you as a willing payer, potentially leading to future attacks

Prevention Strategies

Implement these security measures to protect against D0glun and similar ransomware:

  • Patch management: Apply security updates promptly, especially for Confluence and remote access technologies
  • Immutable backups: Maintain a 3-2-1 backup strategy (3 copies, 2 different media types, 1 off-site) on write-once media
  • Email security: Implement advanced anti-phishing protection and user awareness training
  • Network security: Secure RDP access with multi-factor authentication and limit external exposure
  • Endpoint protection: Deploy modern anti-malware solutions with behavioral detection capabilities
  • Least privilege: Restrict user permissions to reduce the impact of successful attacks
  • Network segmentation: Isolate critical systems to limit lateral movement
  • Application control: Implement application whitelisting to prevent unauthorized executables
  • Network monitoring: Deploy intrusion detection systems to identify unusual activity

Organizations should also develop and regularly test incident response plans specific to ransomware attacks to minimize recovery time and data loss.

Technical Indicators of Compromise (IOCs)

Security teams should monitor for these D0glun indicators:

File Hashes (SHA-256):
3eb7f1dd0274bd4ffcdf463876ab547503f9e6120db22c5e1923fe16cab71b50
a8df7571e871d22f13ba3eb376eddd1f73ce241d24caa878494e1805219b342a
d6d55a8fbd1c603719fe611e572e2431512e7063c44896f705524dab66234d45
f549ae8d509dab97f2d8b12ecf344c72ab2e715b2667e78d8fdd892eb6a459de
bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a

IP Addresses:
193.176.179.41
193.43.72.11
45.145.6.112

File Extensions:
.@D0glun@<original extension>
.<original extension>.@d0glun@<original extension>
.<original extension>.@zero_d0glun_<original extension>

Ransom Note Files:
@[email protected]
Desktopcxl.txt
help.exe

Mutex:
hsfjuukjzloqu28oajh727190

Communication:
TOR: hxxp://33333333h45xwqlf3s3eu4bkd6y6bjswva75ys7j6satex5ctf4pyfad.onion
QQ: 424714982
Telegram: https://t.me/CXL13131
BTC: 1M7JVws3HccTGd14CV3qX21G7gzcJj77UH

Process Names:
svcPrvinit.exe
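
As an added triage example (not GridinSoft’s code or a tool from this post), the following Python checks a constructed file listing and constructed process-creation records against the indicators above: the three extension patterns, the ransom-note file names, the shadow-copy deletion command from the execution flow, and the payload name svcPrvinit.exe, and maps hits to the ATT&CK techniques listed in the post. The record field names (pid, image, cmdline) and all sample paths are assumptions.

```python
"""Triage helper for D0glun indicators.

Added example, not GridinSoft's code: checks a file listing and
process-creation records against the indicators in the post and maps
hits to the ATT&CK techniques it lists. All sample data is constructed.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Extension patterns from the IOC list:
#   name.@D0glun@<ext>   name.<ext>.@d0glun@<ext>   name.<ext>.@zero_d0glun_<ext>
# The original extension is captured so the report can say which file types were hit.
D0GLUN_EXT = re.compile(
    r"\.(?:[a-z0-9]{1,8}\.)?@(?:d0glun@|zero_d0glun_)(?P<orig>[a-z0-9]{1,8})$", re.I
)
# Ransom-note artifacts from the IOC list (help.exe is a weak indicator on its own).
RANSOM_NOTE_NAMES = {"desktopcxl.txt", "help.exe"}
# Shadow-copy deletion from step 6 of the execution flow (ATT&CK T1490).
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
# Payload name reported in the Confluence-linked infection chain.
PAYLOAD_NAME = "svcprvinit.exe"


@dataclass
class Triage:
    encrypted_by_ext: Dict[str, int] = field(default_factory=dict)  # original ext -> count
    ransom_notes: List[str] = field(default_factory=list)
    suspicious_events: List[Tuple[int, str]] = field(default_factory=list)  # (pid, label)
    techniques: Set[str] = field(default_factory=set)

    @property
    def verdict(self) -> str:
        if self.encrypted_by_ext and (self.ransom_notes or self.suspicious_events):
            return "D0glun activity likely"
        if self.encrypted_by_ext or self.suspicious_events:
            return "suspicious, investigate"
        return "no D0glun indicators"


def encrypted_extension(path: str) -> Optional[str]:
    """Return the original extension if the file name carries a D0glun marker."""
    m = D0GLUN_EXT.search(ntpath.basename(path))
    return m.group("orig").lower() if m else None


def is_ransom_note(path: str) -> bool:
    return ntpath.basename(path).lower() in RANSOM_NOTE_NAMES


def classify_event(event: dict) -> Optional[Tuple[str, Optional[str]]]:
    """Return (label, technique) for a process-creation record, or None."""
    cmdline = event.get("cmdline", "")
    image = ntpath.basename(event.get("image", "")).lower()
    if SHADOW_DELETE.search(cmdline):
        return ("shadow copy deletion via vssadmin", "T1490")
    if image == PAYLOAD_NAME or PAYLOAD_NAME in cmdline.lower():
        return ("process named like the D0glun payload svcPrvinit.exe", None)
    return None


def triage(paths: List[str], events: List[dict]) -> Triage:
    result = Triage()
    for path in paths:
        ext = encrypted_extension(path)
        if ext:
            result.encrypted_by_ext[ext] = result.encrypted_by_ext.get(ext, 0) + 1
            result.techniques.add("T1486")  # Data Encrypted for Impact
        elif is_ransom_note(path):
            result.ransom_notes.append(path)
    for event in events:
        hit = classify_event(event)
        if hit:
            result.suspicious_events.append((event.get("pid", -1), hit[0]))
            if hit[1]:
                result.techniques.add(hit[1])
    return result


# Constructed sample data: a partial file listing and process-creation records
# (the field names pid/image/cmdline are an assumption about the log format).
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\report.@D0glun@pdf",
    r"C:\Users\alice\Pictures\holiday.jpg.@d0glun@jpg",
    r"C:\Shares\finance\ledger.db.@zero_d0glun_db",
    r"C:\Users\alice\Desktop\Desktopcxl.txt",
    r"C:\Users\alice\Desktop\help.exe",
    r"C:\Windows\System32\kernel32.dll",  # .dll is on the skip list, stays untouched
]
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 4188, "image": r"C:\Users\Public\svcPrvinit.exe",
     "cmdline": r"C:\Users\Public\svcPrvinit.exe"},
    {"pid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
]

if __name__ == "__main__":
    report = triage(SAMPLE_FILES, SAMPLE_EVENTS)
    print(report.verdict)
    print("encrypted files by original extension:", report.encrypted_by_ext)
    print("ransom notes:", report.ransom_notes)
    print("suspicious processes:", report.suspicious_events)
    print("ATT&CK techniques:", sorted(report.techniques))
```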

Conclusion

D0glun ransomware represents a continuing evolution of the Babuk/Cheng Xilun ransomware lineage with significant technical enhancements. Its emergence in 2025 and recent exploitation of Confluence vulnerabilities demonstrates how threat actors recycle, modify, and improve existing ransomware code to create new threats. The Chinese language elements and possible connection to North Korean actors (based on similar TTPs observed in other campaigns) suggest a complex attribution picture that continues to evolve.

Organizations must maintain strong security postures, implement comprehensive backup strategies, and deploy modern endpoint protection solutions like GridinSoft Anti-Malware to defend against these evolving threats. For additional protection against online threats, consider using the Website Reputation Checker to verify the safety of web resources before access.

Is D0glun ransomware targeting specific industries?

Yes, D0glun primarily targets manufacturing, healthcare, and business services sectors. Most infections have been reported in North America and Europe, but the ransomware has global reach including South America, Africa, and Asia. Organizations in these industries should implement enhanced security measures including offline backups, network segmentation, and advanced endpoint protection. The recent campaign targeting Confluence servers has particularly affected organizations that haven’t patched CVE-2023-22518.

Can files encrypted by D0glun be recovered without paying the ransom?

Currently, no free decryption tool exists for D0glun ransomware. The most reliable recovery method is restoring from clean backups that were disconnected or stored separately from the infected system. Other potential recovery options include checking for Windows Shadow Volume Copies (if not deleted by the ransomware) or previous versions in cloud storage services. Security experts strongly advise against paying the ransom, as payment does not guarantee file recovery and finances criminal operations. The AES-256 encryption with RSA-2048 key protection makes brute-force decryption computationally infeasible.

What is the relationship between D0glun and earlier ransomware variants?

D0glun is directly related to the Babuk and Cheng Xilun ransomware families, following the lineage: Babuk → Cheng Xilun → D0glun. Technical analysis confirms similarities in code structure, encryption methods (AES-256), execution patterns, and ransom note formats. Cheng Xilun first appeared in April 2020, while D0glun emerged in January 2025, suggesting either the return of the original threat actor under a new alias or a different individual with access to the Cheng Xilun codebase. The ransomware has been significantly enhanced with new exploitation techniques, particularly targeting Confluence servers through CVE-2023-22518.

How does D0glun exploit the Confluence vulnerability?

D0glun exploits CVE-2023-22518, an improper authorization vulnerability in Confluence Data Center and Server. This vulnerability allows unauthenticated attackers to reset Confluence and create administrator accounts. Once administrative access is obtained, the attackers execute PowerShell commands to download and run the ransomware payload, typically named “svcPrvinit.exe”, from command and control servers. This attack vector first emerged in early November 2023, just one day after the vulnerability was disclosed, and has been incorporated into D0glun’s arsenal in 2025. Organizations should immediately patch Confluence installations and implement network segmentation to limit potential damage.

Moscovium Ransomware (https://gridinsoft.com/blogs/moscovium-ransomware/), published Wed, 26 Mar 2025 14:17:29 +0000
Moscovium ransomware is a malicious program that locks files on a victim’s computer by encrypting them, then demands a ransom, usually in Bitcoin, to unlock them. In this post, we will take a closer look at this threat, its origin and how to remove it from the system.

Moscovium Ransomware Overview

Moscovium (.m0sC0v1um) ransomware is a type of malware designed to encrypt files on a victim’s computer, rendering them inaccessible until a ransom is paid. This ransomware appends the “.m0sC0v1um” extension to encrypted files, a distinctive marker of its activity. The name “Moscovium” is likely derived from the chemical element named after the Moscow region, suggesting a possible connection to Russian cybercriminal operations.

While there is no clear evidence of this at the time of writing, given the current geopolitical situation and Russia’s propensity to spawn malware, it would come as no surprise. The ransomware’s emergence is noted in recent cybersecurity discussions, with sources indicating that it targets individuals and organizations alike, exploiting the lucrative nature of data encryption for extortion.

The association of this ransomware with Moscow is inferred from the naming convention, aligning with reports of Russian-linked ransomware activities. On the other hand, this could be a very obvious attempt to make everyone think that Moscovium ransomware came from Russia; I have the least faith in that theory.

How Does It Work?

Moscovium ransomware’s infection and operation follow a typical ransomware lifecycle. It primarily spreads through deceptive tactics such as phishing emails, where attackers craft messages that appear legitimate, often impersonating trusted organizations or contacts. These emails contain malicious attachments or links that, when opened, activate the ransomware. Social engineering plays a key role, tricking users into downloading the malware, which can also spread through compromised websites, drive-by downloads, or bundled software from untrustworthy sources.

Once inside the system, Moscovium exploits vulnerabilities in outdated software or operating systems to gain access. It then encrypts files, using a combination of symmetric and asymmetric encryption, appending the “.m0sC0v1um” extension to each file, making them inaccessible. The encryption process targets common file types like documents, photos, and databases, disrupting normal operations. After encryption, it displays the ransom note, demanding payment for the decryption key, thereby causing significant data loss and operational disruption.

Image: Files locked by Moscovium ransomware

Ransom Note Overview

The ransom note for Moscovium ransomware, contained in a file named “!!!DECRYPT_INSTRUCTIONS!!!.txt”, communicates the attackers’ demands directly to the victim. The note states:

== YOUR FILES ARE ENCRYPTED ==
Send 0.1 BTC to: bc1qxy2kgdygjrsqtzq2n0yrf249ndw0w2u5gq4p4g
Email proof to: m0sc0v1um@tutanota.com
== DO NOT ATTEMPT DECRYPTION YOURSELF ==

Image: Moscovium ransomware ransom note

This message informs victims that their files are locked, specifies a ransom of 0.1 Bitcoin (BTC) to be sent to a provided wallet address, and instructs them to email proof of payment to an address hosted on Tutanota, an encrypted email service. The warning against self-decryption suggests that unauthorized attempts could render files permanently unrecoverable, a common scare tactic to pressure compliance.

How to Remove the Virus?

Removing Moscovium ransomware requires a systematic approach to eliminate the malware and prevent further damage. The recommended method is to use a trusted anti-malware solution capable of detecting and removing all components of the ransomware. Specifically, GridinSoft Anti-Malware is an incredibly effective tool for this purpose, capable of identifying and deleting all files, folders, and registry keys associated with Moscovium.


Additionally, users should be cautious with email attachments and links, avoid suspicious downloads, and enable firewall protection. Regular system updates and security patches are essential preventive measures, as highlighted in broader cybersecurity guidance.

Can I Recover Encrypted Files?

Recovering files encrypted by Moscovium ransomware is challenging due to the lack of public decryption tools. As of March 2025, research indicates no known methods exist to decrypt files without the attacker’s key. Paying the ransom does not guarantee file recovery, as attackers may not provide the decryption key, and it supports criminal activities.

The most reliable recovery option is to have regular backups stored on external drives or cloud services, ensuring they are not connected to the infected system during the attack to avoid encryption. If backups are available, restoring files post-removal is feasible. Without backups, the likelihood of recovering files is low, potentially leading to permanent data loss.

Fox Ransomware (https://gridinsoft.com/blogs/fox-ransomware/), published Mon, 03 Mar 2025 19:19:55 +0000
Fox Ransomware is believed to be a variant of the Dharma family, a notorious ransomware lineage that encrypts user files and demands payment for decryption. Files affected by this virus are recognizable by the .FOX extension that the malware appends to every one of them. This malware can severely disrupt personal and organizational data access, and it often targets systems with weak security.

Fox Ransomware Overview

Fox Ransomware is categorized as a member of the Dharma family, a prominent ransomware lineage first noted in 2016. It is known for its evolution into Ransomware-as-a-Service (RaaS) models. This family is notorious for encrypting both local and network-shared files. It also disables system firewalls and deletes Volume Shadow Copies to hinder recovery efforts. Fox, specifically, is designed to lock user files, demanding a ransom for decryption, and can cause significant data loss and financial impact.

The Dharma family’s characteristics include manual installation via RDP exploitation, often targeting small and medium-sized businesses. Its variants, including Fox, are distributed through brute-force attacks on port 3389. This manual distribution method, unlike automated spam emails, highlights the targeted nature of these attacks. It exploits vulnerabilities in remote access protocols to gain unauthorized access.

How Does It Work?

Fox ransomware’s infection vector primarily involves manual intrusion through compromised RDP connections. Attackers scan the internet for computers with open RDP, typically on TCP port 3389, and attempt to brute-force passwords. Once access is gained, the malware is installed and begins encrypting files. It uses a combination of AES-128 and RSA-2048 algorithms, ensuring strong encryption that is nearly impossible to break without the unique decryption key, which is stored on a remote server.

Image: Files locked by Fox ransomware

The encryption process renames files, with Fox appending the .FOX extension. For example, a file named “document.pdf” might be renamed to “document.pdf.FOX”. Fox ensures persistence by copying itself to the %LOCALAPPDATA% directory and registering itself in Windows Registry Run keys. It also gathers location data and may exclude predefined locations from encryption. Because this thorough approach makes encryption slow, the activity is easier to detect while it is in progress; however, by the time it is noticed, significant damage may already be done.

Ransom Note Overview

The ransom note for Fox ransomware is typically named #FOX_README#.rtf and is placed on the desktop, a common tactic within the Dharma family to ensure visibility. The note contains contact emails such as PabFox@protonmail.com, FoxHelp@cock.li, and FoxHelp@tutanota.com. It informs victims that their files are encrypted with AES-128+RSA-2048 and demands payment, usually in Bitcoin, Monero, or other cryptocurrencies.

Image: Fox Ransomware ransom note

The ransom typically ranges from $500 to $1500, though exact amounts are provided via email. The note often sets a deadline and threatens data deletion if payment is not made within the specified period. This approach aligns with the Dharma family’s tactics: ransom notes vary by strain but consistently aim to extort money by leveraging fear and urgency. The use of multiple contact emails suggests a network of operators, potentially affiliates within the RaaS model, which extends the family’s reach and profitability.

How to Remove the Virus?

As with other serious malware, removing Fox Ransomware requires a thorough approach. The first step is to isolate the infected system by disconnecting it from the network or booting Windows into Safe Mode. This prevents lateral movement and further encryption, limiting the ransomware’s spread. Next, use GridinSoft Anti-Malware to detect and remove the threat in one pass and keep it from returning. Download it by clicking the banner below and run a Full scan, so the program checks the system down to its most remote corner.


After the attack, I recommend keeping GridinSoft Anti-Malware on the device with its proactive protection enabled. This ensures an immediate reaction to any suspicious activity on your system. Keep all your software up to date: ransomware actors often use exploits to infect systems and networks, and updates frequently contain fixes for important flaws that you should not miss.

Can I Recover Encrypted .FOX Files?

File recovery for Fox ransomware victims depends on pre-existing measures and post-infection options. Without backups, recovery is challenging, as there are no known public decryption tools for Fox (Dharma) Ransomware. Some antivirus vendors offer decryption tools for specific ransomware families, but these are not guaranteed for Fox.

Paying the ransom is strongly discouraged, as research shows criminals often ignore victims after payment, providing nothing in return and effectively scamming them. Paying does not guarantee file recovery, since the attackers may never hand over the decryption key, and it fuels further criminal activity. Cybersecurity best practice is therefore to avoid funding cybercrime.

The most reliable method is restoring files from backups, provided they are stored securely off-site and not accessible to the malware during infection. Regular backups, maintained on remote servers or unplugged storage devices, are critical, as the malware can encrypt backups if stored locally.

Lucky Ransomware (MedusaLocker) https://gridinsoft.com/blogs/lucky-ransomware-medusalocker/ Wed, 26 Feb 2025 13:05:56 +0000

The post Lucky Ransomware (MedusaLocker) appeared first on Gridinsoft Blog.

Lucky ransomware is a variant of the MedusaLocker Ransomware family that has emerged as a notable concern, particularly given its activity since 2019 and its focus on critical sectors like healthcare. This report provides an extensive summary and recommendations of what you can do if you’ve fallen victim to this ransomware.

Lucky Ransomware Overview

Lucky Ransomware is a variant of the MedusaLocker Ransomware family. This strain has been active since at least September 2019. The family is known for its Ransomware-as-a-Service (RaaS) model, where developers share the malware with other threat actors for a share of the ransom payments. The Lucky variant specifically appends the .lucky777 extension to encrypted files, rendering them inaccessible. This extension is a key identifier, distinguishing it from other MedusaLocker variants that use different extensions.

Screenshot: locked files and ransom note

MedusaLocker, including its Lucky variant, primarily targets the healthcare sector. It exploits vulnerabilities to disrupt operations, especially during critical times like the COVID-19 pandemic. However, its reach extends to other industries, indicating a global impact.

The use of AES and RSA-2048 encryption algorithms is a hallmark of this ransomware. AES provides symmetric encryption for speed, while RSA-2048 offers asymmetric encryption for secure key exchange, making decryption without the key nearly impossible.

Ransom Note Overview

Upon successful encryption, Lucky ransomware drops a ransom note in the form of an HTML file named READ_NOTE.html, typically found on the desktop. This note serves as the communication channel between the victim and the attackers, demanding payment in Bitcoin for the decryption key.

Screenshot: Lucky (MedusaLocker) Ransomware wallpaper

The content includes a personal ID for the victim and contact emails, such as paul_letterman@zohomailcloud.ca and thomas_went@gmx.com. Victims are urged to create a new email on protonmail.com for communication.

The note warns against modifying or renaming encrypted files, as this could corrupt them permanently. It also advises against using third-party decryption tools, which might make the situation worse. The crooks also offer to decrypt 2-3 non-important files for free as proof of their ability to restore data, a common tactic to build trust. Additionally, the note threatens data leakage or sale if the ransom is not paid, adding pressure with a 72-hour deadline before the price increases, which intensifies the urgency for victims.

How Does It Work?

Lucky follows patterns observed in the broader MedusaLocker family. Research suggests it spreads through exploiting vulnerabilities in Remote Desktop Protocol (RDP), a protocol for remote access to Windows systems, often via brute-force attacks on weak passwords. Alternatively, it may infiltrate via malicious email attachments, such as phishing emails with infected files. These emails leverage social engineering to trick users into executing the malware.

Once inside, the malware employs AES and RSA-2048 encryption. AES, or Advanced Encryption Standard, is a symmetric algorithm that encrypts data quickly. Meanwhile, RSA-2048, an asymmetric algorithm, secures the AES key, making brute-force decryption impractical due to its 2048-bit key length. This dual approach ensures files are locked securely, with the .lucky777 extension appended to each, like changing “document.txt” to “document.txt.lucky777.”

MedusaLocker variants, including Lucky, are designed to avoid encrypting executable files (e.g., .exe, .dll) to keep the system functional for ransom payment. They may also use techniques like restarting in Safe Mode to evade security software. The malware scans the network for additional hosts and uses tools like PsExec to spread.

Additionally, it disables backups by deleting shadow copies, ensuring victims cannot easily recover their files without paying the ransom. Recent activity, as of early 2025, shows continued attacks, with a focus on South American countries since mid-2023, doubling victim numbers monthly, indicating an evolving threat landscape.

How to Remove Lucky Ransomware Virus?

Removing the Lucky virus requires careful steps to ensure the malware is eradicated without further damage. The first action is to clean the system, as any files restored later could otherwise be encrypted again by the ransomware. To do this, reboot the computer into Safe Mode with Networking, which loads only minimal drivers and services. This reduces malware interference and increases the chances of successful removal. Follow our guide to switch your computer into Safe Mode and get ready for the next steps.

Once in safe mode, download and run GridinSoft Anti-Malware by clicking the banner below. This tool is designed to detect and remove various malware types, including ransomware. Ensure the software is updated to recognize the latest threats. Perform a Full scan to identify and eliminate the infection.


How to Recover Encrypted Files?

Recovering files encrypted by Lucky ransomware is a complex process. At present, no public decryptor appears to be available. The encryption, using AES and RSA-2048, is robust, and without the attackers’ decryption key, recovery is challenging. Research indicates that paying the ransom is not advised, as there is no guarantee of receiving the decryption key. Additionally, it supports criminal activity, potentially encouraging further attacks on other victims.

The best strategy is to restore files from a backup, ideally stored in multiple locations, such as remote servers or unplugged storage devices. This keeps the backup safe from infection and prevents data loss. If no backup exists, professional data recovery services, such as those specializing in ransomware, may offer solutions, though success is not guaranteed. The No More Ransom Project can be checked for updates on decryption tools, but currently none are available for MedusaLocker.

CipherLocker Ransomware https://gridinsoft.com/blogs/cipherlocker-ransomware/ Sat, 22 Feb 2025 09:46:31 +0000

The post CipherLocker Ransomware appeared first on Gridinsoft Blog.

CipherLocker is yet another malware variant that encrypts user data and demands a ransom. The only difference between this threat and its brethren is the unrealistic greed of its developers, who ask for as much as 1.5 BTC per file. Today I will shed some light on this threat and tell you what it is and how to get rid of it.

CipherLocker Ransomware Overview

CipherLocker is a newly identified ransomware variant that encrypts user data and appends the “.clocker” extension to the affected files. This follows the typical attack pattern: locking victims’ files and demanding a ransom for decryption. While it may seem like a no-name ransomware, it is just as capable as its more established counterparts and can cause just as much trouble.

Screenshot: files locked by CipherLocker

This ransomware has a distribution pattern common for this type of malware. It spreads primarily through infected email attachments, torrents, and malicious advertisements. The attackers behind CipherLocker demand payment in Bitcoin, which is popular among cybercriminals. Based on current analysis, no free decryption tool is available.

Ransom Note Overview

In each folder with locked files, CipherLocker drops its ransom note. This is a text file, typically named “README.txt” or “RECOVERY_INSTRUCTIONS.txt.” The message informs victims that their files have been encrypted and that all potential backup sources, including Windows Shadow Copies and recycle bin contents, have been removed. To regain access to their files, victims are instructed to pay 1.5 BTC (roughly $147,998.37 at the price at the time of writing) to a specified Bitcoin wallet.

The ransom note sets a strict deadline and says that failure to comply will result in permanent data loss. The attackers claim that payment guarantees a safe decryption process, even offering sample file decryption as proof. Victims are provided with an email address (haxcn@proton.me) for further communication. However, there is no certainty that paying will lead to file recovery, as cybercriminals (especially little-known ones) frequently fail to provide decryption keys even after receiving payment.

How Does It Work?

CipherLocker operates using a multi-stage infection process. Once executed on a system, it immediately scans for user files and encrypts them with a strong encryption algorithm, adding the “.clocker” extension. This makes the files inaccessible without the corresponding decryption key, which only the attackers possess. Some ransomware encrypts only part of each file; whether this particular sample does so has not been determined.

CipherLocker also deletes Windows Volume Shadow Copies, disables System Restore points, and wipes backups stored on the machine. This ensures that users cannot recover their data through standard recovery methods. Security researchers have identified that the ransomware uses Telegram as an intermediary command-and-control (C2) channel.

How to Remove Virus?

The first and most critical step in dealing with CipherLocker is to remove the ransomware from the system. This will prevent further encryption of new or recovered files. Before attempting file recovery, users should boot their computers into Safe Mode with Networking to prevent the ransomware from actively running. But before that, download and install GridinSoft Anti-Malware by clicking the banner you see below.


Once in Safe Mode, run a Full scan with GridinSoft Anti-Malware. This searches the system down to the most remote config files, guaranteeing the removal of the CipherLocker virus. Additionally, users should always have proactive security measures in place to prevent such infections in the future. A regularly updated anti-malware solution can block ransomware before it executes, minimizing damage.

Can I Recover Encrypted Files?

Unfortunately, there is no publicly available decryption tool for CipherLocker, meaning that recovering files without the attackers’ decryption key is not feasible. However, paying the ransom is strongly discouraged, as there is no guarantee that victims will receive working decryption software after payment. Supporting cybercriminals financially also fuels further attacks against others.

Instead, users should focus on prevention and best security practices. Since CipherLocker spreads primarily through pirated software and phishing campaigns, avoiding unverified downloads and suspicious email attachments is crucial. Regularly backing up important files to an offline or cloud-based storage system ensures that even if ransomware strikes, data loss is minimized. For those without backups, forensic data recovery specialists may be able to assist in some cases, but success is not guaranteed.

FXLocker Ransomware https://gridinsoft.com/blogs/fxlocker-ransomware/ Thu, 20 Feb 2025 10:19:29 +0000

The post FXLocker Ransomware appeared first on Gridinsoft Blog.

FXLocker is a ransomware-type malware. It appears to target large organizations, or may still be in open testing. In this post, I will explain what this threat is and what to do if you fall victim to it.

FXLocker Ransomware Overview

FXLocker is a newly identified ransomware variant that follows the typical modus operandi of file-encrypting malware. It targets user files, encrypting them with a strong cryptographic algorithm, and appends the “.fxlocker” extension to the affected files. Victims are then presented with a ransom demand, instructing them to pay a hefty sum in Bitcoin to recover their data. The ransom note appears both in a pop-up window and a text file named “README.txt.”

Interestingly, FXLocker’s ransom demand is set at 0.75892 BTC – equivalent to around $95,000 at the time of analysis. This figure is unusually high for ransomware that could potentially affect individual users. This suggests that the malware might either be misconfigured (which is unlikely) or intended to attack corporations. Moreover, the ransom note lacks a valid Bitcoin wallet address, which raises questions about whether the ransomware is still in a testing phase or if the attackers are handling payment collection manually.

Detailed Analysis

FXLocker operates through a straightforward but highly effective infection chain. Once executed, it scans the victim’s system for files to encrypt, applying the “.fxlocker” extension to each one. The encryption algorithm used is robust, making decryption without the attackers’ key practically impossible. Like many modern ransomware strains, FXLocker ensures that victims cannot access their data without intervention from the perpetrators.

Screenshot: files locked by FXLocker

The ransom note explicitly warns against renaming or modifying encrypted files, as this could prevent decryption. Additionally, it cautions victims against closing the pop-up or rebooting their system. This suggests that the malware might incorporate persistence mechanisms or secondary payloads designed to corrupt data upon system restart.

In terms of detection, major antivirus vendors have flagged FXLocker under various names, such as “Trojan:Win32/Wacatac.B!ml” (Microsoft). The inclusion of “Python” in some detections indicates that the ransomware is likely written in Python. This aligns with a growing trend where cybercriminals leverage easy-to-deploy scripting languages to develop ransomware.

Ransom Note Overview

The ransom note delivered by FXLocker is both typical and concerning. It explicitly states that all files have been encrypted and demands 0.75892 BTC for decryption. The note provides two contact emails (haxcn@proton.me and wikicn@proton.me) for victims to reach out to the attackers. Additionally, it includes a “Reference ID” that victims are instructed to mention in their correspondence.

Screenshot: FXLocker ransom note

What makes this ransom note uncommon is the absence of a valid Bitcoin wallet address. Typically, ransomware groups include a hardcoded wallet address to streamline payments. However, FXLocker requires victims to contact them first. This suggests that the ransomware operators might be handling payments on a case-by-case basis, possibly negotiating ransom amounts based on the victim’s profile.

The note also doubles down on psychological pressure, warning that failure to comply within the deadline will result in “permanent data loss.” While this is a common tactic used by ransomware operators, the repetition of this threat in the note hints at a less professional approach compared to more established ransomware gangs.

How to Remove FXLocker Virus?

The first step should be removing FXLocker from the system entirely. As long as the ransomware remains active, any newly created or recovered files risk being re-encrypted. The best approach is to disconnect the infected system from the internet and run a full system scan using reputable antivirus software. Booting into Safe Mode with Networking and using GridinSoft Anti-Malware can also help in identifying and removing the malicious payload. Download it by clicking the banner below and run a Full Scan to check the system down to the most remote areas, so the malware will be gone for good.


While manual removal might be possible for some threats, FXLocker employs multiple persistence mechanisms. This makes complete eradication difficult without professional tools. Therefore, using security software is strongly recommended to prevent further damage.

How to Recover FXLocker Files?

Unfortunately, at the time of writing, no publicly available decryption tool exists for FXLocker. The encryption algorithm is strong, meaning brute-force decryption is not a feasible option. Unless a flaw is discovered in the ransomware’s implementation, recovering files without the attackers’ key remains impossible.

Despite this, I strongly discourage paying the ransom. Firstly, there is no guarantee that the cybercriminals will provide the necessary decryption key even after receiving payment. Additionally, paying the ransom only fuels further attacks, encouraging criminals to continue their operations.

The best way to restore files is from a backup. If an unaffected backup is available, users should format their systems, reinstall the operating system, and restore data from the backup. If no backup exists, data recovery software might offer limited help, but its effectiveness is uncertain. Moving forward, a robust backup strategy, storing copies of critical files on external or cloud-based systems, remains the best defense against ransomware attacks.

Cloak Ransomware https://gridinsoft.com/blogs/cloak-ransomware/ Thu, 13 Feb 2025 09:28:45 +0000

The post Cloak Ransomware appeared first on Gridinsoft Blog.

Cloak ransomware is malware that encrypts user data and demands a ransom. While some ransomware targets giant corporations, this particular strain mostly targets small and medium-sized businesses in Europe. In this post, I will discuss the threat in more detail, show how to remove the malware, and explain the ways to recover encrypted files.

Cloak Ransomware Overview

Cloak is a highly sophisticated ransomware strain designed to encrypt user files and demand ransom for decryption. It primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has also expanded its operations to countries in Asia. It targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.

Once executed, it systematically scans the system for files to encrypt, appends a “.crYpt” extension to them, and leaves a ransom note titled “readme_for_unlock.txt.” This note provides instructions for victims on how to regain access to their files by purchasing a decryption tool.

Screenshot: files locked by Cloak ransomware

A notable aspect of Cloak ransomware is its association with a Darknet data leak site. This suggests that the group also engages in double extortion. While the ransom note does not explicitly mention data theft, the presence of a leak site indicates that stolen data could be exposed if the ransom is not paid. Additionally, this ransomware employs evasion tactics to disable security tools. It also removes backups, further complicating recovery efforts.

Ransom Note Overview

The ransom note, “readme_for_unlock.txt,” informs victims that their files have been encrypted and that decryption is only possible by purchasing a tool from the attackers. The exact ransom amount is not specified in the note, but must be paid in Bitcoin. Victims are given the option to decrypt two small files for free as proof that decryption is possible.

Screenshot: Cloak ransom note

The note also warns against seeking help from cybersecurity experts or law enforcement, claiming that doing so will result in permanent data loss. This is a common intimidation tactic used to dissuade victims from attempting alternative recovery methods. Additionally, the note provides a link to a Tor-based contact page.

How Does It Work?

Cloak ransomware follows a structured process to maximize damage. Based on the analysis, this ransomware is derived from the leaked Babuk source code. It starts by identifying and queuing files for encryption, specifically avoiding system-critical folders like “Windows” and “ProgramData.”

The ransomware supports two encryption modes: full encryption for smaller files and intermittent encryption for larger ones. This selective encryption approach increases efficiency while ensuring that files remain unusable without the correct decryption key.

The encryption process relies on a combination of Curve25519 for key exchange and HC-128 for encrypting file contents. Cloak generates a unique 32-byte private key for each infection, derives a public key using Curve25519_donna, and then creates a shared key to encrypt files. Encrypted files have a 0x48-byte footer structure appended to them, storing cryptographic details essential for decryption.

To enforce persistence, Cloak modifies the system registry, ensuring that it runs on every startup. It also deletes volume shadow copies to prevent file recovery. Additionally, it modifies system policies to block users from logging out, shutting down, or accessing the Task Manager. Furthermore, the ransomware sets a custom wallpaper displaying the ransom demand, adding psychological pressure to the victim.

How to Remove Cloak Ransomware?

First of all, it is crucial to eliminate Cloak ransomware from the system. As long as the malware remains active, any newly created or restored files may be re-encrypted. The best approach is to disconnect the infected system from the internet and boot into Safe Mode. From there, running a full system scan with GridinSoft Anti-Malware can detect and remove the ransomware.


Manual removal is not recommended, as Cloak modifies system settings and registry keys. Additionally, after removal, users should restore their systems from a clean offline backup if available. Ensuring that all security updates are installed and using strong, updated passwords can help prevent reinfection.

Can I Recover Files?

Unfortunately, decryption without the attacker’s private key is virtually impossible due to the strong cryptographic algorithms used by Cloak. While paying the ransom might seem like an option, I would strongly advise you not to do this. Many victims who pay never receive the promised decryption key, and funding cybercriminals only encourages further attacks.

If a backup exists on an external device or in cloud storage, or copies of files survive in messenger conversations, files can be restored from there. While this does not guarantee a full recovery, you will likely be able to get back at least some files. Having 30% of your files recovered is far better than having none at all.

For users without backups, there may be a slim chance of recovery if security researchers discover a flaw in Cloak’s encryption implementation. Regularly checking cybersecurity forums and trusted security researchers’ websites may provide updates on potential decryption solutions.

As I said at the beginning, this group steals files before encrypting them. If the ransom is not paid, the attackers publish the files on their Data Leak Site, so users may be able to retrieve their own files from there for free. Meanwhile, practicing safe browsing habits and avoiding suspicious email attachments can help prevent future infections.

Nnice Ransomware https://gridinsoft.com/blogs/nnice-ransomware/ Thu, 16 Jan 2025 16:27:01 +0000

The post Nnice Ransomware appeared first on Gridinsoft Blog.

Nnice ransomware is a malware strain that aims at encrypting user files and demanding ransom payment for their decryption. Detected on January 14, 2025, it presumably targets individuals and small businesses. Upon the encryption, it changes file extensions by adding the .nnice extension to the end, i.e. file.txt becomes file.txt.nnice, picture.jpeg – picture.jpeg.nnice, and so on.

On top of changes to the files, the malware changes desktop wallpaper and spawns a ransom note that contains the details about how to pay the money and contact the hacker afterwards. It also opens the ransom note to the full screen so the user won’t miss or ignore it.

Screenshot: example of files encrypted by Nnice ransomware

Ransom Note Overview

The ransom note of Nnice ransomware is exceptionally short, consisting of only one sentence and a contact email address, maxfromhim@gmail.com. All it says is that all the files were encrypted and that it is impossible to get them back “without the special file”. It is unclear what special file this refers to, as decryption typically requires a special tool.

Screenshot: ransom note of the Nnice virus

The same information is present on the wallpaper that the malware sets after finishing the encryption. It differs only in wording and in the promise to give the files back. There is no mention of a specific sum the hacker demands, meaning that it is up for negotiation.

I strongly advise you against paying anything to the fraudsters. There is no guarantee that they will give you the decryptor tool rather than simply ignore you or ask for an even bigger sum for some unrelated reason. Also, by paying the ransom, you in fact fund further malicious activity, so the attacks will happen more and more often.

Nnice Ransomware Analysis

The technical side of Nnice ransomware is worth your attention, as it gives important hints on what you need to do after the attack. It is based on Chaos ransomware, a malware strain that comes with a special builder app, which simplifies modifying the behavior and features of the virus.

There was another sample of Chaos-based malware called AlienWare ransomware, which we covered in a separate article. Consider checking that out to learn more about this kind of threat.

Upon execution, Nnice ransomware checks system location and some of the configurations to ensure it is not running on a virtual machine. Then, it disables Volume Shadow Copies, a built-in backup system that could have helped the user with reverting the system state to pre-encryption.

For the encryption, it uses AES/RSA encryption algorithms, and applies encryption only to files smaller than 2 megabytes. This helps a lot when it comes to file decryption, I will explain why later in this article. After finishing the encryption, it modifies the registry key to change the wallpaper, and opens its ransom note in the Notepad app.

Screenshot: Nnice ransomware desktop wallpaper on the encrypted system

One important and worrying detail of the ransomware is the data stealing module built into it. Following the encryption process, it accesses user credentials stored in browser files. This is a tactic typical for spyware and infostealers: they dump logins and passwords into a separate text file and send it to the command server.

How to Remove Nnice Virus?

A step I strongly recommend before proceeding with data recovery is to remove the malware. Even after the encryption has finished, the ransomware remains active and will encrypt any recovered files that appear on the system.

To remove Nnice ransomware, I recommend using GridinSoft Anti-Malware. Its multi-component detection system will find even the most modern malware samples, no matter how well they hide in the system. Download it by clicking the banner below and run a Full scan, to check the most remote areas of your computer.


After the removal, I recommend resetting all the passwords you have used on the attacked system. This will ensure that the hacker no longer has access to your online accounts.

How to Recover the Files?

The encryption algorithm used by this ransomware is quite strong, so brute forcing the decryption key is a futile idea. Yet the way the malware handles the encryption allows for a trick to circumvent the decryption entirely and get the files back for free.

Files over 2 megabytes are not encrypted. Any media files (photos, videos, music) are likely left untouched; the malware does this to save processing time and avoid attracting too much attention to its activity. Thus, all you have to do to access them is delete the .nnice extension at the end. After that, you should be able to open the files as usual.

For smaller files, unfortunately, this simple workaround is not available. You can try searching for unencrypted copies of the files in cloud backups, messenger conversations, emails and so on. It is also possible that law enforcement arrests the hackers and retrieves the decryption keys, or that malware analysts develop a working decryptor that restores the files for free.

The post Nnice Ransomware appeared first on Gridinsoft Blog.

Contacto Ransomware
https://gridinsoft.com/blogs/contacto-ransomware/ (published Wed, 08 Jan 2025 13:47:43 +0000)
Contacto virus is a newly identified ransomware strain that encrypts victims’ files and demands a ransom for their decryption. We identified this sample on January 7, 2025, and made a comprehensive analysis of the threat.

One hallmark of Contacto is its tendency to modify the system wallpaper, replacing it with a black background displaying a message in white letters: “All your files are stolen and encrypted. Find Contacto_Help.txt and follow the instructions”.

As usual for malware of this type, the ransomware appends its own .Contacto extension to encrypted files. As a result, a file named report.docx, for example, becomes report.docx.Contacto. These visual and structural changes make it immediately clear to victims that their system has been compromised.

Ransom Note Overview and Analysis

The Contacto_Help.txt file mentioned on the altered wallpaper is the ransom note. It appears on the desktop and in other folders that the ransomware considers important. Inside this note, there is some basic information, threats of data loss if the victim tries other ways of decryption, and contact information.

Contacto ransomware note

To contact the hackers, the victim is told to email two addresses: contacto@mailum.com and helpfile@generalmail.net. Both are specific to this malware, i.e. no other ransomware strain has used these addresses. This makes it harder to establish connections with currently active malware samples and hacker groups.

We suspect it may be similar to another recent ransomware sample, namely RDPLocker ransomware. Go check out our dedicated article about it.

One of the important parts of the message is the victim ID, listed at the very top. This ID is unique to the system and has a corresponding decryption key stored on the cybercriminals' servers.

To prove that they have a working decryption tool, the hackers offer to decrypt one file the victim sends them. It should be less than 1 megabyte in size and free of any sensitive content. This trick aims to make the victim more confident about paying for decryption, though it still does not guarantee anything.

I strongly recommend against paying the ransom. Paying stimulates further activity by cybercriminal actors, so their attacks will happen more and more often. Also, you may not need to pay in the first place: there are ways to recover the files, which I describe later in this article.

Contacto Ransomware Virus Overview

Contacto ransomware virus is built with heavy obfuscation techniques, making static analysis challenging and allowing it to bypass basic antivirus solutions. It also checks the system environment to avoid detection in virtual machines or debugging setups.

Contacto files
Files encrypted by Contacto ransomware

If the checks pass, the ransomware executes its payload, starting by disabling system protection mechanisms, including Microsoft Defender. It also stops built-in backup mechanisms such as Volume Shadow Copy, so the user cannot use them to revert the system to its pre-attack state.

To avoid early detection, it creates a duplicate of itself in the ProgramData folder. This also keeps the file out of the user's sight, so it cannot be found and deleted without additional tweaking. Once this duplicate is ready, the malware deletes the original file and sets up several persistence mechanisms (registry keys, Task Scheduler entries) that launch the new copy at system startup.

Then the malware starts file encryption. It uses a strong cipher, which makes brute-force decryption impossible. Once the encryption is over, it initiates a system reboot, which also changes the desktop wallpaper; since the reboot happens without any notification, the user may lose unsaved work and data. But that is not the biggest concern during a ransomware attack.
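A defender-side triage that follows from the persistence behaviour described above: parse the output of `reg query` for the Run keys and of `schtasks /query /fo csv /v`, and flag any startup entry or scheduled task whose executable lives under C:\ProgramData, the location the analysis names. This is an added example, not code from Gridinsoft or from the malware analysis; the registry values, task names and paths in it are constructed, and the CSV sample keeps only a handful of the columns schtasks really prints (the "Task To Run" column is the one that matters).

```python
"""Triage Windows startup entries that launch from C:\\ProgramData (added example)."""
import csv
import io
import re
from typing import Dict, List

# Constructed sample of `reg query HKCU\...\Run` / `reg query HKLM\...\Run` output.
# The "Updater" entry models a copy dropped in ProgramData and launched at startup.
# All names and paths are invented for this example, not real indicators.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\ProgramData\Updater\update.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Constructed, column-trimmed sample of `schtasks /query /fo csv /v` output.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c -h -o -$"
"WS01","\Updater","Ready","C:\ProgramData\Updater\update.exe"
'''

# Prefixes that a legitimate startup entry rarely launches from (assumption of this example).
WATCHED_PREFIXES = (r"c:\programdata", "%programdata%")

# reg query prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")


def launch_path(command: str) -> str:
    """Return the executable part of a Run-key value or a task action."""
    command = command.strip()
    if command.startswith('"'):                       # quoted path, arguments follow the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)(\s|$)", command, re.IGNORECASE)  # unquoted: cut after the first .exe
    return m.group(1) if m else command.split(" ", 1)[0]


def is_watched(path: str) -> bool:
    """True when the executable sits in one of the watched locations."""
    return path.lower().startswith(WATCHED_PREFIXES)


def triage_run_keys(reg_output: str) -> List[Dict[str, str]]:
    """Walk reg query text, remembering the current key, and report suspicious values."""
    findings, current_key = [], ""
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and is_watched(launch_path(m.group("data"))):
            findings.append({"source": current_key, "name": m.group("name"),
                             "path": launch_path(m.group("data"))})
    return findings


def triage_scheduled_tasks(csv_text: str) -> List[Dict[str, str]]:
    """Same check over the 'Task To Run' column of schtasks CSV output."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = launch_path(row.get("Task To Run", ""))
        if is_watched(path):
            findings.append({"source": "schtasks", "name": row["TaskName"], "path": path})
    return findings


if __name__ == "__main__":
    for f in triage_run_keys(SAMPLE_REG_QUERY_OUTPUT) + triage_scheduled_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{f['source']}: {f['name']} -> {f['path']}")
```

On a real host, feed the functions the captured text of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` (and the HKLM equivalent) and of `schtasks /query /fo csv /v`; a hit is a starting point for inspection, not proof of infection, since some legitimate installers also place updaters under ProgramData.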

Contacto ransomware wallpaper
Desktop of the system encrypted by Contacto ransomware

How to Remove Contacto Ransomware [Important]

Before attempting any file recovery, it is vital to remove the ransomware to prevent further encryption. Contacto remains active even after finishing the encryption and keeps targeting new or restored files.

GridinSoft Anti-Malware has you covered against active ransomware threats. With its advanced detection modules, it can effectively eliminate Contacto, no matter how well hidden it is. Follow the guide below and opt for a Full Scan; this will check the entire system, down to the most remote files and configurations.

GridinSoft Anti-Malware main screen

Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.

After the scan, you will see the list of detected malicious and unwanted elements. You can adjust the action the antimalware program takes on each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection: malware type, effects and the potential source of infection.

Scan results screen

Click "Clean Now" to start the removal process. Important: the removal may take several minutes when there are many detections. Do not interrupt this process, and you will get your system as clean as new.

Removal finished

Recover .Contacto Files for Free

Although Contacto’s encryption algorithm is robust, it is still possible to recover your files. The methods I’ve picked are free and may only require your time and patience to execute properly.

Large Files Are Ignored. To speed up its operations, Contacto often skips encrypting files over 500 MB. Files such as large videos, archives (e.g., ZIP, RAR, 7z) and some Office documents may only have their extension altered, with no real encryption applied. Simply removing the ransomware extension restores such files.

File Recovery Tools. Depending on how Contacto handles files during encryption, recovery tools may be able to restore them to their original state. Choose a recovery tool capable of handling a broad range of file formats to maximize the chances of success.

Online Backups and Cloud Storage. Even though a lot of people dislike automatic backups, they may actually be useful in this case. Check any places you may have uploaded files to before the attack; even conversations in messengers and social media may contain the files you need. And in future, I'd advise you to make backups on a monthly basis; this will make you resilient against any malware or hardware failure.
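The "large files are ignored" recovery step above, and the same 2 MB trick described for Nnice earlier on this page, both come down to renaming files that the encryptor skipped. Doing that blindly is risky: a file over the cut-off may still be ciphertext if the size rule was applied differently than expected, and renaming it destroys nothing but wastes time and hides the fact that it is still encrypted. The added example below (not code from Gridinsoft; the header table, the entropy cut-off and the demo files are this example's own assumptions) only strips the extension when the file is above the size cut-off stated for the family and its first bytes either carry a known format header or show the low entropy typical of unencrypted data, and it never overwrites an existing file.

```python
"""Strip a ransomware extension from files the encryptor skipped, with a content sanity check (added example)."""
import math
import os
import sys
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List, Tuple

# Size cut-offs stated in the articles: Nnice skips files over 2 MB, Contacto over 500 MB.
FAMILIES = {".nnice": 2 * 1024 * 1024, ".Contacto": 500 * 1024 * 1024}

# Leading bytes of formats that commonly exceed the cut-off; ciphertext never starts with these.
MAGIC = {b"\xFF\xD8\xFF": "JPEG", b"\x89PNG\r\n\x1a\n": "PNG", b"PK\x03\x04": "ZIP/Office",
         b"Rar!\x1a\x07": "RAR", b"7z\xBC\xAF\x27\x1C": "7z", b"%PDF": "PDF", b"ID3": "MP3"}
ENTROPY_CUTOFF = 7.5  # bits per byte; ciphertext sits close to 8.0 (assumption of this example)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_unencrypted(head: bytes) -> Tuple[bool, str]:
    """Decide from the first bytes whether a file is plaintext (True) or ciphertext-like."""
    for sig, name in MAGIC.items():
        if head.startswith(sig):
            return True, f"{name} header"
    if head[4:8] == b"ftyp":                       # MP4/MOV carry an 'ftyp' box at offset 4
        return True, "MP4/MOV header"
    ent = shannon_entropy(head)
    if ent < ENTROPY_CUTOFF:
        return True, f"low entropy ({ent:.2f} bits/byte)"
    return False, f"high entropy ({ent:.2f} bits/byte) and no known header"


def recover_skipped_files(root: str, ext: str, threshold: int, dry_run: bool = True) -> List[Dict[str, str]]:
    """Rename *<ext> files above the size cut-off back to their original name when they look unencrypted."""
    results = []
    for path in sorted(Path(root).rglob(f"*{ext}")):
        if not path.is_file():
            continue
        size = path.stat().st_size
        if size <= threshold:                      # inside the range the malware really encrypts
            results.append({"file": path.name, "action": "skip", "reason": f"{size} bytes, inside the encrypted size range"})
            continue
        with path.open("rb") as fh:
            ok, why = looks_unencrypted(fh.read(4096))
        target = path.with_name(path.name[:-len(ext)])
        if not ok:
            results.append({"file": path.name, "action": "skip", "reason": why})
        elif target.exists():                      # never clobber a file that is already there
            results.append({"file": path.name, "action": "skip", "reason": "original name already exists"})
        else:
            if not dry_run:
                path.rename(target)
            results.append({"file": path.name, "action": "would rename" if dry_run else "renamed", "reason": why})
    return results


def run_demo(dry_run: bool = True) -> Dict[str, object]:
    """Build constructed .nnice files in a temp dir and run the recovery over them."""
    with tempfile.TemporaryDirectory() as tmp:
        files = {
            "photo.jpg.nnice": b"\xFF\xD8\xFF" + b"\x00" * 5000,  # skipped by the malware, JPEG header intact
            "server.log.nnice": b"2025-01-07 ok\n" * 600,         # skipped, plain text
            "notes.docx.nnice": os.urandom(1000),                  # small: genuinely encrypted
            "vault.bin.nnice": os.urandom(8192),                   # big but ciphertext-like: leave alone
        }
        for name, content in files.items():
            Path(tmp, name).write_bytes(content)
        # A 4 KiB cut-off stands in for the real 2 MB so the demo stays small.
        results = recover_skipped_files(tmp, ".nnice", 4096, dry_run=dry_run)
        return {"results": results, "remaining": sorted(p.name for p in Path(tmp).iterdir())}


if __name__ == "__main__":
    # usage: python recover.py <directory> <.nnice|.Contacto> [--apply]; no arguments runs the demo
    if len(sys.argv) >= 3 and sys.argv[2] in FAMILIES:
        rows = recover_skipped_files(sys.argv[1], sys.argv[2], FAMILIES[sys.argv[2]], dry_run="--apply" not in sys.argv)
    else:
        rows = run_demo()["results"]
    for r in rows:
        print(f"{r['action']:12} {r['file']}: {r['reason']}")
```

Run it without `--apply` first and read the list: anything reported as "high entropy and no known header" above the cut-off is a file whose content should be inspected by hand rather than renamed, and a false "low entropy" verdict is only possible for files that are not ciphertext, so the check errs on the safe side.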

The post Contacto Ransomware appeared first on Gridinsoft Blog.
