Bam! Ransomware

This ransomware stealthily infiltrates systems and encrypts various data. During encryption, this malware appends the “.bam!” extension to the name of each file (for example, “sample.jpg” is renamed to “sample.jpg.bam!”). Following successful encryption, Bam! changes the desktop wallpaper.

The new wallpaper contains a message that details the encryption and encourages users to buy decryption software. It is currently unknown whether Bam! uses symmetric or asymmetric cryptography, however, in any case, file decryption requires a unique key. This key is stored on a remote server controlled by cyber criminals. Users are encouraged to pay a ransom in exchange for a decryption tool with the key embedded within. To receive this, victims must supposedly contact cyber criminals via one of the email addresses provided.

bam-ransomware_en

The infection process of Bam! Ransomware virus begins with a simple click by the victim. This click can be on a file that is uploaded online, such as:
1. Fake installers of a program you may have sought for to download for free (media player, torrent downloader client, etc.)
2. Fake license activators or key generators that instead of activating a program, cause the infection.
3. In addition to this, the ransomware virus may be spread via what is known as mailspam or malicious e-mail spam. Such messages are often sent to victims under the pretext they are an important invoice, receipt from the bank or notification of suspicious bank activity. These e-mails may contain either an e-mail attachment that is actually the infection file.

Targeted files can be dropped in these locations with different names , usually common windows services:
%AppData% notepad.exe
%Temp% setup.exe
%Roaming% svchost.exe
%Common% update.exe
%System32% software-update.exe
%{userprofile}% random-alphanumeric.exe or some valid application name

It may also delete system backup and disable system recovery.

The .bam! file virus aims to attack only specific files on the infected computer, more importantly:

Archives.
Videos.
Audio files.
Virtual Drives.
Pictures.

Max Secure software has just launched cyrptomonitor tool which can completely prevent any cryptoransomware infecting your c and encrypting data. Get it from here Max Total Security

Scorpio ransomware

Scorpio Encrypts the files on the compromised computer asking it’s owner to pay in BitCoin in order to get them back. The files encrypted with the .scorpio file extension added after them. The ransom note remains the same as with the .scarab file virus.

Distribution Method: Spam Emails, Email Attachments, Executable files

Scorpio Ransomware marks the files encrypted by the attack adding a specific extension to the end of each file’s name. The Scorpio Ransomware also will encrypt the affected files’ names, replacing them with what appears to be a string of random characters. The

Scorpio Ransomware’s ransom note is contained in a text file with the following name: ‘IF_YOU_WANT_TO_GET_ALL_YOUR_FILES_BACK_PLEASE_READ_THIS.TXT.’ The full text of the Scorpio Ransomware ransom note reads:
——————————————————————————————————————-
‘*** IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS ***
Your files are now encrypted!
—–BEGIN PERSONAL IDENTIFIER—–
**************************************
—–END PERSONAL IDENTIFIER—–
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: qa458@yandex.ru
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 5Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins?
* The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click
‘Buy bitcoins’, and select the seller by payment method and price:
hxxps://localbitcoins.com/buy_bitcoins
* Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins
Attention!
* Do not rename encrypted files.
* Do not try to decrypt your data using third party software, it may cause permanent data loss.
* Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’
——————————————————————————————————————-

We do not recommend you to follow cybercriminals’ instructions because they do not provide any guarantees to you, besides, think about the consequences – paying the ransom simply allows criminals to fund their further illegal projects. Unfortunately, the files affected by the Scorpio Ransomware attack are not recoverable. Your best bet is to recover all of your files using Max Total Security Backup/Restore tool if you had this software installed on your PC, IF you did not , it is never late to start using it now and have a total peace of mind.

Reyptson ransomware

Reyptson virus operates as crypto-threat capable of encrypting data with the AES cipher. After the process, the malware appends .REYPTSON file extension to the data. Since the virus is written in the Spanish users, the malware targets users of this country.

Furthermore, recent analysis has revealed the threat’s tendency to hack victims’ Thunderbird contact list and plague its contacts with fraudulent invoices messages. Now it clearly prefers Spanish users. They are expected to receive the biggest share of such emails. The pop-up and text file contain a ransom-demand message in Spanish stating that files are encrypted using the AES-128 algorithm and that victims must pay a ransom to restore them.

reyptson

Reyptson includes the ability to distribute itself through a spam email campaign conducted from the victim’s computer. It does this by checking if the Thunderbird email client is installed, and if it is, it will attempt to read the victim’s email credentials and contact list. If it is able to retrieve the contacts and credentials, it will begin a spam campaign to send out fake invoices to the victim’s contact list. These spam emails will have a subject line of Folcan S.L. Facturación and will contain a fake invoice. This invoice is written in Spanish and tells the recipient to click on a link to download an invoice. When the recipient clicks on the link, it will download a file called factura.pdf.rar, which contains an executable. This executable will infect the user with the ransomware when it is opened.

Hashes:
SHA256: e6d549543863cd3eb7d92436739a66da4b2cc1a9d40267c4bb2b2fa50bf42f41

Network Communication:
http://www.melvinmusicals.com/facefiles/
http://37z2akkbd3vqphw5.onion/?usuario=[user_id]&pass=[password]
http://37z2akkbd3vqphw5.onion.link/?usuario=[user_id]&pass=[password]

Files associated with the Reyptson Ransomware:
%AppData%\Spotify\
%AppData%\Spotify\SpotifyWebHelper\
%AppData%\Spotify\SpotifyWebHelper\dat
%AppData%\Spotify\SpotifyWebHelper\fin
%AppData%\Spotify\SpotifyWebHelper\Reyptson.pdf
%AppData%\Spotify\SpotifyWebHelper\Spotify.vbs
%AppData%\Spotify\SpotifyWebHelper\SpotifyWebHelper.exe

Registry Entries associated with the Reyptson Ransomware:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Spotify Web Helper v1.0 %AppData%\Spotify\SpotifyWebHelper\Spotify.vbs

At this time there is no way to decrypt files encrypted by Reyptson, but if you have been using Max Total Security then you can restore your files from the back up. Very soon Max Total Security is launching a totla protection tool from any ransomware.

Random6 Ransomware

Random6 Ransomware virus can alter your system security through Spam Emails, Browser Redirects, Bundled Installers and Malware Downloader. Random6 Ransomware virus will first lock down all your files with . Then after, it will leave a ransom note on your computer in TEXT or HTML format to describe about the decryption method. It will also replace the desktop background with a ransom image. It can also disable your anti-virus to make you helpless. It can block your Firewall security and make your system an easy target for other threats. It will force you to pay ransom money to rescue your files.

the Random6 Ransomware is programmed to alter not only the file’s structure but its name as well. The encoded files are recognized easily by the base64 encoded string and six random characters as a file extension. The cyber parasite is reported to target images, text, eBooks, PDFs, databases, and work-related files, which may be of great importance to the user. The Random6 Ransomware may run as [random 9-chars].exe in the Task Manager and change the desktop background of the compromised system. Due to the fact that users find unique extensions appended to the encoded files, the format of the ransom notification is a bit different as well. The Trojan is programmed to delete its traces after the encoding process is completed and it leaves the ransom request on the user’s desktop as ‘RESTORE-.[random 6-char ext]-FILES.txt.’ The file offers the following text:

‘Your files are Encrypted!
For decryption send letter on email filesrestore@tutanota.com in letter attach your Personal ID.
If email don’t works, register here: http://bitmsg.me, send letter to BM-NBazWh9xNVf2SgmvLv8pc3Uc9CCXtXMu
With your Personal ID and email for contacts.
After you send payment to given BTC adress in answer, you will get your files restored.
Your Personal ID:
[128 RANDOM CHARACTERS]’

To prevent ransomware-type infections, be very cautious when browsing the Internet. Never open files received from suspicious emails, download software from unofficial sources, or use third party tools to update installed software. In addition, use a legitimate anti-virus/anti-spyware suite.

At this time the only option is to restore your files from the back up . Use Max Total Security to protect your PC and easily back and Restore your files. Get 24×7 complimentary support if you have any issues due to malware.