Matrix ransomware returns with more vengeance than ever

Unexpectedly, October turned out to be a rather busy month for ransomware specialists. The high point of the month was definitely the fuss triggered by the Bad Rabbit ransomware infection.

However, right about the time the situation settled down a bit and some of the victims began to hope they could decrypt at least part of their documents, a crypto-malware decided to return.

It is called Matrix ransomware and it took its first steps back in 2016. At that time, however, security researchers did not pay much attention to this threat.


Why? The crypto-malware was distributed passively and researchers saw no urgent reason to investigate it any further. This mistake came back to bite cyber security specialists in April 2017, when the Matrix virus managed to employ the RIG exploit kit for its distribution.

Now, in October 2017, Matrix ransomware has made an unexpected reappearance. A researcher from Malwarebytes was the first to report increased activity of the infection. Later on, more and more information began circulating, and it was determined that the infection spreads via malvertising.

This means that malicious advertisements are transmitting the ransomware. Furthermore, Matrix ransomware was determined to be exploiting vulnerabilities in Adobe Flash Player and Internet Explorer. Thankfully, both of these software tools have received updates fixing those issues.

Matrix crypto-malware appends a long extension: .pyongyan001@yahoo.com. Furthermore, the names of the encrypted files are also transformed, so you will no longer be able to tell files apart. One of the most frightening aspects of the Matrix infection is that it attempts to intimidate victims.

People are accused of accessing websites with pornography, abuse and other illegal material. However, these statements are made without any evidence, and most of the people are being wrongfully accused.

Do not be frightened. If you are instructed to pay the ransom, be aware that doing so is not recommended. The hackers might be planning to disappear after the ransoms end up in their bitcoin wallets. Therefore, it is better to contact ransomware specialists and ask for their assistance and recommendations.

If you are worried about your cybersecurity, bear in mind that you have to back up your files. If you do not want to end up in a very difficult situation after your files are encrypted, select an appropriate online storage service. An alternative is simply putting all your files on USB flash drives.

Bad Rabbit ransomware strikes

You might have heard of ransomware viruses: some were weak, barely reaching users’ email accounts, and others hit the world with a loud “boom!”. The more frightening infections went by names like NotPetya or WannaCry: infections that managed to slither into computers all over the world.

However, there are tons of less successful crypto-malware variants, most of them based on the Hidden Tear open source project or containing serious bugs that prevent them from fully encrypting data. This time we will discuss one of the exceptions: a ransomware infection that managed to do it all and bring fear into cyberspace once again.


Even though the Bad Rabbit ransomware virus has a silly name, it should not be underestimated. Over the course of a few days, it became the focus of many social media sites and cybersecurity portals. It attracted so much attention because it managed to infect infrastructure such as airports as well as other business enterprises.

Bad Rabbit virus displays the exact same screen locker that NotPetya did. However, these viruses are not as comparable as it seems at first glance. Bad Rabbit initiates redirection and uses the AES algorithm. Furthermore, it encrypts the decryption key with the RSA-2048 cipher.

One of the most disturbing facts about this ransomware is its distribution method. Even though random Adobe Flash Player updates have been considered unreliable for a very long time now, some people still fail to recognize the threat. Hackers simply compromised some websites and made sure that those domains would automatically present an offer of a Flash update. As you can see, many people swallowed the bait and became infected.

Currently, it is difficult to say whether decryption of this Bad Rabbit infection will ever be possible. It could have damaged files beyond restoration. Nevertheless, it is important not to lose hope and to have faith in security researchers. However, do not do anything rash while researchers are investigating the newly-detected infection. Paying the ransom of 0.05 BTC might not solve your problems, as the authors can disappear after the ransoms are paid. Do not waste 275 dollars on an option that might not even help you.

Throwback Friday: Tgmgo.com virus

Some browser hijackers have no intention of concluding their activity and stepping back. The Tgmgo.com infection is one of them: even though it is already counting its seventh birthday, it does not plan to retire or leave the game. It is clearly a malware parasite, as it is even related to other browser hijackers.

If your browsers’ preferences have suddenly been taken over by this specific search platform, it is important that you decide on the best option for its removal. We recommend installing an anti-malware tool which will detect all malware parasites in your operating system.


Symptoms of a browser hijacker infection:

1. Your browser preferences no longer point to the websites you selected. In addition, the modifications you make do not last long: the suspicious invader returns as soon as you reboot your device.
2. You constantly see online advertisements in the form of pop-unders, pop-ups, banners and in-text ads. All of this content disrupts your browsing and makes it impossible to enjoy your usual online activities.
3. Results to your search queries are delivered through bizarre domains. In some cases, browser hijackers do not have their own search platforms and are made to influence legitimate services with sponsored content.
4. You notice that online ads are inspired by your recent browsing. This means that a browser hijacker is collecting information about you and sending it to unknown third parties.
5. Unknown applications and browser extensions are being installed into your operating system, without your permission, of course. In some instances, a rogue browser extension can enable one very important setting: the one allowing automatic installation of programs.
6. When you attempt to visit another search platform like Google or Yahoo, the suspicious search platform is presented instead.
7. You are still infected with a hijackware parasite even if only your new tab page is affected. This means that the infection is made to influence only one of the main preferences (the new tab, in some cases together with the start page).
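As an added example (not code from the original article or from any product it names), the following Python audits a snapshot of a browser's key preferences against the user's own baseline for symptoms 1 and 7 above, flagging hosts that match the hijacker domains named across this page. The snapshot layout is a constructed, browser-neutral summary rather than any browser's real preferences file, and the list of trusted search engines is an assumption.

```python
# Added example: audit a browser-preference snapshot for the hijacker symptoms
# above. The snapshot layout (homepage, new_tab, default_search, startup_urls)
# is a constructed, browser-neutral summary, not any browser's real file format.
from urllib.parse import urlparse

# Search platforms this article names as browser hijackers.
HIJACKER_DOMAINS = {
    "tgmgo.com", "startgo123.com", "search.mpc.am",
    "search.chill-tab.com", "hp.myway.com", "search.conduit.com",
}
# Engines the user is assumed to have chosen deliberately (assumption).
TRUSTED_SEARCH_DOMAINS = {"www.google.com", "search.yahoo.com", "www.bing.com"}
PREF_KEYS = ("homepage", "new_tab", "default_search", "startup_urls")


def hostname(url):
    """Lower-cased host of a URL; '' for about: pages or junk input."""
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:
        return ""


def classify_host(host):
    """'hijacker' (page-named domain or a subdomain), 'trusted' or 'unknown'."""
    if host in HIJACKER_DOMAINS or any(host.endswith("." + d) for d in HIJACKER_DOMAINS):
        return "hijacker"
    return "trusted" if host in TRUSTED_SEARCH_DOMAINS else "unknown"


def _as_list(value):
    # A preference may hold a single URL or a list of URLs; normalise to a list.
    return [value] if isinstance(value, str) else list(value or [])


def audit_snapshot(snapshot, baseline):
    """Return (preference, host, verdict) for every host absent from the baseline (symptom 1)."""
    findings = []
    for key in PREF_KEYS:
        expected_hosts = {hostname(u) for u in _as_list(baseline.get(key))}
        for url in _as_list(snapshot.get(key)):
            host = hostname(url)
            if host not in expected_hosts:
                # 'unknown' hosts are not proven hijackers but still deserve a look.
                findings.append((key, host, classify_host(host)))
    return findings


def hijack_profile(findings):
    """'clean', 'new_tab_only' (symptom 7: new tab/start page only) or 'full'."""
    touched = {key for key, _, verdict in findings if verdict == "hijacker"}
    if not touched:
        return "clean"
    if "default_search" not in touched and touched <= {"new_tab", "homepage"}:
        return "new_tab_only"
    return "full"


# Constructed sample: the user's own settings, then a snapshot after infection.
BASELINE = {
    "homepage": "https://www.google.com/",
    "new_tab": "about:newtab",
    "default_search": "https://www.google.com/search?q={searchTerms}",
    "startup_urls": ["https://www.google.com/"],
}
INFECTED = {
    "homepage": "http://tgmgo.com/",
    "new_tab": "http://tgmgo.com/?tab=1",
    "default_search": "http://tgmgo.com/search?q={searchTerms}",
    "startup_urls": ["http://tgmgo.com/", "https://www.google.com/"],
}
```

Running `audit_snapshot(INFECTED, BASELINE)` reports all four preferences as pointing at tgmgo.com, and `hijack_profile` on those findings returns "full"; a snapshot where only `new_tab` was changed returns "new_tab_only".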

Bundling: can Uncheckit really help people avoid potentially unwanted programs?

We are sure that you have installed programs into your operating system at least once in your life. Once Setup Wizards are in full action, people tend to rush through all of the steps and never pay attention to the EULA or Privacy Policy, even though these documents are extremely important. In this time of need, developers can often think of ways to help and assist people.

Therefore, programs like Uncheckit began to circulate around the web, advertising their advantages. This tool claimed to automatically uncheck the boxes that list recommended software applications. However, little did some people know that Uncheckit itself was going to be classified among adware infections.


Currently, in October 2017, the activity of this application has been fully concluded. It has been removed from multiple file-sharing websites for being flagged as malicious/potentially unwanted. Attention was drawn to this deceptive tool after security forums started to fill up with reports from confused users. They all claimed that Uncheckit arrived in their operating systems without authorization.

However, even though this tool no longer has an official distributor, vicious developers could still include it in the installations of other software tools. Therefore, it is best to refuse Uncheckit adware if it appears among the recommended software applications. Why? Well, the tool was observed to act as a regular ad-based tool, meaning that users reported increased numbers of advertisements. The fact that most of the adverts contained deceptive information was also not a helpful factor for the owners of this tool.

If you wish to protect your operating system from malware or potentially unwanted programs, we have a few recommendations. Be patient and read EULA documents together with Privacy Policies. They can include some enlightening information about the tools you are about to prepare for use. In addition to this, avoid installing programs from unknown or little-known sources. Third-party software tools are often promoted by distributors that pay little attention to the quality of the tools they promote.

Issues with identical browser hijackers

It is no news that Polarity Technologies Ltd. has introduced disturbing amounts of browser hijackers that look the same. Knock-off search platforms increase the opportunities for profit, as many more people will be directed to websites or ads that bring revenue to Eightpoint Technologies Ltd (a.k.a. Polarity). However, this is far from the only example we can think of when speaking of identical browser hijackers.

Startgo123.com and Search.mpc.am both look the same. Therefore, we presume that both of these rogue search platforms are created by the same developers. However, we do not know which company is responsible for them. Another suspicious feature is that they have neither EULA documents nor Privacy Policies.


Users won’t be able to learn about the conditions of usage, which might include some disturbing terms. For instance, a browser hijacker might be capable of collecting users’ personally identifiable information and selling it to unknown third parties. This is when the threat of identity theft becomes very real.

Furthermore, there are other repercussions to be feared from the infiltration of a browser hijacker. Your browsing activities might be disturbed by constant redirection to unknown domains. This becomes a very dangerous activity because people face the possibility of being transferred to malware-laden, phishing and other types of fraudulent domains.

It is important to learn the best ways to avoid a browser hijacker. First of all, it is crucial to be prepared in case a malware parasite slithers into an operating system. For instance, always remember that anti-malware tools are a wise choice when it comes to securing computers from malware. If you have solid protection, then viruses will have to try harder to slither in.

Also, it is essential for people to update all of their software programs and operating systems themselves. Zero-day vulnerabilities, and vulnerabilities of other severity levels, are discovered very frequently.

Therefore, it is important to take advantage of these updates as soon as they become available. If you do not, your operating system will be exposed to all sorts of intrusion, one of which is definitely the possibility of getting infected with a browser hijacker.

The Dark Side of Ad Fly

Adf.ly, or just Ad Fly, is a well-known advertising network that has been around for quite some time. It is a tool that can be used by website owners to monetise their content, or by regular Internet users to make some extra money by spreading links locked with the Adf.ly tool.

Ad Fly serves as a middleman between publishers of advertisements and those who want to monetise their links and web content. In concept, it sounds like a really good idea for both parties. However, things are a bit different in reality. A blog post by 2-viruses.com addressed this problem and explained why in some cases Adf.ly should be considered an adware infection. The line between a legitimate tool and a malicious infection is very thin, and it seems that Ad Fly tends to cross it.


The biggest problem is that Adf.ly fails to control its partners. For instance, if you want to advertise using Google AdWords, Facebook Ads or any other well-known advertising network, you will have to pass strict controls and meet a number of criteria. This way users are 100 percent sure that the content they receive through these providers is safe to use. When speaking of Ad Fly, this lack of control is a really dark side. Various scammers and hackers can direct traffic to their websites of questionable reputation by using this tool. It’s no secret that most of the time the advertisements displayed by Ad Fly lead to offers to purchase viagra or other controversial services that you wouldn’t normally encounter on legitimate websites.

Another feature that puts a question mark over this tool is that it might attach itself to your web browsers without even asking your permission. It can also be very difficult to get rid of, so users struggle every day, skipping ads and experiencing random redirects.

What is our best advice for staying away from malware like this? Well, first of all, your computer should always be protected with reliable protection tools. There are tons of useful and free tools, such as AdBlock, CCleaner and so on, that will help you protect your computer from unwanted content, spam and malicious files. A good anti-malware program should come in useful as well. You should also be careful while browsing the Internet. Avoid websites that look suspicious and only download software from well-known and reliable sources.

Analysis of Search.chill-tab.com browser hijacker

It is always difficult to identify the owners of browser hijackers, as they are always trying to conceal their identities. In some cases, they do not introduce themselves at all. In other cases, suspicious developers leave a different company name in each of their products.

We have investigated a curious case: the Search.chill-tab.com virus. On this website, its owners do not properly introduce themselves. However, the web server on which the domain is hosted reveals more information about the possible owners of this domain.

Search.chill-tab.com virus is generated by developers that are using multiple company names to hide their true identity. The names Veristaff, Pinwid, ReSoft, CodeSet and maybe others have been noticed in similar products.


This is a classical strategy that hackers or simply greedy developers take advantage of. For the sake of profiting as much as possible, website developers create identical search engines and use deceptive means of advertising to promote them.

As you might know, using suspicious platforms for searching is never a wise idea. Suspicious ads will soon start to appear in the form of pop-ups, pop-unders, banners or in-text ads.

All of this promotional material might be involved in some sort of malvertising campaign. For instance, rogue updates for browsers and Flash Player have been identified as one of the most popular schemes for malware distribution.

Please pay attention to the search engine assigned as your preference. If it happens to be the Search.chill-tab.com browser hijacker, follow appropriate guidelines to get rid of this tool once and for all. These specific parasites are definitely aggravating, as they are difficult to eliminate. However, an anti-malware tool will always help you remain protected from vicious infections.

What are the first symptoms of a browser hijacker? Well, this question is easy to answer: modified browser preferences, and maybe other settings as well. There are certain types of browser hijackers. For instance, last week we discussed infections that only affect new tab pages. In that case, the default search provider will probably still be the engine you selected.

To avoid potentially unwanted or dangerous software, install only respectable software tools and always try to select the advanced/custom mode during installation.

Browser hijackers that occupy new tabs: how to avoid them?

There is a certain type of browser hijacker that occupies new tab pages and, in some cases, start pages. They are similar to the usual hijackware parasites, but they do not occupy search providers. If you want to read more about this type of parasite, check out this helpful article.

There are several widely known developers of browser hijackers that we have investigated. One of them is MindSpark Interactive, which has produced many similar-looking browser extensions. All of them encourage people to use Hp.myway.com browser hijackers and are difficult to remove.


This organization is also very famous for its deceptive advertising strategies. If you are a regular visitor of online streaming services, you might have been presented with one or another Mindspark toolbar. Of course, you should always decline these propositions.

New tab viruses will show intense amounts of online advertisements in the hope of catching the interest of potential users. In some cases, these search engines receive a commission for the products purchased thanks to their marketing. Furthermore, browser hijackers have the annoying habit of collecting users’ online information. Occasionally, this data might be shared with unknown third parties that could use it for their personal benefit. Therefore, we hope you will not keep an unknown new tab in your browsers.

There are many other producers of new tab viruses. ClientConnect LTD is one of those suspicious companies that generate knock-off search platforms and hope to benefit from them. Also, we have observed a parade of disturbing browser hijackers that try to trick users by incorporating “newtab” into their titles. If you notice that an unknown search platform has made modifications to your browser, we hope you will find an appropriate removal tool to take care of this problem. Always make sure that your browsing activities are properly protected and that no shady applications have managed to slither into your operating system.

Old Search.conduit.com virus still functions

Browser hijackers have been around for a long time, and many old parasites still manage to function. The Search.conduit.com infection is one of the prevailing older search engines that is still trying to make it among the dozens of new hijackers.

The Conduit Toolbar was founded more than 8 years ago, and at first it was one of the most hi-tech online platforms around. Its owner, Adam Boyden, was even featured in influential magazines for his success.

After some time, the Conduit Toolbar began to be distributed in a way that many security researchers find disturbing: bundling. The browser extension would be installed together with other freeware applications. As people did not bother to read through the installation process, they agreed to receive many redundant software applications.


The Conduit Toolbar was determined to have rootkit capabilities, allowing it to influence operating systems more deeply. Because of this feature, browser hijacking became possible.

Therefore, the Search.conduit.com virus would appear as users’ home page, default search provider and new tab page. The exact classification of this tool has ranged from a potentially unwanted program (PUP) to a browser hijacker.

Some security researchers classified it as a PUP because it was not necessarily malicious, but a lot of time has passed since then. The ClientConnect Ltd. company is indicated as the owner of the Search.conduit.com virus. During our analysis, we discovered that there are dozens of similarly shaped search engines that are generated only for monetization purposes. Results to search queries might be tainted with sponsored material for which the owners of the platform receive financial support.

United States, Japan, Canada, India and the United Kingdom are the regions currently being dragged into the Search.conduit.com virus. Of course, people from other countries can also be bothered by Conduit’s software.

It is always advisable to stick to more legitimate and secure search platforms. In that case, you will have less chance of being exposed to potentially malware-laden websites, phishing scams or other deceptive websites that you have no business visiting. To be safe from malware, we hope you will try to avoid this type of content.

Taboola serves malicious ads in MSN.com website

Online advertising companies have also been observed to be less than 100% secure services, as their content frequently distributes fake news, click-bait articles or malware-laden adverts. The popular and extremely profitable Taboola ad network has obtained a rather cozy position in the digital world, but some security researchers still regard its content as questionable. In the last weeks of September 2017, a very disturbing truth resurfaced and made many researchers say “I told you so!”.


According to recent news, the owners of MSN.com intentionally included Taboola Ads in their domain. When you are making such a deal with MSN.com, a website ranked 53rd in the world, you have to be careful. However, Taboola failed this task and provided MSN with advertisements that led users straight into technical support scams. Such deceptive domains are only interested in tricking users and obtaining money.


The technical support scam pretended to originate from Microsoft technicians and urged users to contact a toll-free helpline. In addition, the domain insisted that people reveal the usernames and passwords of Windows accounts with administrative rights.

This incident should definitely discourage more cautious website owners from including ads from Taboola in their domains. It has now become clear that the ad-serving network should make its requirements stricter and review the submitted content before pushing it to its partners.

This just goes to prove that tons of online advertisements are bound to cause trouble. If you notice that your browsing is being interrupted by adverts, make sure that your operating system has not been compromised by malware.

In addition to this, we always encourage our users to stay away from ads on unknown websites. However, the fact that MSN.com transferred people to technical support scams reminds us that basically any domain can become a distributor of suspicious content.

However, there are certain features of potentially dangerous ads:

1. They present fake news or click-bait articles. We are referring to headlines such as “Justin Bieber is dead: see pictures to believe!” or “1 easy trick to pay off your home in half the time”. While they do sound intriguing, check reputable sources for more information instead of trusting an unreliable one.
2. They offer technical support. An ad might warn users that their operating systems are severely damaged. Do not believe these statements.
3. Lotteries, surveys and other adverts that require participation. They usually ask for users’ personal details or other information.