File Spider ransomware: what is it?

Security researchers find new and frightening malware samples daily, and on the 10th of December they stumbled upon a rather intimidating variant. Dubbed File Spider ransomware, the infection belongs to the group of malware that encrypts users’ files and demands a fee for their decryption. The virus was observed arriving on operating systems through malicious spam campaigns.

The malicious Word documents that were sent out were written in Bosnian, but text was not all they contained. Sadly, they carried hidden macro code that was activated as soon as users clicked the “Enable Editing” button. After that short decision, PowerShell runs to download the deceptive payload of the File Spider crypto-virus. With this easy trick, the ransomware is targeting the Balkan region and hoping its campaign plays out successfully.


The ransomware appends the .spider extension to every encrypted file, so it is not difficult to recognize this infection in the sea of crypto-viruses we have seen. As soon as the infection has settled in, it shows a warning message which, for the victims’ convenience, adapts to the language set on the affected computer. The extortionists also run a Tor website bearing their signature symbol: a spider.

While this ransomware infection is wrecking users’ files, you should pay attention to your own cyber security. If you have not yet become a victim of any crypto-infection, consider yourself very lucky. Catching a ransomware virus nowadays is as easy as catching a cold: all you have to do is visit contagious areas. For instance, you could interact with an infectious pop-up or an email and end up infected. In the case of ransomware, however, the cure is going to be very pricey and might not even work.

If you want to be properly protected from ransomware infections, we suggest you back up your digital data in online storage. If you do not, you risk losing all of it to a ransomware virus. File Spider might be the talk of the day, but there are numerous other variants circulating all around you.

You can never know which website is going to get hacked and injected with malicious code. You can never be sure which online ads might be delivering malicious payloads into your operating system. The only thing you can be sure of is that your files are safely uploaded to a backup storage. With this in mind, you will never have to consider paying ransoms to vicious extortionists.

All that you should know about QkG Ransomware

qkG virus is officially listed as a ransomware infection; however, it is a rather untypical one. First and foremost, it specifically targets Word documents. To be more precise, this ransomware does not look for Word documents already on your computer: it targets Microsoft Word’s default template. Since that template is used to form every new document on your computer, every new file will eventually be encrypted.


This infection is definitely unique, because it operates using methods that are not common in other ransomware families. It’s one of the few viruses that target a specific document type and employ malicious macro code for the encryption itself. In most cases ransomware only uses macros to download the files needed to install the virus.

In fact, this ransomware is so cunning that once inside your system it automatically lowers the macro security settings of Microsoft Word, so Word will not ask you to enable macros the next time you open it, and the virus can encrypt even more files. Cyber security researchers from 2-viruses.com have made a guide on how to deal with QkG ransomware and avoid similar infections in the future; if you are infected with this virus or simply concerned about your online security, we highly recommend reading it.
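Because the infection is described as silently lowering Word’s macro security, a quick audit of that setting is a useful check. The script below is an added example written for this article, not code from 2-viruses.com or from the malware analysis; it reads the per-user Word trust-center values `VBAWarnings` and `AccessVBOM` (the latter, “trust access to the VBA project object model”, is not mentioned in the article and is included as a related setting) and optionally resets them to Word’s default of prompting before macros run.

```powershell
# Added example (not from the original article): audit the current user's Word
# macro security settings, which QkG is described as lowering so that macros run
# without a prompt. VBAWarnings meaning (Office Trust Center "Macro Settings"):
#   1 = Enable all macros (weak)          2 = Disable all with notification (default)
#   3 = Disable all except digitally signed  4 = Disable all without notification
# AccessVBOM = 1 lets macros edit other documents' VBA projects (weak).
$OfficeVersions = @('12.0', '14.0', '15.0', '16.0')   # Office 2007 through 2016/365

function Get-WordMacroSecurity {
    foreach ($v in $OfficeVersions) {
        $key = "HKCU:\Software\Microsoft\Office\$v\Word\Security"
        if (-not (Test-Path $key)) { continue }          # this Office version is not installed
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            OfficeVersion = $v
            VBAWarnings   = $p.VBAWarnings                # $null when the value was never set
            AccessVBOM    = $p.AccessVBOM
            # Flag the two states a macro-based infection would want to see.
            Weak          = ($p.VBAWarnings -eq 1) -or ($p.AccessVBOM -eq 1)
        }
    }
}

function Repair-WordMacroSecurity {
    # Restore the default "disable with notification" and drop VBA project access.
    foreach ($r in Get-WordMacroSecurity | Where-Object Weak) {
        $key = "HKCU:\Software\Microsoft\Office\$($r.OfficeVersion)\Word\Security"
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 2 -Type DWord
        Set-ItemProperty -Path $key -Name AccessVBOM  -Value 0 -Type DWord
        Write-Output "Reset macro security for Word $($r.OfficeVersion)"
    }
}

$results = Get-WordMacroSecurity
$results | Format-Table -AutoSize
foreach ($r in $results | Where-Object Weak) {
    Write-Warning "Word $($r.OfficeVersion): macros run without prompting or VBA project access is enabled"
}
# Uncomment to remediate after reviewing the output:
# Repair-WordMacroSecurity
```

Group Policy can pin the same values under `HKLM`/`HKCU\Software\Policies\Microsoft\Office\<version>\Word\Security`, which prevents a macro running as the user from changing them back.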

You might also be familiar with the fact that ransomware usually adds a unique extension to encrypted files. In this case, however, things are different: the file name and extension remain unchanged.

Moreover, it seems that this ransomware is still in beta or development mode, so it is possible that once the cyber criminals finish their work, QkG ransomware will be capable of encrypting more file types or causing other sorts of cyber security problems. For now, it exclusively targets Microsoft Word documents and demands 300 USD as a ransom.

As always, if you want to stay out of trouble online, make sure that your computer is protected by real-time anti-malware security and always pay attention to the files you download from the Internet, whether it’s an attachment to an email or some piece of software you decided to install after noticing a banner advertisement on the web.

Matrix ransomware returns with more vengeance than ever

Unexpectedly, October turned out to be a rather busy month for ransomware specialists. The high point of the month was definitely the fuss triggered by the Bad Rabbit ransomware infection.

However, right about the time the situation settled down a bit and some of the victims were given hope of decrypting at least part of their documents, a new crypto-malware decided to return.

It is called Matrix ransomware, and it took its first steps back in 2016. At that time, however, security researchers did not pay much attention to this threat.


Why? The crypto-malware was distributed in a passive way and researchers saw no urgent need to investigate it further. This mistake came back to bite cyber security specialists in April of 2017, when the Matrix virus managed to employ the RIG exploit kit for its distribution.

Now, in October of 2017, Matrix ransomware has made an unexpected reappearance. A researcher from Malwarebytes was the first to report increased activity of the infection, and more and more information began circulating afterwards. It was determined that the infection spreads via malvertising.

This means that malicious advertisements are delivering the ransomware. Furthermore, Matrix ransomware was found to exploit vulnerabilities in Adobe Flash Player and Internet Explorer. Thankfully, both of these products have received updates fixing those issues.

Matrix crypto-malware appends a long extension: .pyongyan001@yahoo.com. Furthermore, the names of encoded executables will also be transformed. You will no longer be able to tell files apart. One of the most frightening aspects of Matrix infection is that it attempts to intimidate victims.

Victims are accused of visiting websites with pornography, abuse and other illegal material. However, these statements are made without any evidence, and most people are being wrongfully accused.

Do not be frightened. If you are instructed to pay a ransom, please realize that this is not recommended. The hackers might be planning to disappear after the ransoms land in their bitcoin wallets. It is therefore better to contact ransomware specialists and ask for their assistance and recommendations.

If you are worried about your cybersecurity, please bear in mind that you have to back up your files. If you do not want to end up in a very difficult situation after your files are encrypted, select an appropriate online storage service. Alternatively, simply copy all your files to USB flash drives.

Bad Rabbit ransomware strikes

You might have heard of ransomware viruses: some were weak, barely reaching users’ email accounts, while others hit the world with a loud “boom!”. The more frightening infections went by names like NotPetya or WannaCry: infections that managed to slither into computers all over the world.

However, there are tons of less successful crypto-malware variants, most of them based on the Hidden Tear open-source project or containing serious bugs that prevent them from fully encrypting data. This time we will discuss one of the exceptions: a ransomware infection that managed to do it all and bring fear into cyber space once again.


Even though the Bad Rabbit ransomware virus has a silly name, it should not be underestimated. Over the course of a few days, it became the focus of many social media sites and cybersecurity portals. It attracted so much attention because it managed to infect organizations such as airports and other business enterprises.

Bad Rabbit displays exactly the same screen locker that NotPetya did. However, the two viruses are not as comparable as it seems at first glance. Bad Rabbit initiates redirection and uses the AES algorithm; furthermore, it encrypts the decryption key with the RSA-2048 cipher.

One of the most disturbing facts about this ransomware is its distribution method. Even though unsolicited Adobe Flash Player updates have been considered unreliable for a very long time now, some users still fail to recognize the threat. The hackers simply compromised some websites and made sure those domains would automatically present a “Flash Update” offer. As you can see, many people swallowed the bait and became infected.

Currently, it is difficult to say whether decryption of the Bad Rabbit infection will ever be possible; it could have damaged files beyond restoration. Nevertheless, it is important not to lose hope in security researchers, but do not do anything rash while they are investigating the newly detected infection. Paying the ransom of 0.05 BTC might not solve your problems, as the authors can disappear after the ransoms are paid. Do not waste 275 dollars on an option that might not even help you.

Throwback Friday: Tgmgo.com virus

Some browser hijackers have no intention of concluding their activity and stepping back. The Tgmgo.com infection is one of them: even though it is already celebrating its seventh birthday, it does not plan to retire or leave the game. It is clearly a malware parasite, as it is even related to other browser hijackers.

If your browsers’ preferences have suddenly become occupied by this specific search platform, it is important that you decide on the best option for its removal. We recommend installing an anti-malware tool that will detect all malware parasites in your operating system.


Symptoms of a browser hijacker infection:

1. Your browser preferences no longer show the websites you selected. In addition, modifications you make do not last for long: the suspicious invader returns as soon as you reboot your device.
2. You constantly see online advertisements in the form of pop-unders, pop-ups, banners and in-text ads. All of this content disrupts your browsing and makes it impossible to enjoy your usual online activities.
3. Your search results are delivered by bizarre domains. In some cases, browser hijackers do not have their own search platforms and are made to influence legitimate services with sponsored content.
4. You notice that online ads are inspired by your recent browsing. This means that a browser hijacker is collecting information about you and sending it to unknown third parties.
5. Unknown applications and browser extensions are installed into your operating system, without your permission, of course. In some instances, a rogue browser extension can enable one very important setting: the one allowing automatic installation of programs.
6. When you attempt to visit another search platform like Google or Yahoo, the suspicious search platform is presented instead.
7. You are still infected with a hijackware parasite even if only your new tab page is affected. This means that the infection is made to influence only one of the main preferences (the new tab, in some cases together with the start page).

Bundling: can Uncheckit really help people avoid potentially unwanted programs?

We are sure that you have installed programs on your operating system at least once in your life. Once a Setup Wizard is in full swing, people tend to rush through all of the steps and never pay attention to the EULA or Privacy Policy, even though these documents are extremely important. Developers can often think of ways to help people in this time of need.

Therefore, programs like Uncheckit started to circulate around the web, advertising their advantages. This tool claimed to automatically uncheck the boxes that list recommended software applications. However, little did some people know that Uncheckit itself was going to be classified as an adware infection.


Currently, in October of 2017, the activity of this application has been fully concluded. It has been removed from multiple file-sharing websites after being flagged as malicious/potentially unwanted. Attention was drawn to this deceptive tool after security forums started to fill up with reports from confused users, all claiming that Uncheckit arrived on their operating systems without authorization.

However, even though this tool no longer has an official distributor, vicious developers could still include it in the installers of other software. Therefore, it is best to refuse Uncheckit adware if it appears among the recommended software applications. Why? Well, the tool was observed to act as a regular ad-based tool, meaning that users reported increased numbers of advertisements. The fact that most of the adverts contained deceptive information did not help the owners of this tool either.

If you wish to protect your operating system from malware or potentially unwanted programs, we have a few recommendations. Be patient and read EULA documents together with Privacy Policies; they can include some enlightening information about the tools you are about to use. In addition, avoid installing programs from unknown or little-known sources. Third-party software is often promoted by distributors that pay little attention to the quality of the tools they promote.

Issues with identical browser hijackers

It is no news that Polarity Technologies Ltd. has introduced disturbing numbers of browser hijackers that look the same. Knock-off search platforms increase the possibilities for profit, as many more people will be directed to websites or ads that bring revenue to Eighpoint Technologies Ltd (a.k.a. Polarity). However, this is far from the only example we can think of when speaking of identical browser hijackers.

Startgo123.com and Search.mpc.am both look the same. Therefore, we presume that both of these rogue search platforms are created by the same developers. However, we do not know which company is responsible for them. Another suspicious feature is that they have neither EULA documents nor Privacy Policies.


Users won’t be able to learn the conditions of use, which might include some disturbing terms. For instance, a browser hijacker might be capable of collecting users’ personally identifiable information and selling it to unknown third parties. This is when the threat of identity theft becomes very real.

Furthermore, there are other repercussions to fear from the infiltration of a browser hijacker. Your browsing might be disrupted by constant redirection to unknown domains. This becomes very dangerous, because people face the possibility of being transferred to malware-laden, phishing and other types of fraudulent domains.

It is important to learn the best ways to avoid a browser hijacker. First of all, it is crucial to be prepared in case a malware parasite slithers into an operating system. For instance, always remember that anti-malware tools are a wise choice when it comes to securing computers from malware. If you have solid protection, viruses will have to try harder to slither in.

Also, it is essential for people to keep all of their software programs and operating systems updated. Zero-day flaws and vulnerabilities of every other level of severity are discovered very frequently.

Therefore, it is important to take advantage of these updates as soon as they become available. If you do not, your operating system will be exposed to all sorts of intrusion, one of which is certainly the possibility of getting infected with a browser hijacker.

The Dark Side of Ad Fly

Adf.ly, or just Ad Fly, is a well-known advertising network that has been around for quite some time. It is a tool that can be used by website owners to monetise their content, or by regular Internet users to make some extra money by spreading links locked behind the adf.ly tool.

Ad Fly serves as a middleman between publishers of advertisements and those who want to monetise their links and web content. In concept, it sounds like a really good idea for both parties. In reality, however, things are a bit different. A blog post by 2-viruses.com addressed this problem and explained why in some cases Adf.ly should be considered an adware infection. The line between a legitimate tool and a malicious infection is very thin, and Ad Fly seems to cross it.


The biggest problem is that Adf.ly fails to control its partners. For instance, if you want to advertise through Google AdWords, Facebook Ads or any other well-known advertising network, you have to pass strict vetting and meet a number of criteria. This way users can be confident that the content they receive through these providers is safe. Ad Fly’s lack of such control is its really dark side: various scammers and hackers can direct traffic to websites of questionable reputation by using this tool. It’s no secret that most of the time the advertisements displayed by Ad Fly lead to offers to purchase Viagra or other controversial services that you would not normally encounter on legitimate websites.

Another feature that puts a question mark over this tool is that it may attach itself to your web browsers without even asking your permission. It can also be very difficult to get rid of, so users struggle every day, skipping ads and experiencing random redirects.

What’s our best advice for staying away from malware like this? First of all, your computer should always be protected with reliable security tools. There are tons of useful free tools, such as AdBlock, CCleaner and so on, that will help you protect your computer from unwanted content, spam and malicious files. A good anti-malware program should come in handy as well. You should also be careful while browsing the Internet: avoid websites that look suspicious and only download software from well-known and reliable sources.

Analysis of Search.chill-tab.com browser hijacker

It is always difficult to identify the owners of browser hijackers, as they are always trying to conceal their identities. In some cases, they do not introduce themselves at all. In others, suspicious developers leave a different company name in each of their products.

We have investigated the curious case of the Search.chill-tab.com virus. On this website, its owners do not properly introduce themselves. However, the web server on which the domain is hosted reveals more information about the possible owners of this domain.

The Search.chill-tab.com virus is generated by developers that use multiple company names to hide their true identity. The names Veristaff, Pinwid, ReSoft, CodeSet and possibly others have been noticed in similar products.


This is a classic strategy that hackers, or simply greedy developers, take advantage of. To profit as much as possible, they create identical search engines and use deceptive means of advertising to promote them.

As you might know, using suspicious platforms for searching is never a wise idea. Suspicious ads will soon start appearing in the form of pop-ups, pop-unders, banners or in-text ads.

All of this promotional material might be involved in some sort of malvertising campaign. For instance, rogue updates for browsers and Flash Player have been identified as one of the most popular schemes for malware distribution.

Please pay attention to the search engine assigned as your preference. If it happens to be the Search.chill-tab.com browser hijacker, follow appropriate guidelines to get rid of this tool once and for all. These particular parasites are definitely aggravating, as they are difficult to eliminate. However, an anti-malware tool will always help you remain protected from vicious infections.

What are the first symptoms of a browser hijacker? This question is easy to answer: modified browser preferences, and perhaps other settings as well. There are several types of browser hijackers. For instance, last week we discussed infections that only affect new tab pages; in that case the default search provider will probably still be your selected engine.

To avoid potentially unwanted or dangerous software, install only respectable software and always select the advanced/custom mode during installation.

Browser hijackers that occupy new tabs: how to avoid them?

There is a certain type of browser hijacker that occupies new tab pages and, in some cases, start pages. They are similar to the usual hijackware parasites, but they do not take over search providers. If you want to read more about this type of parasite, check out this helpful article.

There are several widely known developers of browser hijackers that we have investigated. One of them is MindSpark Interactive, which has produced many similar-looking browser extensions. All of them push people towards Hp.myway.com browser hijackers and are difficult to remove.


This organization is also notorious for its deceptive advertising strategies. If you are a regular visitor of online streaming services, you might have been introduced to one or another Mindspark toolbar. Of course, you should always decline these propositions.

New tab viruses show large numbers of online advertisements in the hope of triggering the interest of potential users. In some cases, these search engines receive a commission for products purchased thanks to their marketing.

Furthermore, browser hijackers have the annoying habit of collecting users’ online information. Occasionally, this data might be shared with unknown third parties that could use it for their own benefit. Therefore, we hope you will not keep an unknown new tab in your browsers.

There are many other producers of new tab viruses. ClientConnect LTD is one of the suspicious companies that generate knock-off search platforms and hope to benefit from them. We have also observed a parade of disturbing browser hijackers that try to trick users by incorporating “newtab” into their titles. If you notice that an unknown search platform has modified your browser, we hope you will find an appropriate removal tool to take care of the problem. Always make certain that your browsing activities are properly protected and that no shady applications have managed to slither into your operating system.