Virus and Spyware Removal Guides, uninstall instructions

What is the Black Kingdom ransomware?
Black Kingdom, also known as GAmmAWare, is a malicious program classified as ransomware. Systems infected with this malware experience data encryption and users receive ransom demands for decryption tools.
When Black Kingdom encrypts files, it appends the ".DEMON" extension to their filenames. For example, a file originally named something like "1.jpg" would appear as "1.jpg.DEMON" following encryption.
Once this process is complete, a ransom message is created in a full-screen pop-up window and within "README.txt" text files, which are dropped into compromised folders.

What is Gopher?
Gopher is malicious software that infects computers (encrypts files) and displays messages demanding fees to be paid to regain access to computers/files. It encrypts and renames files, displays a pop-up window ("Restore Your Files.exe"), and changes the desktop wallpaper.
Gopher renames files by appending the ".gopher" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.gopher", "2.jpg" to "2.jpg.gopher", and so on.
Note that this ransomware variant was discovered by S!Ri.

What is Pirat ransomware?
Pirat is a type of malicious software that encrypts and restricts access to files until a ransom is paid to unlock (decrypt) them. Like many other ransomware variants, Pirat not only renames files but also encrypts them.
It appends the victim's ID, the brokendig@zimbabwe.su email address, and the ".pirat" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[brokendig@zimbabwe.su].pirat", "2.jpg" to "2.jpg.id-C279F237.[brokendig@zimbabwe.su].pirat", and so on.
Pirat also creates a ransom message within the "FILES ENCRYPTED.txt" text file and displays a pop-up window (another ransom message). Note that this ransomware belongs to the Dharma ransomware family.

What is LAO ransomware?
LAO is malicious software belonging to the Dharma ransomware group. This malware is designed to encrypt data and demand payment for decryption. The files affected by LAO are rendered inaccessible (useless), and victims are asked to pay to recover access to their data.
During the encryption process, files are renamed according to this pattern: original filename, unique IDs assigned to the victims, cyber criminals' email address, and the ".LAO" extension. For example, a file initially named "1.jpg" would appear as something similar to "1.jpg.id-C279F237.[filerecovery@zimbabwe.su].LAO" following encryption.
After this process is complete, ransom-demand messages are created in a pop-up window and the "FILES ENCRYPTED.txt" text file.

What is QuickLookSearches?
The QuickLookSearches application operates as adware and a browser hijacker. It serves various advertisements and promotes the address of a fake search engine by modifying browser settings. Applications of this type often collect various user-system information.
In most cases, people download and install adware/browser hijackers inadvertently. For this reason, they are also known as potentially unwanted applications (PUAs).
People are commonly tricked into installing QuickLookSearches when using a fake Adobe Flash Player installer, which is designed to stealthily install the app.

What kind of malware is CryptoWire?
Typically, ransomware blocks access to data or operating systems by encrypting files and displaying/creating ransom messages. Victims cannot access (use) their data unless they pay the ransom.
Ransomware often renames files. CryptoWire renames encrypted files by inserting ".encrypted" into filenames. For example, "1.jpg" is renamed to "1.encrypted.jpg", "2.jpg" to "2.encrypted.jpg", "3.jpg" to "3.encrypted.jpg", and so on.

What is SimpleSignSearch?
SimpleSignSearch generates revenue for its developer by serving advertisements and promoting a fake search engine. In this way, it functions as adware and a browser hijacker. Apps of this type can also collect data relating to internet browsing activities.
Typically, users download and install apps such as SimpleSignSearch inadvertently and, therefore, they are classified as potentially unwanted applications (PUAs).
Note that SimpleSignSearch installs through a fake Adobe Flash Player installer.

What is the load00[.]biz website?
load00[.]biz is a rogue site sharing many similarities with captcha-sourcecenter.com, yourcommonfeed.com, cpa-optimizer.best, and countless others. Visitors to this page are presented with dubious content and/or are redirected to other untrusted/malicious websites.
Few users enter these sites intentionally - most are redirected to them by intrusive advertisements or by Potentially Unwanted Applications (PUAs) already installed on their devices. This software does not require explicit permission to infiltrate systems and thus users may be unaware of its presence.
PUAs cause redirects, run intrusive ad campaigns, and gather browsing-related information.

What is TabOptimizer?
TabOptimizer is promoted as a tool for managing browser tabs, thereby eliminating errors and improving the browsing experience. In fact, this piece of software operates by running intrusive advertisement campaigns (i.e., delivering various ads). Due to this, TabOptimizer is classified as adware.
Additionally, TabOptimizer has data tracking capabilities, which are employed to monitor users' browsing activity. Since most users download/install adware-type programs inadvertently, they are also categorized as Potentially Unwanted Applications (PUAs).

What is the 1btc (MedusaLocker) ransomware?
1btc is a malicious program belonging to the MedusaLocker ransomware family. It operates by encrypting data and demanding payment for decryption tools. In other words, affected files are rendered inaccessible and victims receive ransom demands to recover access to their data.
During the encryption process, files are appended with the ".1btc" extension. For example, a file originally named something like "1.jpg" would appear as "1.jpg.1btc", "2.jpg" as "2.jpg.1btc", and so on.
Once this process is complete, ransom-demand messages within "!!!HOW_TO_DECRYPT!!!.mht" files are dropped into compromised folders.