Virus and Spyware Removal Guides, uninstall instructions

What is 2021 ransomware?

Ransomware is malware that prevents victims from accessing their files by encryption. In most cases, it renames encrypted files and displays a ransom message. 2021 ransomware's ransom messages appear in a pop-up window and the "FILES ENCRYPTED.txt" file.

This ransomware renames files by adding the victim's ID, decrypt2021@aol.com email address, and appending the ".2021" extension. For example, "1.jpg" is renamed to "1.jpg.id-C279F237.[decrypt2021@aol.com].2021", "2.jpg" to "2.jpg.id-C279F237.[decrypt2021@aol.com].2021", and so on.

This ransomware is a part of the Dharma ransomware family.

What is Hunter?

Hunter is an information stealer, a type of malware that gathers sensitive information from the compromised system and sends it to attackers.

This particular stealer collects data and has additional capabilities. It is available for sale on a hacker forum where it can be purchased for 700 or 4000 rubles (depending on the subscription plan).

Hunter is written using the C++ programming language and attackers receive information collected by it via Telegram.

What is LOCKED?

LOCKED encrypts files (and renames them), changes desktop wallpaper, creates the "HOW TO DECRYPT FILES.txt" file, and displays a pop-up window. It renames files by appending the ".LOCKED" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.LOCKED", "2.jpg" to "2.jpg.LOCKED", and so on.

Note that this ransomware belongs to the Xorist ransomware family.

What is the $500 Amazon Gift Card! scam?

Scammers behind this website attempt to trick visitors into believing that, if they complete a survey, they will receive a $500 Amazon gift card. Neither this nor other similar web pages are legitimate or trustworthy.

Commonly, scammers behind these pages ask users to provide personal information and, in some cases, even passwords, banking details, and other sensitive details.

Note that these sites are usually opened by browsers automatically when they have potentially unwanted applications (PUAs) installed on them.

What is Locks?

Locks encrypts data, modifies the filename of each encrypted file, and generates two ransom messages. It renames files by appending the ".locks" extension to filenames. For example, "1.jpg" is renamed to "1.jpg.locks", "2.jpg" to "2.jpg.locks", and so on.

Locks creates "HOW TO DECRYPT FILES.txt" text files in folders that contain encrypted data and displays a pop-up window - these are ransom messages that contain instructions about how to pay the ransom and contact the ransomware developers.

Note that Locks belongs to the Xorist ransomware family.

What is Funcy Web?

Funcy Web is classified as a browser hijacker because it promotes a fake search engine (quicknewtab.com) and directs users to it without their permission. It also collects browsing history details and possibly other data.

Note that browser hijackers such as Funcy Web are not often installed by users intentionally and, for this reason, they are also classified as potentially unwanted applications (PUAs).

What is OperativeMachine?

OperativeMachine is classified as adware because it generates advertisements. Note that it also functions as a browser hijacker, modifying browser settings to promote a fake search engine.

Typically, users do not download or install apps such as OperativeMachine intentionally and, for this reason, they are classified as potentially unwanted applications (PUAs). This particular app is distributed via a fake installer for Adobe Flash Player.

What is BTC giveaway scam?

Some internet scams invite people to send a specific Bitcoin sum to a provided wallet or via a QR code, and promise to return double the amount of cryptocurrency. People who trust these scams receive nothing in return and simply lose the cryptocurrency that they send.

This giveaway scam is no different and is promoted via YouTube and on a specific website. It is also likely to be promoted via adware.

What kind of malware is Babuk Locker?

Babuk Locker is ransomware that creates the "How To Restore Your Files.txt" file (ransom message) in all folders that contain encrypted files and renames the files by appending the ".__NIST_K571__" extension. For example, "1.jpg" is renamed to "1.jpg.__NIST_K571__", "2.jpg" to "2.jpg.__NIST_K571__", and so on.

Babuk Locker ransomware may also append ".babuk" or ".babuk2" extension. Babuk Locker uses SHA256 hashing, ChaCha8 encryption, and the ECDH key generation and algorithm to secure its keys and encrypt files.

Research shows that cyber criminals behind Babuk Locker target mainly companies, however, they might also target regular users. Note that this ransomware was discovered by Glacius_.

What is GoSearch22?

GoSearch22 is a potentially unwanted application (PUA) that functions as adware and generates advertisements. It belongs to the family of adware-type apps called Pirrit. Apps such as GoSearch22 are often downloaded and installed by users intentionally, and are thus classified as 'potentially unwanted'.

Note that, as well as generating ads, GoSearch22 tracks and records information.