Virus and Spyware Removal Guides, uninstall instructions

Xatz Ransomware

What is Xatz ransomware?

Our research team discovered the Xatz ransomware while inspecting new submissions to the VirusTotal website. Xatz is part of the Djvu ransomware family. This program operates by encrypting data and demanding payment for its decryption.

Once executed on our testing system, Xatz began encrypting files and appended a ".xatz" extension to their filenames. For example, a file titled "1.jpg" appeared as "1.jpg.xatz", "2.png" as "2.png.xatz", and so on. After the encryption process was completed, the ransomware created a ransom note named "_readme.txt".

It is pertinent to mention that Djvu ransomware infections are commonly combined with the Vidar and RedLine data-stealing malware.

   
Cyb Ransomware

What is Cyb ransomware?

Our research team discovered Cyb, yet another malicious program belonging to the VoidCrypt ransomware family, during a routine investigation of new submissions to VirusTotal.

After we executed a sample of Cyb on our testing system, it began encrypting files and appended a ".cyb" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.cyb", "2.png" as "2.png.cyb", etc. Following the completion of this process, Cyb created a ransom note named "Dectryption-guide.txt".

   
BlackRock Ransomware

What is BlackRock ransomware?

While investigating new submissions to VirusTotal, our researchers discovered the BlackRock ransomware. It is designed to encrypt data and demand ransoms for its decryption. This malicious program is part of the Phobos ransomware family.

On our testing machine, BlackRock encrypted files and modified their filenames. A unique ID assigned to the victim, the cyber criminals' email address, and a ".blackrock" extension were appended to the original filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.id[9ECFA84E-2803].[icanrestore@onionmail.org].blackrock" after encryption.

Once this process was concluded, ransom-demanding messages were created in a pop-up window ("info.hta") and text file ("info.txt").

   
Xash Ransomware

What kind of malware is Xash?

While examining samples on VirusTotal, our malware analysts discovered Xash, a ransomware strain that is part of the Djvu family. This nefarious software encrypts files and appends the ".xash" extension to their original names. It also creates a ransom note named "_readme.txt".

An example of how Xash changes filenames: it renames "1.jpg" to "1.jpg.xash", "2.png" to "2.png.xash", and so forth. It should be noted that Djvu ransomware is often distributed alongside RedLine and Vidar information stealers.

   
Misground.com Ads

What kind of page is misground[.]com?

Our research team found the misground[.]com rogue webpage while investigating suspect sites. This page is designed to push browser notification spam and redirect users to different (likely unreliable/malicious) websites.

Visitors to misground[.]com and similar webpages access them primarily via redirects generated by sites that use rogue advertising networks, spam notifications, mistyped URLs, intrusive adverts, or installed adware.

   
Misarea.com Ads

What kind of page is misarea[.]com?

Misarea[.]com is a rogue page that we discovered while inspecting untrustworthy websites. It operates by promoting browser notification spam and redirecting visitors to other (likely unreliable/hazardous) webpages. Most users access misarea[.]com and similar pages via redirects caused by websites that use rogue advertising networks.

   
Mafirst.site Ads

What kind of page is mafirst[.]site?

Discovered by our researchers during a routine investigation, mafirst[.]site is a rogue webpage. It promotes spam browser notifications and redirects visitors to other (likely untrustworthy/harmful) sites. Users typically enter pages like mafirst[.]site via redirects caused by websites that use rogue advertising networks.

   
Review Pending Messages Email Scam

What kind of email is "Review Pending Messages"?

After inspecting the "Review Pending Messages" email, we determined that it is spam. The letter makes false claims about received messages in order to trick users into disclosing their email account log-in credentials (passwords) to a phishing website.

   
Chotorexsurvey.space Ads

What kind of page is chotorexsurvey[.]space?

During our examination of chotorexsurvey[.]space, we found that it is an unreliable website that shows a fake survey and asks for permission to show notifications. Also, chotorexsurvey[.]space leads users to other websites. Our team discovered chotorexsurvey[.]space while inspecting sites that use rogue advertising networks.

   
Aumsuthysurvey.space Ads

What kind of page is aumsuthysurvey[.]space?

While inspecting suspect websites, our research team discovered the aumsuthysurvey[.]space rogue page. It is designed to promote questionable content and spam browser notifications. Additionally, this webpage can redirect users to other (likely unreliable/harmful) sites.

Pages like aumsuthysurvey[.]space are most commonly accessed through redirects generated by websites that employ rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
