Virus and Spyware Removal Guides, uninstall instructions
![Drinking Well Browser Hijacker](/images/thumbnails/th-26626-drinking-well-browser-hijacker.jpg)
What kind of software is "Drinking Well"?
Our researchers found the Drinking Well browser extension while inspecting dubious sites. It is endorsed as a tool for tracking and improving users' hydration habits.
However, our analysis of Drinking Well revealed that it is a browser hijacker, i.e., the extension modifies browser settings to promote the finddbest.co illegitimate search engine via redirects.
![H3r Ransomware](/images/thumbnails/th-26625-h3r-ransomware.jpg)
What is H3r ransomware?
H3r is a ransomware discovered by our researchers during a routine inspection of new submissions to VirusTotal. This program is part of the Dharma ransomware family and operates by encrypting data in order to demand ransoms for its decryption.
On our testing system, H3r renamed the encrypted files by appending to their original names a unique ID assigned to the victim, the cyber criminals' email address, and a ".h3r" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[herozerman@tutanota.com].h3r". Afterwards, H3r ransomware created/displayed a ransom note in a pop-up window and in a text file titled "info.txt".
![MIMUS Ransomware](/images/thumbnails/th-26624-mimus-ransomware.jpg)
What kind of malware is MIMUS?
MIMUS is ransomware that encrypts files, replaces their filenames with a string of random characters and appends the ".encrypted" extension, and drops the "READ_TO_DECRYPT.html" file that contains a ransom note. Our malware researchers discovered MIMUS during an examination of samples submitted to VirusTotal.
An example of how MIMUS modifies filenames: it changes "1.jpg" to "ZGVza3RvcC5pbmk=.encrypted", "2.png" to "HpLtY4PcsT6uwpe=.encrypted", and so forth.
![BOOM (Phobos) Ransomware](/images/thumbnails/th-26623-boom-phobos-ransomware.jpg)
What is BOOM (Phobos) ransomware?
While inspecting new submissions to VirusTotal, our researchers discovered BOOM – a malicious program belonging to the Phobos ransomware family. Malware within this classification is designed to encrypt data and demand ransoms for its decryption.
After we executed a sample of BOOM (Phobos) ransomware on our test machine, it encrypted files and altered their filenames. Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".BOOM" extension. For example, a file initially titled "1.jpg" on our testing system appeared as "1.jpg.id[9ECFA84E-3344].[shadow1779@tutanota.com].BOOM" following encryption.
Once this process was completed, the ransomware created/displayed ransom notes in a pop-up window ("info.hta") and in a text file ("info.txt").
![Opencaptchahere.top Ads](/images/thumbnails/th-26622-opencaptchahere-top-ads.jpg)
What kind of page is opencaptchahere[.]top?
Upon our inspection of opencaptchahere[.]top, we found that it uses a deceptive approach to convince visitors to permit it to send browser notifications. Additionally, opencaptchahere[.]top may redirect visitors to questionable websites. We encountered opencaptchahere[.]top while examining pages that employ shady advertising networks.
![LOBSHOT Malware](/images/thumbnails/th-26621-lobshot-malware.jpg)
What is LOBSHOT?
LOBSHOT is a type of malware with a feature called hVNC (Hidden Virtual Network Computing) that allows attackers to access a victim's computer without being noticed. The hVNC component is effective at evading fraud detection systems. LOBSHOT is also being used to carry out financial crimes through its banking trojan and information-stealing functionalities.
![Fofd Ransomware](/images/thumbnails/th-26620-fofd-ransomware.jpg)
What kind of malware is Fofd?
Fofd is a type of ransomware that belongs to the Djvu family. It encrypts files on the victim's computer and demands a ransom payment for the decryption tools. Our team discovered Fofd while reviewing recently submitted malware samples on the VirusTotal site. It is important to note that Fofd may be distributed along with other malware, such as RedLine or Vidar.
Once Fofd infects a computer, it appends the ".fofd" extension to the filename of every encrypted file. For example, a file named "1.jpg" will be renamed to "1.jpg.fofd", and "2.png" will become "2.png.fofd". Additionally, Fofd creates a ransom note ("_readme.txt").
![Sato Ransomware](/images/thumbnails/th-26619-sato-ransomware.jpg)
What kind of malware is Sato?
During our analysis of malware samples submitted to VirusTotal, our team came across Sato ransomware, which belongs to the Djvu family. Once a computer is infected, Sato encrypts the files and adds the ".sato" extension to their filenames. Moreover, it generates a ransom note (creates a text file named "_readme.txt").
It is worth noting that Sato is likely to be distributed alongside information stealers such as RedLine or Vidar. As an example of how Sato renames files: it changes "1.jpg" to "1.jpg.sato", "2.png" to "2.png.sato", and so on.
![Saba Ransomware](/images/thumbnails/th-26618-saba-ransomware.jpg)
What kind of malware is Saba?
While examining malware samples submitted to VirusTotal, we encountered Saba, a ransomware variant from the Djvu ransomware family. Saba encrypts files and modifies their filenames by adding the extension ".saba". Additionally, it generates a ransom note, a text file named "_readme.txt".
An example of how Saba renames files: it changes "1.jpg" to "1.jpg.saba", "2.png" to "2.png.saba", and so forth. It is worth mentioning that ransomware belonging to the Djvu family is often distributed with information stealers like Vidar and RedLine.
![Bumperskiner.com Ads](/images/thumbnails/th-26617-bumperskiner-com-ads.jpg)
What kind of page is bumperskiner[.]com?
Bumperskiner[.]com is a rogue webpage that our research team found while investigating suspicious sites. Two appearance variants were discovered, both using fake CAPTCHA to promote browser notification spam. Additionally, bumperskiner[.]com is capable of redirecting users to other (likely unreliable/malicious) websites.
Users primarily access pages like bumperskiner[.]com via redirects caused by sites using rogue advertising networks, mistyped URLs, spam notifications, intrusive ads, or installed adware.