Virus and Spyware Removal Guides, uninstall instructions
![Mmpu Ransomware](/images/thumbnails/th-24742-mmpu-ransomware.jpg)
What is Mmpu ransomware?
Our research team discovered Mmpu, yet another ransomware belonging to the Djvu family, during a routine investigation of new submissions to VirusTotal.
Once we launched a sample of Mmpu ransomware on our test machine, it encrypted files and appended a ".mmpu" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.mmpu", "2.jpg" as "2.jpg.mmpu", etc. Once the encryption process was finished, a ransom note named "_readme.txt" was created.
![Icarus Stealer](/images/thumbnails/th-24741-icarus-stealer.jpg)
What kind of malware is Icarus?
Icarus is the name of a stealer-type malicious program. It is designed to extract a wide variety of vulnerable data from infected machines. The threats posed by malware of this kind can vary depending on the cyber criminals' goals and the sensitivity of the data stored on victims' devices.
![Key Group Ransomware](/images/thumbnails/th-24740-key-group-ransomware.jpg)
What is Key Group ransomware?
Key Group is a piece of malicious software classified as ransomware. Our researchers discovered this program while inspecting new submissions to VirusTotal. It is noteworthy that Key Group belongs to the Xorist ransomware family.
There are two variants of Key Group; hence, encrypted files are appended with a ".keygroup", ".keygroup777" or ".keygroup777tg" extension. For example, a file initially titled "1.jpg" would appear as "1.jpg.keygroup", "1.jpg.keygroup777" or "1.jpg.keygroup777tg", depending on the ransomware's version.
Afterwards, the ransomware displays a pop-up window and drops a text file named "HOW TO DECRYPT FILES.txt". The pop-up and text file contain identical ransom notes. Additionally, Key Group changes the desktop wallpaper.
![CommandAccess Adware (Mac)](/images/thumbnails/th-24738-commandaccess-adware-mac.jpg)
What is CommandAccess?
CommandAccess is a piece of rogue software that our researchers found while investigating new submissions to VirusTotal. Our analysis of this application revealed that it operates as advertising-supported software (adware). Additionally, we learned that CommandAccess is part of the AdLoad malware family.
![CRYPTCAT Ransomware](/images/thumbnails/th-24737-cryptcat-ransomware.jpg)
What is CRYPTCAT ransomware?
While inspecting new malware submissions to VirusTotal, our research team discovered the CRYPTCAT ransomware-type program.
After we launched a sample of CRYPTCAT on our test system, it encrypted files and altered their names. Original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".crxxx" extension; e.g., a file titled "1.jpg" appeared as "1.jpg.[cb377ac18f].[hopeandhonest@smime.ninja].crxxx".
Following the completion of the encryption process, a ransom note titled "#_README-WARNING_#.TXT" was created on the desktop.
![Cookie Stuffing Browser Extensions](/images/thumbnails/th-24720-cookie-stuffing-browser-extensions.jpg)
What are "Cookie Stuffing Browser Extensions"?
"Cookie Stuffing Browser Extensions" refers to malicious browser extensions designed to insert affiliate IDs into the Internet cookies of specific websites.
We have inspected four such extensions: "AutoBuy Flash Sales, Deals, and Coupons", with the promised functionality of making automatic purchases on limited-time offers; "FlipShope - Price Tracker Extension", capable of tracking and notifying users when discounts and other deals are available; "Full Page Screenshot Capture - Screenshotting", a webpage screenshot taking and editing tool; and "Netflix Party", allowing users to remotely group-watch Netflix shows.
It must be stressed that the features offered by such software seldom work as promised, and in most cases they do not work at all. These four extensions placed affiliate IDs into popular e-commerce website cookies. Furthermore, they all have data tracking abilities.
![Declined Debit Email Virus](/images/thumbnails/th-24736-declined-debit-email-virus.jpg)
What kind of email is "Declined Debit"?
Our inspection of the "Declined Debit" email revealed that it is malspam (malicious spam). This letter aims to trick recipients into opening a virulent attachment by claiming that it contains a declined payment note from the sender's bank.
Once the file attached to this fake email is opened, it initiates the download/installation process of BluStealer malware.
![ChipSynergy Adware (Mac)](/images/thumbnails/th-24735-chipsynergy-adware-mac.jpg)
What is ChipSynergy?
Our research team found the ChipSynergy app during a routine inspection of new submissions to VirusTotal. After analyzing this application, we determined that it is adware belonging to the AdLoad malware family.
![CHEAPLAMINATE Ransomware](/images/thumbnails/th-24734-cheaplaminate-ransomware.jpg)
What is CHEAPLAMINATE ransomware?
While inspecting new submissions to VirusTotal, we discovered the CHEAPLAMINATE malicious program, which is based on another ransomware called Chaos. Malware within this category operates by encrypting data and demanding ransoms for the decryption.
Once we executed a sample of this ransomware on our test machine, it encrypted files and appended their filenames with a ".CHEAPLAMINATE" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.CHEAPLAMINATE", "2.png" as "2.png.CHEAPLAMINATE", and so on.
After the encryption process was finished, CHEAPLAMINATE dropped a ransom note titled "DECRYPTION" onto the desktop.
![PIZZASUCKER Ransomware](/images/thumbnails/th-24733-pizzasucker-ransomware.jpg)
What is PIZZASUCKER ransomware?
While inspecting new submissions to VirusTotal, our research team found PIZZASUCKER, a ransomware based on Chaos.
When we executed a sample on our test machine, this ransomware encrypted files and appended their filenames with a ".ICQ@PIZZASUCKER" extension (which is also the attackers' contact info). For example, a file initially titled "1.jpg" appeared as "1.jpg.ICQ@PIZZASUCKER", "2.png" as "2.png.ICQ@PIZZASUCKER", etc.
Afterwards, PIZZASUCKER ransomware changed the desktop wallpaper and created a ransom-demanding message named "read_it.txt".