Virus and Spyware Removal Guides, uninstall instructions
![Rkhwhrogq Ransomware](/images/thumbnails/th-24581-rkhwhrogq-ransomware.jpg)
What is Rkhwhrogq ransomware?
Our research team discovered the Rkhwhrogq ransomware-type program during a routine inspection of new submissions to VirusTotal. We determined that this program is part of the Snatch ransomware family.
After we launched a sample of Rkhwhrogq on our test system, it encrypted files and appended a ".rkhwhrogq" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.rkhwhrogq", "2.png" as "2.png.rkhwhrogq", etc.
Once the encryption was completed, a ransom note - "HOW TO RESTORE YOUR FILES.TXT" - was created. The message within this file indicates that this ransomware targets companies rather than home users.
![Action Colors Adware](/images/thumbnails/th-24578-action-colors-adware.jpg)
What kind of application is Action Colors?
While analyzing the Action Colors application, we learned that it is a browser extension that shows intrusive advertisements and can read and change all data on all web pages. Apps that generate unwanted advertisements are classified as adware. We discovered Action Colors on a shady website offering to download a "useful" extension.
![CentralGeo Adware (Mac)](/images/thumbnails/th-24579-centralgeo-adware-mac.jpg)
What is CentralGeo?
CentralGeo is a piece of rogue software. After we installed this app on our test machine, we learned that it operates as adware. CentralGeo runs intrusive advertisement campaigns, and it might cause redirects and collect private data. Additionally, this application is part of the AdLoad malware family.
![Checkmate Ransomware](/images/thumbnails/th-24577-checkmate-ransomware.jpg)
What is Checkmate ransomware?
Checkmate is the name of a malicious program classified as ransomware. It is designed to encrypt data and demand payment for the decryption.
After we executed a sample of Checkmate on our test machine, it encrypted files and appended a ".checkmate" extension to their filenames. For example, a file originally titled "1.jpg" appeared as "1.jpg.checkmate", "2.png" as "2.png.checkmate", and so on.
Once the encryption process was completed, this ransomware created a ransom-demanding message named "!CHECKMATE_DECRYPTION_README.txt" on the desktop.
![Readlockfiles Ransomware](/images/thumbnails/th-24576-readlockfiles-ransomware.jpg)
What kind of malware is Readlockfiles?
While examining malware samples submitted to the VirusTotal website, we discovered Readlockfiles ransomware that encrypts files. Readlockfiles belongs to the MedusaLocker ransomware family. It not only encrypts files but also renames them by appending the ".readlockfiles" extension to filenames and drops the "HOW_TO_RECOVER_DATA.html" file (a ransom note) on the desktop.
An example of how Readlockfiles modifies filenames: it renames "1.jpg" to "1.jpg.readlockfiles", "2.png" to "2.png.readlockfiles", and so forth.
![HorizonElite Adware (Mac)](/images/thumbnails/th-24575-horizonelite-adware-mac.jpg)
What kind of application is HorizonElite?
After examining HorizonElite, we learned that it is a useless application that generates intrusive advertisements. Apps that show ads are classified as adware. We discovered HorizonElite while analyzing deceptive web pages suggesting that installed software is outdated. This app is distributed via a fake installer.
![Watch Ransomware](/images/thumbnails/th-24574-watch-ransomware.jpg)
What kind of malware is Watch?
Watch is the name of ransomware belonging to the Dharma ransomware family. Our team discovered Watch while examining malware samples submitted to the VirusTotal site. The purpose of Watch ransomware is to encrypt files. Additionally, it modifies filenames, displays a pop-up window containing a ransom note, and drops another ransom note ("info.txt") on the desktop.
Watch ransomware appends the victim's ID, watch@msgden.net email address, and ".watch" extension to filenames. For example, it renames "1.jpg" to "1.jpg.id-9ECFA84E.[watch@msgden.net].watch", "2.png" to "2.png.id-9ECFA84E.[watch@msgden.net].watch", and so forth.
![Filmedia Adware](/images/thumbnails/th-24573-filmedia-adware.jpg)
What is Filmedia?
While inspecting dubious software-promoting websites, our researchers discovered the Filmedia browser extension. This piece of software is endorsed as an easy-access tool for movies. It is supposedly capable of providing the appropriate streaming services when users enter a film's title. However, our analysis of Filmedia revealed that it operates as adware.
![BrutusptCrypt Ransomware](/images/thumbnails/th-24572-brutusptcrypt-ransomware.jpg)
What is brutusptCrypt ransomware?
brutusptCrypt is a ransomware-type program. It is designed to encrypt data and demand payment for the decryption. When we executed a sample of this malware on our system, we learned that it appends a ".brutusptCrypt" extension to the names of the encrypted files. For example, a file initially titled "1.jpg" appeared as "1.jpg.brutusptCrypt", "2.png" as "2.png.brutusptCrypt", etc.
Afterwards, a pop-up window was displayed, and a text file - "Payment_Instructions.brutusptCrypt.txt" - was created on the desktop. While these ransom notes mention and imply that the attackers are from Airbus Cybersecurity, it must be emphasized that the actual company with this name is in no way associated with the brutusptCrypt ransomware.
Fortunately, current versions of brutusptCrypt are decryptable; Avast has released a free decryption tool for this ransomware (more information below).
![PLAY Ransomware](/images/thumbnails/th-24571-play-ransomware.jpg)
What is PLAY ransomware?
PLAY is the name of a ransomware-type program. Malware categorized as such operates by encrypting data and demanding ransoms for the decryption.
After we executed a sample of this ransomware on our test machine, it encrypted files and appended a ".PLAY" extension to their filenames. For example, a file titled "1.jpg" appeared as "1.jpg.PLAY", "2.png" as "2.png.PLAY", etc. Once the encryption process was completed, PLAY created a text file named "ReadMe.txt" on the desktop.