Virus and Spyware Removal Guides, uninstall instructions

What is Royroy ransomware?

During a routine inspection of new malware submissions to VirusTotal, our researchers discovered the Royroy ransomware. Additionally, it has to be mentioned that this malicious program is part of the ZEPPELIN ransomware family.

On our test system, Royroy encrypted files and appended their filenames with the ".royroy.[victim's_ID]" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.royroy.1C1-98A-33A". Once this process was completed, a ransom note - "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" - was created on the desktop.

What is "Unusual Sign-in Activity" email scam?

After examining this email, we learned that the scammers behind it attempt to trick recipients into providing their login credentials. They claim that the email account has been suspended due to unusual sign-in activity. They aim to trick recipients into opening the provided page and entering their passwords.

What is RoundEmporium?

While performing a routine inspection of new submissions to VirusTotal, our research team discovered the RoundEmporium rogue application. Our analysis of this app revealed that it operates as advertising-supported software (adware). Additionally, we learned that RoundEmporium belongs to the AdLoad malware family.

What kind of malware is FIXED?

FIXED ransomware is part of the Babuk ransomware family. We have discovered this ransomware while examining the samples submitted to the VirusTotal page. FIXED prevents victims from accessing/using files by encrypting them, appends the ".FIXED" extension to filenames, and drops the "How To Restore Your Files.txt" file (a ransom note) on the desktop.

An example of how FIXED ransomware modifies filenames: it renames "1.jpg" to "1.jpg.FIXED", "2.png" to "2.png.FIXED", "3.exe" to "3.exe.FIXED", and so forth.

What kind of software is ActivateOptimization?

ActivateOptimization is the name of an application discovered by our team during an examination of shady websites distributing fake Adobe Flash Player installers. We found that ActivateOptimization is designed to display annoying ads. Therefore, we classified this app as adware.

What is FIASKO ransomware?

FIASKO is a malicious program categorized as ransomware, which our researchers discovered while inspecting new submissions to VirusTotal. We determined that this program belongs to the Phobos ransomware family.

Once we executed a sample of FIASKO on our test system, it encrypted files and changed their titles. The original filenames were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".FIASKO" extension. For example, a file initially named "1.jpg" appeared as "1.jpg.id[9ECFA84E-3334].[decrypt2022@msgsafe.io].FIASKO".

Afterwards, ransomware notes were created - "info.hta" (pop-up) and "info.txt", which contained identical messages. The text presented in these notes indicated that FIASKO ransomware targets companies rather than home users.

Wha kind of malware t is Hhew?

Hhew is the name of ransomware belonging to the Djvu ransomware family. Our malware researchers discovered it while checking the VirusTotal page for recently submitted malware samples. Hhew is designed to encrypt files, append its extension (".hhew") to filenames, and create a text file ("_readme.txt") containing a ransom note.

An example of how Hhew renames files: it changes "1.jpg" to "1.jpg.hhew", "2.png" to "2.png.hhew", "3.exe" to "3.exe.hhew", and so forth.

What kind of malware is Hhwq?

Hhwq is ransomware belonging to the Djvu family. Our malware researchers discovered it during an analysis of samples submitted to the VirusTotal page. Hhwq encrypts files and appends ".hhwq" extension to filenames (for example, it renames "1.jpg" to "1.jpg.hhwq", "2.png" to "2.png.hhwq", and so forth). It also drops the "_readme.txt" file (a ransom note).

What is Lilith ransomware?

Lilith is the name of a malicious program categorized as ransomware. Malware within this category is designed to encrypt data and demand payment for the decryption.

When we executed a sample of Lilith on our testing machine, it encrypted files and appended their filenames with a ".lilith" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.lilith", "2.png" as "2.png.lilith", etc. Afterwards, a ransom-demanding message named "Restore_Your_Files.txt" - was created on the desktop.

What is NoMercy Stealer?

NoMercy is a piece of malicious software classified as a stealer. Malware within this classification operates by extracting a wide variety of sensitive information from infected machines. These programs can have a broad range of abilities for stealing data.