Virus and Spyware Removal Guides, uninstall instructions

.SYS Ransomware

What is .SYS?

Discovered by Michael Gillespie, .SYS is another ransomware-type infection. As with most of these infections, it is designed to block access to files by encryption and keep them locked until ransom demands are met. Once the computer is infected and files are encrypted, .SYS renames each file to a 16-character hexadecimal string with the ".SYS" extension.

For example, "1E857D004DFB70F474DFF1B265DAB864.SYS". All encrypted files receive a different string. Note that .SYS places a ransom-demand text file ("_HELP_INSTRUCTION.TXT") in each folder containing encrypted files.

   
Mercury Ransomware

What is Mercury?

Discovered by Michael Gillespie, Mercury is malicious software (ransomware) that encrypts data and prevents victims from accessing it. Once encryption is finished, all infected files are renamed by adding the ".Mercury" extension. For example, a file with the filename "1.jpg" becomes "1.jpg.Mercury".

Mercury also generates the "!!!READ_ME!!!.txt" text file containing a ransom-demand message. This file is placed in each folder containing encrypted data.

   
Kali Ransomware

What is Kali?

Kali ransomware is malicious software that cyber criminals (the developers of the software) use to block access to data on an infected computer by encryption. Once encrypted, files become unusable. Kali renames every affected file by appending the ".kali" extension.

For example, "sample.jpg" becomes "sample.jpg.kali". Kali's victims are provided with a ransom message within a text file called "HOW TO DECRYPT FILES.txt", which can be found in each folder that contains encrypted data.

   
Forma Ransomware

What is Forma?

Discovered by GrujaRS, Forma is a high-risk computer infection that is classified as ransomware. Forma's developers use it to affect computers by encrypting data, thus making files unusable. Files are encrypted using SHA-2 (SHA-256) cryptography and victims cannot use their files unless a ransom is paid.

Every encrypted file is renamed by addition of the ".locked" extension. For example, "1.jpg" is renamed to "1.jpg.locked". This ransomware also opens a full-screen pop-up window, changes the desktop wallpaper, and generates a text file (containing a ransom message).

   
Brexit Email Virus

What is "Brexit Email Virus"?

These email scams are often used to trick recipients into downloading and opening an attachment. In this case, users are encouraged to click a link that leads to a malicious file. Scammers/cyber criminals use "Brexit Email Virus" to distribute Ursnif, a trojan-type computer infection used to record personal/sensitive details.

If you have received this email, we strongly recommend that you ignore it and certainly do not click/open any links.

   
Doubleoffset Ransomware

What is Doubleoffset?

Doubleoffset is a computer infection that belongs to the Cryakl ransomware family. Typically, cyber criminals attempt to infect computers with ransomware for the purposes of blackmail - they demand ransom payments in return for decryption tools or keys.

Doubleoffset renames all encrypted files by prepending the "email-biger@x-mail.pro.ver-CL 1.5.1.0.id-[victim's_ID].fname-" string and adding the ".doubleoffset" extension. For example, "1.jpg" might be renamed to a filename such as "email-biger@x-mail.pro.ver-CL 1.5.1.0.id-512064768-82822172792612420478100.fname-1.jpg.doubleoffset". 

Doubleoffset also generates a "README.txt" text file and opens a pop-up window. Other variants of this ransomware rename encrypted files using a different email address, for example "email-coolguay@tutanota.com.ver-CL 1.5.1.0.id-512064768-82822172792612420478100.fname-1.jpg.doubleoffset".

   
Barbitinnovans.info POP-UP Redirect

What is barbitinnovans.info?

The internet is full of untrustworthy, rogue websites including barbitinnovans.info. This site is very similar to many other dubious websites such as touchpushthen.info, googlo.co, and hotchedmothe.club. Its main purpose is to redirect users to other dubious/untrustworthy websites.

Users often visit barbitinnovans.info unintentionally, since they are redirected to it by potentially unwanted applications (PUAs). These apps are usually installed without users' knowledge, cause redirects, deliver advertisements, and collect browsing-related information.

   
FORTUNADIGITAL Email Virus

What is "FORTUNADIGITAL Email Virus"?

"FORTUNADIGITAL Email Virus" is an email scam used by cyber criminals who attempt to trick recipients into downloading and installing Remcos RAT, a remote access tool. Like most spam email campaigns, this one contains an attachment presented as a legitimate document.

Once opened, however, it installs the remote access tool. Remcos RAT is a legitimate tool; however, it is often used by cyber criminals to generate revenue in malicious ways. Therefore, we strongly recommend that you ignore "FORTUNADIGITAL Email Virus" scam email messages.

   
Gerber Ransomware

What is Gerber?

Discovered by Emmanuel_ADC-Soft, Gerber is categorized as malicious software (ransomware) that blocks access to data by encryption. Once a computer is infected, it renames each locked file by adding the ".gerber5" extension (the extension contains a unique ID that is assigned to each victim individually).

For example, "1.jpg" might become "1.jpg.!!BVINO!!.MrAlex.gerber5", and so on. Gerber also generates a "Decrypt.TXT" text file, a pop-up window, and changes the desktop wallpaper, all of which present ransom messages.

   
Outsider Ransomware

What is Outsider?

Outsider is classified as a ransomware-type computer infection designed to make files unusable by encryption. This virus was discovered by GrujaRS and, like most programs of this type, renames each encrypted file by adding a specific extension - in this case, ".protected".

For example, "1.jpg" becomes "1.jpg.protected". Outsider also generates a "HOW_TO_RESTORE_FILES.txt" ransom message and places it in every folder that contains locked files.

   
