Virus and Spyware Removal Guides, uninstall instructions

Knight Ransomware

What kind of malware is Knight?

Knight ransomware is the rebrand of Cyclops. Malware within this classification is designed to encrypt files and demand ransoms for their decryption.

When we executed a sample of Knight on our test system, it began encrypting files and appended a ".knight_l" extension to their filenames. For example, a file initially titled "1.jpg" appeared as "1.jpg.knight_l", "2.png" as "2.png.knight_l", etc. Afterward, a ransom note – "How To Restore Your Files.txt" – was dropped into every encrypted folder on the system.

It is pertinent to mention that the group behind Knight operates it as Ransomware-as-a-Service, and these threat actors also offer information-stealing malware. Hence, there is a possibility that these ransomware infections could have a double-extortion element to them. The variant we investigated mentioned the use of such tactics.

   
Tasa Ransomware

What kind of malware is Tasa?

While inspecting new submissions to the VirusTotal website, our researchers discovered the Tasa malicious program. It is part of the Djvu ransomware family. Programs within this classification operate by encrypting data and making ransom demands for its decryption.

After we launched a sample of Tasa ransomware on our test machine, it encrypted files and added the ".tasa" extension to their filenames. For example, a file initially named "1.jpg" appeared as "1.jpg.tasa", "2.png" as "2.png.tasa", etc. Once this process was finished, a ransom note titled "_readme.txt" was created.

It is worth mentioning that Djvu ransomware commonly infiltrates systems alongside data stealers such as RedLine, Vidar, and others.

   
Taoy Ransomware

What kind of malware is Taoy?

Our research team discovered another ransomware from the Djvu family called Taoy during a routine inspection of new submissions to the VirusTotal website. Ransomware is designed to encrypt data and demand payment for its decryption.

On our test machine, Taoy encrypted files and appended a ".taoy" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.taoy", "2.png" as "2.png.taoy", and so on for all of the affected files. Once the encryption process was completed, Taoy ransomware created a ransom-demanding message titled "_readme.txt".

It is pertinent to mention that Djvu ransomware is commonly distributed alongside information-stealing malware such as RedLine, Vidar, or others. Therefore, in addition to data loss, these infections may seriously threaten victims' privacy.

   
MediaScape - New Tab Browser Hijacker

What kind of software is MediaScape - New Tab?

Our research team found the MediaScape - New Tab browser extension while investigating dubious websites. This extension promises to display browser wallpapers.

After analyzing this piece of software, we determined that it is a browser hijacker. MediaScape - New Tab makes changes to browser settings in order to promote (through redirects) the tubeextension1.com fake search engine.

   
S.H.O Ransomware

What kind of malware is S.H.O?

Our researchers discovered S.H.O ransomware during a routine review of new submissions to the VirusTotal website. Malicious programs within the ransomware classification are designed to encrypt data and demand payment for its decryption.

Once we executed a sample of S.H.O on our test system, it began encrypting files and altered their filenames. An extension consisting of a random character string was appended to the original filenames, e.g., a file initially named "1.jpg" appeared as "1.jpg.5zsMS", "2.png" as "2.png.s6NmE", etc. Afterwards, the ransomware changed the desktop wallpaper and created a ransom note titled "Readme.txt".

   
Capital One SECURITY MESSAGE Email Scam

What kind of email is "Capital One SECURITY MESSAGE"?

"Capital One SECURITY MESSAGE" is a phishing email. It is disguised as a notification from Capital One regarding an incoming payment to the recipient's account. Supposedly, the payment verification process requires them to sign in through an attached HTML document, which is a phishing file that records entered information.

It must be stressed that this fake email is in no way associated with the real Capital One bank holding company.

   
New Tab Nature Browser Hijacker

What kind of software is New Tab Nature?

Our researchers discovered the New Tab Nature browser extension while investigating untrustworthy sites. This piece of software promises to display nature-themed browser wallpapers. After analyzing this extension, we determined that it is a browser hijacker. New Tab Nature makes modifications to browser settings in order to generate redirects.

   
Joyful Quotes Browser Hijacker

What kind of software is Joyful Quotes?

Joyful Quotes is a browser extension promising to display quotes from famous writers and figures. Our research team discovered this piece of software while inspecting dubious websites.

After analyzing Joyful Quotes, we determined that it is a browser hijacker. This extension modifies browser settings to promote (via redirects) the goog.joyfullquotes.com fake search engine.

   
VantageGains Adware (Mac)

What kind of application is VantageGains?

VantageGains is a rogue application that our researchers discovered while investigating the VirusTotal website. After analyzing this piece of software, we determined that it is adware. VantageGains is part of the AdLoad malware family. This app operates by running intrusive ad campaigns.

   
Alock Ransomware

What kind of malware is Alock?

During a routine inspection of new submissions to the VirusTotal website, our research team discovered the Alock ransomware-type program. It is part of the MedusaLocker ransomware family.

On our test system, Alock ransomware encrypted files and appended a ".alock" extension to their filenames. For example, a file originally named "1.jpg" appeared as "1.jpg.alock", "2.png" as "2.png.alock", and so on for all of the locked files.

After the encryption process was completed, a ransom-demanding message titled "HOW_TO_BACK_FILES.html" was created. Based on the message therein, it is evident that Alock targets companies rather than home users. This ransomware also uses double extortion tactics.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.
