Virus and Spyware Removal Guides, uninstall instructions

What kind of page is getbrowbeatgroup[.]com?

Getbrowbeatgroup[.]com is a rogue page that our research team found while inspecting questionable websites. It is designed to push browser notification spam and redirect visitors to other (likely unreliable/hazardous) sites.

Users typically access webpages like getbrowbeatgroup[.]com through redirects caused by websites that employ rogue advertising networks.

What is AttackSystem ransomware?

Our research team discovered the AttackSystem ransomware-type program while investigating new submissions to the VirusTotal website. This program is part of the MedusaLocker ransomware family.

On our testing machine, AttackSystem encrypted data. The filenames of the affected files were appended with a ".attacksystem" extension. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.attacksystem", "2.png" as "2.png.attacksystem", and so on.

Afterwards, this ransomware created a ransom note titled "How_to_back_files.html". Based on the message therein, it is evident that AttackSystem targets large entities rather than home users.

What is CrypBits256 ransomware?

While investigating new submissions to VirusTotal, our researchers discovered the CrypBits256 ransomware. This program belongs to the Xorist ransomware family. It is designed to encrypt data and demand payment for its decryption.

When CrypBits256 was executed on our test system, it began encrypting files and appending their filenames with a ".CrypBits256PT2" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.CrypBits256PT2", "2.png" as "2.png.CrypBits256PT2", etc.

After this process was finished, CrypBits256 created identical ransom notes in a pop-up window and text file named "HOW TO DECRYPT FILES.txt". The message was in Portuguese.

What kind of application is CyclinGuru?

Upon examination of the CyclinGuru browser extension, we found that it takes over a web browser by altering its settings with the aim of promoting a fake search engine called privatesearchqry.com. As a result, we have classified CyclinGuru as a browser hijacker.

What kind of page is npdnnsgg[.]com?

Npdnnsgg[.]com is a rogue webpage that we discovered while investigating suspicious sites. It operates by promoting spam browser notifications and redirecting visitors to different (likely untrustworthy/harmful) websites. Most users access pages like npdnnsgg[.]com via redirects generated by sites that use rogue advertising networks.

What kind of software is "Drinking Well"?

Our researchers found the Drinking Well browser extension while inspecting dubious sites. It is endorsed as a tool for tracking and improving users' hydration habits.

However, our analysis of Drinking Well revealed that it is a browser hijacker, i.e., the extension modifies browser settings to promote (via redirects) the finddbest.co illegitimate search engine.

What is H3r ransomware?

H3r is a ransomware discovered by our researchers during a routine inspection of new submissions to VirusTotal. This program is part of the Dharma ransomware family and operates by encrypting data in order to demand ransoms for its decryption.

On our testing system, H3r renamed the encrypted files by appending their titles with a unique ID assigned to the victim, the cyber criminals' email address, and a ".h3r" extension. For example, a file originally named "1.jpg" appeared as "1.jpg.id-9ECFA84E.[herozerman@tutanota.com].h3r". Afterwards, H3r ransomware displayed/created a ransom note in a pop-up window and a text file titled "info.txt".

What kind of malware is MIMUS?

MIMUS is ransomware that encrypts files, replaces their filenames with a string of random characters and appends the ".encrypted" extension, and drops the "READ_TO_DECRYPT.html" file that contains a ransom note. Our malware researchers discovered MIMUS during an examination of samples submitted to VirusTotal.

An example of how MIMUS modifies filenames: it changes "1.jpg" to "ZGVza3RvcC5pbmk=.encrypted", "2.png" to "HpLtY4PcsT6uwpe=.encrypted", and so forth.

What is BOOM (Phobos) ransomware?

While inspecting new submissions to VirusTotal, our researchers discovered BOOM – a malicious program belonging to the Phobos ransomware family. Malware within this classification is designed to encrypt data and demand ransoms for its decryption.

After we executed a sample of BOOM (Phobos) ransomware on our test machine, it encrypted files and altered their filenames. Original files were appended with a unique ID assigned to the victim, the cyber criminals' email address, and a ".BOOM" extension. For example, a file initially titled "1.jpg" on our testing system appeared as "1.jpg.id[9ECFA84E-3344].[shadow1779@tutanota.com].BOOM" following encryption.

Once this process was completed, the ransomware created/displayed ransom notes in a pop-up window ("info.hta") and text file ("info.txt").

What kind of page is opencaptchahere[.]top?

Upon our inspection of opencaptchahere[.]top, it was found to use a deceitful approach to convince visitors to permit it to send notifications. Also, opencaptchahere[.]top may redirect visitors to questionable websites. Opencaptchahere[.]top was encountered while examining pages that employ shady advertising networks.