Virus and Spyware Removal Guides, uninstall instructions

What is Ety ransomware?

While inspecting new submissions to VirusTotal, our researchers found a new ransomware that belongs to the Xorist ransomware family, which is named Ety. Ransomware is designed to encrypt data and demand payment for decryption.

Once executed on our test system, Ety began encrypting files and changing their filenames. Original titles were appended with a ".ety" extension, e.g., a file named "1.jpg" appeared as "1.jpg.ety", "2.png" as "2.png.ety", and so on for all of the affected files.

Afterward, Ety ransomware created ransom notes in a pop-up window and "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" text file. It must be noted that since the messages are in Russian if the victim's system does not have the Cyrillic alphabet - the text in the pop-up will appear as gibberish.

What kind of website is theupgradedata[.]com?

While analyzing theupgradedata[.]com, we learned that it is a deceptive website designed to lure visitors into agreeing to receive notifications. Also, theupgradedata[.]com redirects to other untrustworthy pages. Our team discovered theupgradedata[.]com while examining pages that use rogue advertising networks.

What kind of email is "Used Memory Account Storage"?

After examining this email, our team concluded that it is a phishing email sent by scammers who seek to extract sensitive information from recipients. This scam email is disguised as a letter from an email service provider. It contains a link to a phishing website. Thus, it should be marked as spam and deleted.

What kind of email is "New Update On Your Account"?

Our analysis of the "New Update On Your Account" email revealed that it is spam. This letter states that the recipient's email needs to be updated and redirects them to a phishing website targeting the account's log-in credentials. In addition to losing their email accounts, successfully scammed victims may also lose the content registered through the email.

What kind of malware is CRASH?

CRASH is ransomware (one of the Dharma ransomware family's variants). It encrypts files, modifies filenames (by appending the victim's ID, netcrash@msgsafe.io email address, and the ".CRASH" extension to filenames), and provides two ransom notes (displays a pop-up window and drops the "info.txt" file.

An example of how CRASH renames files: it changes "1.jpg" to "1.jpg.id-9ECFA84E.[netcrash@msgsafe.io].CRASH", "2.png" to "2.png.id-9ECFA84E.[netcrash@msgsafe.io].CRASH", and so forth. We discovered this ransomware while analyzing malware samples submitted to the VirusTotal website.

What kind of malware is Just?

Just is one of the ransomware variants belonging to the Dharma ransomware family. It encrypts files and appends the victim's ID, justdoit@onionmail.org email address, and ".just" extension to filenames. Also, Just drops "FILES ENCRYPTED.txt" file and displays a pop-up window (both containing a ransom note).

We discovered Just ransomware while checking VirusTotal for recently submitted malware samples. An example of how Just modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[justdoit@onionmail.org].just", "2.png" to "2.png.id-9ECFA84E.[justdoit@onionmail.org].just", and so forth.

What kind of page is mydailydatareport[.]site?

Our researchers discovered the mydailydatareport[.]site rogue page while inspecting dubious websites. It promotes online scams and browser notification spam. Furthermore, it can redirect visitors to other (likely untrustworthy/malicious) sites. Most users enter webpages like mydailydatareport[.]site via redirects caused by sites using rogue advertising networks.

What kind of page is webfreshupdater[.]com?

Webfreshupdater[.]com is a rogue webpage that our researchers discovered while investigating suspicious sites. It promotes browser notification spam and redirects visitors to different (likely untrustworthy or malicious) websites. Users typically access pages akin to webfreshupdater[.]com through redirects caused by sites that use rogue advertising networks.

What kind of email is "Your Password Is About To Expire Tomorrow"?

After checking out the "Your Password Is About To Expire Tomorrow" email, we determined that it is spam. Letters belonging to this campaign operate as phishing scams targeting email account log-in credentials. These fake message urge recipients to avoid their password expiration and redirect to a website disguised as their email account sign-in page.

What is ComedyTab?

During a routine investigation of websites that use rogue advertising networks, our research team found a page endorsing the ComedyTab browser extension. It promises to display jokes from famous comedians on every new browser tab. However, our analysis revealed that in addition to working as advertised, ComedyTab operates as a browser hijacker. This extension alters browser settings and causes redirects.