Virus and Spyware Removal Guides, uninstall instructions

H0lyGh0st Ransomware

What is H0lyGh0st ransomware?

H0lyGh0st, also known as HolyGhost, is a ransomware-type program. It is designed to encrypt data and demand ransom for decryption. Furthermore, H0lyGh0st infections are known to involve double extortion tactics (i.e., additional threats to leak the stolen data).

This malware has been linked to North Korean cybercriminals targeting small-to-medium-sized businesses; the Microsoft Threat Intelligence Center has been tracking this activity.

After we launched a sample of H0lyGh0st on our testing system, it encrypted files and modified their names. The original filenames were changed to a random character string and were appended with the ".h0lyenc" extension. For example, a file titled "1.jpg" appeared as "U3RhcnQgVG9yIEJyb3dzZXIubG5r.h0lyenc", "2.png" as "SVBWYW5pc2gubG5r.h0lyenc", etc.

Afterwards, an HTML file named "FOR_DECRYPT.html" was dropped onto the desktop. This file contained the ransom-demanding message.

   
Cleancaptcha.top Ads

What kind of page is cleancaptcha[.]top?

Cleancaptcha[.]top is a deceptive website that we discovered while inspecting websites that use rogue advertising networks. It displays deceptive content (a fake CAPTCHA) to trick visitors into agreeing to receive notifications. Additionally, cleancaptcha[.]top redirects to scam websites.

   
Strength Adware

What is Strength adware?

While inspecting scam webpages, our researchers discovered one promoting the Strength rogue application. After analyzing this app, we determined that it operates as advertising-supported software (adware).

   
ApolloRAT Malware

What is ApolloRAT?

ApolloRAT is a piece of malicious software categorized as a RAT (Remote Access Trojan). Malware of this kind enables remote access and control over infected devices.

ApolloRAT is written in Python. Python programs are usually run by an interpreter rather than compiled to native code. The developers of this RAT instead used the Nuitka source-to-source compiler, an uncommon choice, and the complexity of the resulting binaries makes ApolloRAT difficult to reverse engineer.

It is also noteworthy that this malware uses the Discord messaging platform as its C&C (command and control) server, yet another characteristic of ApolloRAT that hinders its detection.

   
Ggwq Ransomware

What is Ggwq ransomware?

Our researchers discovered the Ggwq ransomware-type program during a routine inspection of new malware submissions to VirusTotal. This malicious program is part of the Djvu ransomware family.

After being launched on our test machine, Ggwq encrypted files and appended their names with the ".ggwq" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.ggwq", "2.png" as "2.png.ggwq", and so forth. Following the completion of this process, a ransom note - "_readme.txt" - was created.

   
Xrom Ransomware

What kind of malware is Xrom?

While examining malware samples submitted to the VirusTotal page, our team came across ransomware called Xrom, which belongs to the Dharma family. Xrom encrypts files and appends the victim's ID, the money21@onionmail.org email address, and the ".xrom" extension to filenames. It also drops the "FILES ENCRYPTED.txt" file and displays a pop-up window containing a ransom note.

An example of how Xrom ransomware modifies filenames: it renames "1.jpg" to "1.jpg.id-9ECFA84E.[money21@onionmail.org].xrom", "2.png" to "2.png.id-9ECFA84E.[money21@onionmail.org].xrom", and so forth.

   
Ggew Ransomware

What is Ggew ransomware?

Ggew is yet another ransomware belonging to the Djvu family, which our researchers discovered while inspecting new malware submissions to VirusTotal.

When we executed a sample of Ggew on our test machine, it encrypted files and appended their filenames with a ".ggew" extension. For example, a file initially titled "1.jpg" appeared as "1.jpg.ggew", "2.png" as "2.png.ggew", etc. Once this process was finished, a ransom-demanding message named "_readme.txt" was created.

   
Ggyu Ransomware

What kind of malware is Ggyu?

While examining malware samples submitted to VirusTotal, our malware researchers came across Ggyu - ransomware designed to encrypt files. We also found that Ggyu appends the ".ggyu" extension to filenames and drops the "_readme.txt" file (a file containing a ransom note). We further determined that this ransomware belongs to the Djvu family.

An example of how Ggyu renames files: it changes "1.jpg" to "1.jpg.ggyu", "2.png" to "2.png.ggyu", "3.exe" to "3.exe.ggyu", and so forth.

   
Ggeo Ransomware

What kind of malware is Ggeo?

While inspecting malware samples submitted to the VirusTotal page, we discovered ransomware (belonging to the Djvu family) called Ggeo. It encrypts files and appends its extension to filenames. For example, Ggeo renames "1.jpg" to "1.jpg.ggeo", "2.png" to "2.png.ggeo", etc. It also drops the "_readme.txt" file, which contains the ransom note.

   
Easydating.top Ads

What kind of page is easydating[.]top?

Our research team found the easydating[.]top rogue webpage during a routine inspection of questionable websites. This page promotes browser notification spam and redirects visitors to different (likely untrustworthy and/or malicious) websites.

Most users enter easydating[.]top and similar webpages via redirects caused by sites that use rogue advertising networks.

   

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers.