Virus and Spyware Removal Guides, uninstall instructions

What is JS ransomware?

Our researchers found the JS ransomware-type program during a routine inspection of new malware submissions to VirusTotal.

After launching a sample on our test machine, we learned that the JS program encrypts files and appends their filenames with a ".JS" extension (not to be confused with the .JS JavaScript file extension). For example, a file initially named "1.jpg" appeared as "1.jpg.JS", "2.jpg" as "2.jpg.JS", and so on.

Once the encryption was completed, the ransomware created a ransom note - "RESTORE_FILES_INFO.txt" - on the desktop. The text presented within it allows us to conclude that the JS malicious program targets companies rather than home users.

What kind of malware is Binwu?

Binwu is ransomware that belongs to a ransomware family called Xorist. Our team has discovered Binwu while examining the samples submitted to VirusTotal. After analyzing this ransomware, we have found that it encrypts files, appends the ".Binwu" extension to filenames, and creates the "КАК РАСШИФРОВАТЬ ФАЙЛЫ.txt" file/a ransom note.

An example of how Binwu modifies filenames: it renames "1.jpg" to "1.jpg.Binwu", "2.png" to "2.png.Binwu", "3.exe" to "3.exe.Binwu", and so on.

What kind of page is emolumentsurvey[.]top?

Emolumentsurvey[.]top is a rogue webpage that we discovered while inspecting untrustworthy sites. It is designed to load dubious content, promote browser notification spam, and redirect visitors to other unreliable/malicious websites. Most users access emolumentsurvey[.]top and similar pages via redirects caused by rogue advertising networks.

What is Best Converter Online?

During a routine inspection of untrustworthy websites, our researchers discovered the Best Converter Online browser extension. It is promoted as a tool for easy file format conversion. After analyzing it, we determined that it is a piece of advertising-supported software (adware).

What kind of website is profitsurvey[.]top?

Profitsurvey[.]top is a shady website that our team has discovered while examining torrent sites, illegal movie streaming pages, and other websites that use rogue advertising networks. We have analyzed profitsurvey[.]top and learned that it asks for permission to show untrustworthy notifications, displays a fake survey, and redirects to other shady pages.

What kind of scam is "Habib Bank AG Zurich"?

We have analyzed this email and found that scammers use it to trick recipients into providing email account login credentials. This email is disguised as a letter from Habib Bank AG Zurich - a Swiss multinational commercial bank. It contains an HTM file asking to verify email to view a payment receipt.

What is Letsgo600 ransomware?

Letsgo600 is a ransomware-type program designed to encrypt data and demand ransoms for the decryption. Our research team found it during a routine inspection of new malware submissions to VirusTotal. We have determined that Letsgo600 belongs to the ZEPPELIN ransomware family.

Once launched onto our test system, this ransomware encrypted files and appended their filenames with a ".@letsgo600 .[victim's_ID]" extension. For example, a file originally titled "1.jpg" appeared as "1.jpg.@letsgo600 .13D-8D4-F97", and so on. A different variant of this ransomware uses ".letsgo290" instead of ".@letsgo600".

Afterwards, a ransom-demanding message - "!!! ALL YOUR FILES ARE ENCRYPTED !!!.TXT" - was dropped onto the desktop.

What is ProcessRate?

Discovered by our researchers on VirusTotal, ProcessRate is an adware-type application. It also belongs to the AdLoad malware family. This app operates by running intrusive advertisement campaigns, and it may have other harmful abilities.

What kind of malware is Sorryitsjustbusiness?

We have discovered the Sorryitsjustbusiness ransomware while examining malware samples submitted to VirusTotal. Our team has analyzed Sorryitsjustbusiness and found that this ransomware encrypts files and appends a string of four random characters to filenames as the file extension. For example, it renames "1.jpg" to "1.jpg.bjeq", "2.jpg" to "2.jpg.8i9g".

Like most ransomware variants, Sorryitsjustbusiness provides a ransom note. It creates the "read_it.txt" text file and changes the desktop wallpaper. Both of them contain are ransom notes containing contact and payment information.

What is "Download all your blocked email messages"?

After inspecting the "Download all your blocked email messages" letter, our researchers determined that it is a phishing scam. This email makes false claims about incoming messages having failed to reach the recipient's mailbox, and it instructs to update the account to retrieve the letters.