ByteFence tries to get rid of its negative reputation

ByteFence ditches its shady distribution method and stops changing browser settings

If you follow the latest security news or are always looking for high-end protection for your computer, you may have heard about ByteFence. However, most likely you have read hundreds of negative reviews and questions asking whether this anti-malware can be trusted.

Indeed, a couple of years ago, this security program grabbed the cyber community’s attention. Many people reported sudden system scans which ended with threatening malware reports. No one remembered installing ByteFence or asking it to check the system.

Research has shown that the developers of the program used software bundling, which allowed it to get into the system unnoticed during the installation of freeware and shareware. Soon after the silent installation, it started scanning the system and scaring users with the results.

Those who decided to check what this program is, why it offers its cleaning services, and how to uninstall it, were surprised one more time. Once they opened their web browsers, they found an unknown homepage –

But it seems that the developers of the security program decided to stop these aggressive marketing activities. According to recent analysis, ByteFence is no longer actively promoted in freeware and shareware bundles. It also does not ask to change the homepage or default search engine.

The security program no longer gives false positives in order to make people pay for the license

On the official download website, the program is advertised as:

Ultimate protection against Malware, Spyware and Crapware, for Free

This security software has a free version that can identify crapware and malware infections. However, in order to remove cyber threats, you need to obtain a license. The developers used to spread a free version that displayed false positives on computers. In this way, people were frightened into buying the license in order to clean their machines.

According to the latest research data, the free version does not deliver false positives anymore. Moreover, after downloading the program, you can enjoy the perks of the paid version for two weeks. That is enough time to check whether it is worth spending almost $30 for a 12-month license key.

We downloaded ByteFence and gave this tool one more chance to prove to us that the developers have finally learned from their past mistakes. After a quick and successful installation, the program started scanning the system.

Despite the fact that it was supposed to take only “a few minutes,” we waited for the scan results for almost half an hour. No, our computer is not cluttered! The good news is that during the system scan, the computer’s performance did not diminish significantly.

After the scan, the program warned about detected infections. We were quite surprised, but it managed to find two potentially unwanted applications. However, the fact that they were marked as “critical risks” and called “malware” tells us that the developers still want to threaten users at least a little.

However, we let ByteFence clean these threats and kept it on the PC for more than two weeks in order to check whether the program starts any aggressive activities. We only received a few notifications to upgrade to the paid version: no annoying pop-ups every single hour, no sudden system scans that end with detected hazardous viruses.

Reputation improved, but it’s still not the best security software

We are happy that Byte Technologies learned from its mistakes and started working on ByteFence’s reputation. There’s no doubt that it takes time to change users’ and security specialists’ opinion. Meanwhile, it is also important to work on the functionality of the program.

The free version works only as a scanner, but ByteFence Pro offers more features:

  • real-time protection from crapware and malware;
  • quarantine infected files;
  • malware removal;
  • scheduled system scans;
  • file whitelisting;
  • online protection for the browser;
  • proxy settings.

However, compared to other security programs, this one does not show the best results. It takes quite a long time to scan the system. Additionally, it may fail to protect machines from ransomware, zero-day malware, rootkits or bootkits. The software does not offer anti-phishing, anti-fraud, anti-theft, webcam or USB protection either.

Indeed, there’s plenty of room to improve. However, we expect to see more positive changes. Maybe we will soon have another great security tool on the market.

Antivirus detects idp.alexa.51 malware: what should you do about it?

Idp.alexa.51 – malware detected by popular antivirus programs

During the past couple of years, computer users have been chatting on various forums about a strange malware detection. Idp.alexa.51 was a hot topic and a major problem for the popular AV engines AVG, Avira, and Avast. These security programs displayed a false positive and warned about a non-existent cyber threat.

The Idp.alexa.51 file is a part of online games and applications, such as “EasySpeedUpManager2,” “Plants vs. Zombies,” and “SeaMonkey.” However, after the installation of these apps, antivirus programs displayed a threatening alert – the computer is infected.

Problems were also reported during the installation of HitmanPro – a secondary anti-virus scanner and malware removal tool. One of the files that belongs to the software, HitmanPro.exe, was also identified as Idp.alexa.51 malware.

The issue has been widely reported by Windows 8.1 and Windows 10 users since 2016. It was nothing more than a bug that displayed false positives. Despite the fact that security vendors fixed the problem and offered updates, reports about the same problem keep emerging in 2018. However, specialists warn that such virus detections should not be overlooked.

Idp.alexa.51 might be malicious

When a security program displays an alert about a detected cyber threat, you should not ignore it. Indeed, in some cases, it might malfunction and display fake threats. However, if you have noticed your computer acting oddly, you should take the security warning into consideration.

Some security specialists report that the idp.alexa.51 file might be associated with malware. Some Trojan horses use this misleading name to infiltrate machines and perform harmful activities in the background. This cyber threat is sometimes also called the Alexa virus.

Therefore, if you think there is a chance that your computer may have been infected, you should update your security program or obtain a new one in order to inspect the file and the whole system.

Identify malware on your computer

How can you know whether idp.alexa.51 is actually malicious? Obviously, you cannot trust your antivirus program alone. Unfortunately, even the best tools sometimes fail. However, infected computers are not hard to recognize. Computer infections can often be recognized from the following symptoms:

  • Unresponsive programs,
  • Installation of unknown applications, tools, browser extensions or add-ons,
  • Sluggish computer performance,
  • Various Windows errors popping up on the screen,
  • Random programs opening without your permission,
  • An increased amount of ads,
  • Encrypted, corrupted or deleted files.

If you notice at least a few of these symptoms, you should not ignore a virus detection. We highly recommend updating your AVG, Avira, Avast or other security program and running a full system scan with it. However, if this doesn’t help, you might consider obtaining a new professional malware removal tool to fix the computer properly.

GandCrab attacks might stop in the near future

GandCrab ransomware is the first to accept DASH cryptocurrency

GandCrab is a dangerous cyber threat which is designed to encrypt important files on the targeted computer and demand a ransom. Victims are asked to pay 1.54 DASH within four days, or the amount of the payment will double. The information about the data encryption is presented in the GDCB-DECRYPT.txt file, which serves as the ransom note.

Since people whose computers are infected with GandCrab ransomware are unable to open files with the .gdcb extension, they start feeling desperate and agree to make the transaction. However, such actions only motivate the criminals to develop new versions of their malicious programs.

Therefore, you should NOT pay the ransom under any circumstances. Note that experts have not only developed an official GandCrab decryptor, but there are also alternative data recovery methods which might help you regain access to the encrypted files. Likewise, the era of this file-encrypting virus might come to an end.

Criminals hurried to release a new version of the ransomware — GandCrab2

Shortly after GandCrab hit cyberspace, its developers upgraded the original version to GandCrab2. Even though both file-encrypting viruses are based on the same source code, there are slight changes which allow us to differentiate the two variants. Fortunately, both of them are decryptable with professional decryption software.

The easiest way to recognize GandCrab2 ransomware is by the file extension it uses to lock the data — .CRAB. Additionally, victims are no longer asked to pay the enormous 1.54 DASH ($1200) ransom for the decryptor. Now the payment has decreased to $500 in DASH cryptocurrency.

Also, the information on how to decrypt files encoded by GandCrab2 is delivered in the same way, in a CRAB-DECRYPT.txt ransom-demanding message. However, remember that both versions of this cyber threat are decryptable with official software generated by professional IT experts. Thus, you do NOT need to pay the criminals.

How crypto-malware reaches its victims’ computers

Ransomware infections are highly sophisticated, so they usually do not act alone — the file-encrypting virus enters the targeted system with the help of the RIG and GrandSoft exploit kits. These are developed to identify vulnerabilities in the system and help infiltrate ransomware.

If you believe that such software was remotely injected into your computer, you are wrong. Usually, criminals send fake spam emails which carry a malicious attachment. Unfortunately, those letters look innocent, and people are often lured into clicking on the file. This is the moment when the bogus program is delivered to your system.

Additionally, hackers create websites which insist on downloading fake Chrome Font Pack updates to view the full content of the site. Sadly, this is another trick to make you manually install a malicious program on your system. Therefore, experts recommend paying extreme attention when browsing the Internet.

Learn how to uninstall GandCrab virus and recover your data

Since the GandCrab decryptor is already here, there is no need to keep the virus on your system or agree to pay the ransom. On the contrary, you must get rid of it as soon as possible to start data recovery. However, we want to warn you that it is a complicated procedure and you should get assistance.

If you don’t have time to meet an IT specialist, you can remove GandCrab with the help of the elimination instructions. However, they might be tricky, so you should not skip steps and should read them attentively to avoid any further damage to your operating system.

Additionally, if after GandCrab removal you are still unable to use the decryption software, try the alternative recovery methods which are presented together with the elimination guidelines. We hope that the decryptor will help to bring this ransomware down.

Things to consider before using Wikibuy

Wikibuy is an extension which offers cheaper alternatives for your purchases

If you are looking for a shopping assistant, Wikibuy may have caught your eye. This Google Chrome browser add-on is a quite popular tool that helps to save money when shopping online.

Wikibuy is a comparison service which searches the internet for a better deal for you. For example, if you are looking for a sofa on Amazon, a pop-up shows you a better deal somewhere else. Additionally, Wikibuy searches for coupons and offers that the original retailer might be offering online and presents them for you to apply.

The developers of this shopping assistant also thought of other useful features, such as Wikibuy Checkouts, which allows purchasing in different e-shops without having to log in to their accounts, fill in forms and let retailers know your personal information.

Moreover, users are offered an order tracking feature, a money-back guarantee and loyalty rewards. None of these features is unique. However, this basic functionality makes it reasonable to trust the developers and try their free application.

The service is free, and the developers generate revenue whenever a customer chooses an item suggested via the Wikibuy extension. Therefore, you will not find this extension causing intrusive ads or redirects. However, users report that this extension is not as good as promised.

Downside of Wikibuy: doing your research might help to save more money

Wikibuy’s developers claim to have over 1 million happy customers. However, reviews and comments online reveal that not all users are very pleased with this Chrome extension. Among the negative opinions are:

  • the add-on does not tell you where you can get the same goods for the lowest price;
  • longer shipping times compared to buying directly from specific e-shops;
  • data tracking and sharing that might put the user’s privacy at risk.

According to some users, the developers of the add-on are not genuine. This shopping assistant does not provide the lowest price on the market. Some reports say that doing your own research helps to save more money than relying on Wikibuy.

The latter situation seems to be related to the developers’ participation in affiliate marketing programs. It means that they get revenue if Wikibuy users buy a specific “low-priced” product. This activity makes the developers look untrustworthy.

Another serious problem with Wikibuy is that it keeps a whole bunch of personal and non-personal information. According to the Privacy Policy, the following information is tracked and recorded:

  • User-provided information;
  • Cookies and automatically collected information;
  • Location information;
  • Third-party web beacons and third-party buttons;
  • Information from other sources;
  • Payment information;
  • Transaction data.

What is more, aggregated details might be shared with affiliates. As a result, you might start noticing a bunch of ads based on your recently searched items or bought products. However, interest-based ads might be not only annoying but in some cases dangerous too; for instance, they might redirect to phishing or infected websites.

Things to remember if you decide to install and try Wikibuy

Just like many other programs and browser add-ons, Wikibuy has its pros and cons. If you are a user who takes his or her privacy seriously, you probably won’t consider installing it in your browser and testing it out.

Otherwise, you might just give this free extension a try. However, if you decide to use it, we want to remind you that you should be careful. First of all, make sure that you are installing the safe and legitimate Wikibuy extension. For this reason, you have to install it from the official website, the Chrome app store or iTunes.

Note that this extension is not compatible with Safari, Mozilla Firefox or the Android operating system. Thus, if you find offers to download such versions of Wikibuy, you might be targeted by cyber criminals.

Additionally, be careful with ads that you notice online. Do not rush to click them. Offers that seem “too good to be true” typically are not real and are designed only to get your click. Additionally, if you decide not to shop through Wikibuy, make sure that you are not on a phishing website.

Finally, when shopping online, you should always do your research before entering your personal information and paying for the goods. All free shopping assistants might have the same problem – their financial wealth might depend on affiliates. Hence, they might not be very honest with you.

Chrome Search browser hijacker and its versions keep actively spreading in cyberspace

The Chrome Search virus is nothing more than an impersonator of Google Chrome. It operates as a fraudulent search directory which is remarkably similar to Google Chrome; in other terms, it aims to imitate this famous search engine to trick users into believing in its legitimacy. While there are numerous claims about how this unreliable program respects your privacy, research shows the opposite — it collects private details related to your browsing sessions on purpose.

We want to warn you not to fall into the trap of an attractive description, because the authors of Chrome Search explicitly claim that this is a privacy-respecting program. However, if you attentively check the Privacy Policy, its developers state that they save the personal information you provide them, regardless of whether it was provided at their request or not. Likewise, you have no guarantee that your private details will not be sold to third parties or misused in other ways.

Note that any of the browser hijacker versions mentioned below, and those still not identified, perform similar or identical activities which might put your privacy and computer security at risk. Therefore, you should remove it right away and not believe the fraudulent claims about its usefulness.

The activity of Chrome Search and its versions

It is essential to mention that the virus is currently on the rise. Experts have identified Clean My, and as offsprings of the mother program. Additionally, is the newest variant, which reached cyberspace at the beginning of December. This rapid development indicates that users should not expect this browser hijacker to stop taking over their browsers.

Furthermore, once the browser hijacker enters the system, it takes over such popular browsers as Google Chrome, Mozilla Firefox, Internet Explorer, Safari, etc. In other terms, every time you open a new tab/window or click on your homepage, you are redirected to hxxp://

You should not let these browser modifications slip through, since after the ChromeSearch hijack happens, its developers gain full access to collect various information which might be misused to deliver annoying and intrusive ads. These look genuine and attractive. Likewise, people are lured into clicking on one after another.

Also, be aware that the ChromeSearch redirect is another potentially dangerous action, since it might lead you to highly suspicious websites which increase the risk of getting infected with malware. Thus, avoid clicking on any type of advertisement that appears among the query results displayed by this fake search engine.

We highly recommend you complete the removal right after you notice its presence. Note that the easiest way is to employ professional security software to help you with the different and more sophisticated variants of this potentially unwanted program. Do not hesitate and clean your computer of browser hijackers!

Learn how this PUP stealthily enters your system

While you can manually install the Chrome Search extension from the Chrome Web Store, you can also unconsciously let it onto your computer without noticing. Developers of such browser hijackers aim to take advantage of people who are in a rush and inject the PUP into the installers of free applications.

Likewise, if the user opts to finish the download/installation procedure as soon as possible, he or she picks the Quick/Recommended settings, which do not show the hidden PUP inside. Thus, we recommend you pay more attention to this process and choose the Advanced/Custom options. It is vital to de-select the boxes which have been pre-selected and would allow the potentially unwanted program to install.

Additionally, you should scan your computer afterward and make sure that the security software performs the removal if necessary. This way you will fully protect not only your privacy but your computer’s security as well.

Necurs botnet helps spread Scarab ransomware via spam emails

The developers of Scarab ransomware employ Necurs botnet for distribution

While the infamous Necurs botnet had been staying silent for some time, on November 23 it came back, sending 12.7 million spam emails in the first several hours. According to analysts, they were used to spread the Scarab ransomware virus. The crypto-malware campaign started its malicious activity at 7 in the morning and continued until 1.30 p.m.

Previously, Necurs was spotted spreading the following computer infections:

  • Locky ransomware;
  • Dridex Banking Trojan;
  • GlobeImposter virus;
  • Jaff ransomware.

Spam emails: the ransomware disguises itself under a deceptive name

Victims report that they received a letter with the subject line “Scanned from [printer company name]” which contains a 7zip attachment. Once the credulous computer user clicks on it, the VBScript downloader connects to the network and drops the %Application Data%\sevnz.exe file, which is the executable of the Scarab virus.

Note that the same deceptive email subject was used to trick gullible people in the Locky campaign. Therefore, it was easy for IT experts to trace the links to the Necurs botnet.

Cybersecurity analysts found that the majority of the email letters were sent to .com,,, .fr, .de, and .org addresses. In other terms, the countries most affected by Scarab ransomware are the USA, UK, Australia, France, and Germany. However, this doesn’t mean that computer users living elsewhere shouldn’t be cautious of the file-encrypting virus.

Scarab ransomware: encrypts data and asks for a ransom in exchange for recovering files

The Scarab virus functions like any other ransomware — it encodes the most commonly used documents and files to swindle money from desperate computer users. Once it infects the system, the corrupted information is marked with a .[].scarab file extension. Moreover, the folders containing the compromised data also contain an IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT file which serves as the ransom note.

Besides, Scarab modifies the registry entries to autostart every time the victim turns on his or her computer. The alterations are the following:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce;
  • uSjBVNE = “%Application Data%\sevnz.exe”.

IT technicians noticed that the word support was misspelled both in the file extension and in the ransom message. Likewise, it is believed that there are numerous email addresses used by Scarab ransomware to collect the demanded money. Besides, the .txt file provides an alternative way to contact the criminals — BitMessage. This raises the assumption that the email address might soon become unavailable.

After successful infiltration, Scarab ransomware proceeds with the following commands:

  • cmd.exe /c vssadmin Delete Shadows /All /Quiet;
  • cmd.exe /c wmic SHADOWCOPY DELETE;
  • cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures;
  • cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0.
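The four commands above (shadow-copy deletion, boot-status policy change, system-state backup deletion) and the RunOnce entry are exactly what a defender should alert on. As an added example that is not part of the original article, the following Python scans constructed process-creation log lines for those command families, flags any parent process that issues two or more of them, and checks a RunOnce value of the shape listed above. The log line format, the `backup_job.exe`/`explorer.exe` process names and the timestamps are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Constructed process-creation log format (an assumption, not any real product's
# format): <timestamp> pid=<n> parent=<image> cmd="<command line>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+parent=(?P<parent>\S+)\s+cmd="(?P<cmd>[^"]*)"$'
)

# One loose, case-insensitive pattern per command family named in the write-up.
# Read-only commands such as "vssadmin List Shadows" deliberately do not match.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I
    ),
    "wbadmin_delete_systemstate": re.compile(
        r"\bwbadmin(\.exe)?\s+delete\s+systemstatebackup\b", re.I
    ),
}

# Shape of the persistence entry in the write-up: a RunOnce value whose data is an
# executable under the user's application-data folder.
RUNONCE_KEY_RE = re.compile(r"\\CurrentVersion\\RunOnce$", re.I)
APPDATA_EXE_RE = re.compile(r"(%Application Data%|%APPDATA%|\\AppData\\)[^\"]*\.exe\b", re.I)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def matching_rules(cmd):
    """Names of all RULES that fire on a command line (usually zero or one)."""
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def scan(lines):
    """Map each parent process to the sorted list of rule names it triggered."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip rather than crash the scan
        for rule in matching_rules(ev["cmd"]):
            hits[ev["parent"]].add(rule)
    return {parent: sorted(rules) for parent, rules in hits.items()}


def suspicious_parents(lines, threshold=2):
    """Parents that issued at least `threshold` distinct recovery-inhibiting commands.

    A single wbadmin call from a scheduled backup job is ordinary administration; the
    combination of shadow-copy deletion, boot-policy change and backup deletion from one
    process is the Scarab pattern and is what we alert on."""
    return sorted(p for p, rules in scan(lines).items() if len(rules) >= threshold)


def is_runonce_appdata_persistence(key, value_name, data):
    """True when a RunOnce value points at an executable under the application-data
    folder, i.e. the shape of the entry uSjBVNE = "%Application Data%\\sevnz.exe"."""
    return bool(RUNONCE_KEY_RE.search(key) and APPDATA_EXE_RE.search(data))


# Constructed sample: one ransomware-like parent, one benign backup job, one benign query
# and one malformed line. Timestamps and non-Scarab process names are made up.
SAMPLE_LOG = [
    '2017-11-23T07:14:02Z pid=4120 parent=sevnz.exe cmd="cmd.exe /c vssadmin Delete Shadows /All /Quiet"',
    '2017-11-23T07:14:02Z pid=4124 parent=sevnz.exe cmd="cmd.exe /c wmic SHADOWCOPY DELETE"',
    '2017-11-23T07:14:03Z pid=4130 parent=sevnz.exe cmd="cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures"',
    '2017-11-23T07:14:03Z pid=4133 parent=sevnz.exe cmd="cmd.exe /c wbadmin DELETE SYSTEMSTATEBACKUP -keepVersions:0"',
    '2017-11-23T22:00:00Z pid=5002 parent=backup_job.exe cmd="wbadmin delete systemstatebackup -keepVersions:3 -quiet"',
    '2017-11-23T09:30:11Z pid=6010 parent=explorer.exe cmd="vssadmin List Shadows"',
    'this line is not in the expected format and is skipped',
]

if __name__ == "__main__":
    for parent, rules in scan(SAMPLE_LOG).items():
        print(f"{parent}: {', '.join(rules)}")
    print("suspicious parents:", suspicious_parents(SAMPLE_LOG))
    print("RunOnce persistence:", is_runonce_appdata_persistence(
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce",
        "uSjBVNE", r"%Application Data%\sevnz.exe"))
```

Only `sevnz.exe` crosses the threshold in the sample; the backup job triggers one rule and is reported by `scan` but not by `suspicious_parents`, which is the behaviour you want in an environment with legitimate backup software.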

Learn how to protect yourself from ransomware attacks

If you want to avoid not only the Scarab virus but other ransomware as well, you should carefully monitor your browsing. It is important to always double-check the files you attempt to install or the emails you are going to open. Pay attention to the small details which indicate that a malicious program may be hiding inside — it can be an unknown sender or a vague message. Regardless of what it says, avoid opening email letters from people you don’t know. Instead, delete them immediately.

Another good way to decrease the risk of malware infection is to not get tricked into clicking on various advertisements. Note that they might appear as banners, in-text ads or pop-ups. Usually, they look genuine and offer great deals or effective system optimization tools. Do not fall into the hackers’ trap and never download software which is annoyingly pushed through ads.

Experts suggest using a professional antivirus system as well. It is important to update it regularly and to scan the files you want to download beforehand. This way you will protect not only your system from high-risk computer infections but also your privacy from banking trojans.

Developers of Zeus Panda virus present new distribution strategy

Zeus Panda virus used SEO to attack users

Security researchers warn about a new and clever Zeus Panda virus distribution campaign. The developers of the malicious program used Search Engine Optimization (SEO) to poison specific financial and banking-related keywords. To succeed, the crooks first compromised business websites so that they would rank high in Google search results.

The Zeus virus has been known since 2017. However, for almost a decade, new variants of the malicious program have been emerging and trying to steal users’ personal information. The Zeus Panda, or Panda Banker, virus was detected in 2016. However, researchers from Cisco’s Talos reported a new distribution campaign at the beginning of November.

According to the report, criminals used a combination of SEO, compromised legitimate websites and malicious Word macro commands to install data-stealing malware on the victim’s computer. Security researchers say that the malware targeted users of these banks:

  • Nordea Sweden,
  • the State Bank of India,
  • India’s Bank of Baroda and Axis Bank,
  • the Commonwealth Bank of Australia,
  • Saudi Arabia’s Al Rajhi Bank.

Previously, the Panda trojan targeted Australian and British banks. However, the interesting fact is that the malware uses geo-filtering. Once it gets inside the device, it checks the computer’s language settings. The virus does not launch its activities if the default language is Russian, Ukrainian, Belarusian or Kazakh.

The criminals’ sophisticated and well-prepared attack

First of all, the attackers compromised legitimate business websites in order to rank higher in Google search. Then the attackers poisoned specific keywords that were supposed to redirect to corrupted sites. According to the research, the criminals managed to show their malicious results several times on the Google results page when users entered these keywords:

  • “nordea sweden bank account number”
  • “how many digits in karur vysya bank account number”
  • “free online books for bank clerk exam”
  • “al rajhi bank working hours during ramadan”
  • “how to cancel a cheque commonwealth bank”
  • “salary slip format in excel with formula free download”
  • “bank of baroda account balance check”
  • “axis bank mobile banking download link”
  • “bank guarantee format mt760”
  • “sbi bank recurring deposit form”

The compromised websites included malicious JavaScript code to initiate redirects until a macro-enabled document is downloaded to the system. Once opened, the document asks to enable macros to view the content. Indeed, clicking the “Enable Content” button leads to the installation of the Zeus Panda virus.

Developers of Panda Trojan used traditional malware distribution methods before

Since the appearance of the Zeus Panda malware, its authors tried several distribution methods until they came up with the idea of relying on SEO. They spread the trojan via malicious spam emails and three exploit kits – Angler, Nuclear and Neutrino.

The malspam campaigns also included Word documents that downloaded the malware executable to the system. Other campaigns exploited the CVE-2014-1761 and CVE-2012-0158 vulnerabilities to attack media and manufacturing corporations.

Magniber, Losers, Matrix ransomware keep attacking computer users

Crooks focus on distribution of Losers, Magniber and Matrix ransomware

Matrix, Losers and Magniber ransomware on the rise in November 2017

Security experts discovered cybercriminals boosting the distribution of the well-known Matrix, Magniber and Losers ransomware again. Hackers have come back employing even more successful methods to trick users into downloading the executable files of the viruses.

We have encouraged you to take precautionary measures before, but this time you have to be extremely careful. Cybercriminals have swindled enormous amounts of money from gullible people before, and they surely won’t stop now. Thus, check the key features and distribution methods explained below and make sure to protect your system from a ransomware attack.

Matrix malware takes advantage of the Rig exploit kit

The Matrix virus is designed to infiltrate the victim’s computer by disguising itself as a fake FBI alert. As soon as it reaches the system, it starts encrypting data. Later, it drops a matrix-readme.rtf file providing further information and urging the victim to contact the attackers via the or e-mail addresses. Victims report being asked to pay a ransom to recover their data.

The developers of the malware employ sophisticated AES+RSA ciphers to make the files inaccessible and swindle money from desperate computer users. Experts recently spotted an increase in the distribution rate due to the use of the RIG exploit kit, which helps to detect system vulnerabilities and successfully infiltrate the Matrix ransomware.

Losers ransomware continues its malicious activity via fake DVD burning software

Experts report receiving many requests for help from the victims of the Losers malware. This file-encrypting virus spreads as a fake DVD burning program called Burn4Free and encrypts data on the victimized computer. You can quickly recognize it from the .losers file extension appended at the end of the filename.

Victims receive a ransom note in the form of a HOWTODECRYPTFILES.txt file and are urged to pay the ransom in Bitcoins for a decryption key. Since the hackers have already made considerable profits, we believe that they came back for even more. Thus, you should not consider paying the demanded amount of money as an option.

Magniber crypto-malware offers to purchase My Decryptor for 0.2 Bitcoins

The developers keep releasing new versions of the virus to create new methods of distribution. The Magniber malware infiltrates the computer with the help of the Magnitude exploit kit and encrypts data on the system using the AES algorithm. The latest extensions detected are .skvtb, .vbdrj, .ihsdj, .kgpvwnr and .fprgbk.

But you should be aware that once the criminals decide to renew the virus’ activity, they will create new extensions and ransom notes to confuse people and swindle money. Currently, the ransom note is displayed in the READ_ME_FOR_DECRYPT_[id].txt file, and the attackers demand 0.2 Bitcoins for a decryption tool called My Decryptor.

Precautionary measures are necessary to resist the new wave of ransomware attacks

Cybercriminals work for a reason — they want more illegal profits. Thus, you should never trust them and should decline all offers. Instead, focus on ransomware removal and try to restore your files using backups.

Tips to avoid a ransomware attack:

  • Use reliable security software and make sure to update it regularly;
  • Enable the function on your computer that automatically stores backup copies in the cloud;
  • You can also save them on external storage devices, just don’t forget to unplug them from the computer afterwards;
  • Enable the System Restore function so that alternative recovery methods are available in case of an attack.

Bad Rabbit ransomware: tips to avoid the latest version of Petya

New variant of Petya emerged – Bad Rabbit ransomware virus

On the 24th of October, a new version of the Petya ransomware was reported to be attacking Russian and Ukrainian organizations. Petya is known for attacking Ukrainian companies and the public sector. However, this time the recently discovered Bad Rabbit ransomware hit Russia harder.

According to the latest information, the Bad Rabbit virus attacked the Kiev Metro and Odessa International Airport. Even though there’s still not a lot of information about the damage caused to these infrastructure systems, the attack is a warning sign to all organizations and companies to make sure that their systems and networks are protected.

Additionally, reminding employees of basic security tips is also recommended. The current version of the Petya virus spreads as a fake Adobe Flash update. Thus, inexperienced users can easily be tricked into downloading a malicious file and causing serious problems for the whole computer network.

However, it did not take security researchers long to find a vaccine that prevents the ransomware from infiltrating. Following basic security tips is still recommended as well.

Bad Rabbit malware masquerades as a Flash update

Drive-by downloads are one of the distribution methods used to spread the Bad Rabbit ransomware virus. The fake Flash update is injected into compromised websites. If users end up on such a site, they receive a pop-up asking them to install the latest update. Once they hit the “Install” button, the malicious executable is dropped into the Win32/Filecoder.D folder. Once the install_flash_player.exe file is executed, the malware starts the data encryption procedure.

However, the malware might also exploit a vulnerability in the Windows Server Message Block (SMB) protocol. At first, it was thought that the malware used the EternalBlue vulnerability. However, the latest analysis data says that this is not true. The malware simply scans the internal network and looks for open SMB shares. If it finds any, it can affect the whole network.

Protecting computers and networks from ransomware

Bad Rabbit ransomware might cause extreme damage to your company or paralyze important city infrastructure, such as public transportation. However, home computer users should be aware of the security tips too.

After infiltration, the malware immediately locks files with a combination of the RSA-2048 and AES-128-CBC encryption ciphers and appends the .encrypted file extension, making them impossible to open. In order to recover the files, victims are asked to pay 0.05 Bitcoin. However, the size of the ransom might increase.

Security researchers discovered a vaccine that helps to protect devices from the latest version of the Petya ransomware:

  1. Create the infpub.dat and cscc.dat files in the c:\windows directory by running cmd.exe as an administrator and entering this command:
    echo "" > c:\windows\cscc.dat&&echo "" > c:\windows\infpub.dat
  2. Right-click on each of the newly created files and select Properties.
  3. Open the Security tab in the Properties window that appears.
  4. Click the Advanced option.
  5. In the newly opened window, click the “Change Permissions…” button.
  6. Uncheck the “Include inheritable permissions from this object’s parent” box (Windows 10 users have to choose the “Disable inheritance” button and then select “Remove all inherited permissions from this object”).
  7. You will receive a Windows Security pop-up. Click the Remove button.
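The seven steps above can be applied from an elevated PowerShell prompt instead of the Properties dialog, which is more practical when the vaccine has to be rolled out to many machines. The script below is an added example, not code from the original article or from the researchers who published the vaccine: it creates the two placeholder files, disables ACL inheritance and removes every remaining access entry (the same effect as steps 2 to 7), and then reports whether each file exists with an empty DACL. It assumes Windows PowerShell 5.1 or later, an elevated session, and that $env:SystemRoot points at the Windows directory (normally C:\Windows).

```powershell
# Added example, not from the original article: automates the two-file Bad Rabbit
# vaccine described in the steps above. Run from an elevated PowerShell session.
# Assumes $env:SystemRoot is the Windows directory (normally C:\Windows).

$VaccineFiles = @("$env:SystemRoot\infpub.dat", "$env:SystemRoot\cscc.dat")

function Install-BadRabbitVaccine {
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        # Step 1: create the placeholder file (harmless if it already exists)
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Steps 2-7: SetAccessRuleProtection($true, $false) is the programmatic form of
        # "disable inheritance" + "remove all inherited permissions"; the loop then
        # strips any explicit entries, leaving an empty DACL that grants nobody access.
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)
        foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
        Set-Acl -LiteralPath $path -AclObject $acl
    }
}

function Test-BadRabbitVaccine {
    param([string[]]$Paths = $VaccineFiles)
    foreach ($path in $Paths) {
        $exists   = Test-Path -LiteralPath $path -PathType Leaf
        # The owner keeps READ_CONTROL implicitly, so reading the ACL still works
        $aceCount = if ($exists) { (Get-Acl -LiteralPath $path).Access.Count } else { -1 }
        [pscustomobject]@{
            Path       = $path
            Exists     = $exists
            AceCount   = $aceCount
            Vaccinated = ($exists -and $aceCount -eq 0)   # file present, no access entries
        }
    }
}

Install-BadRabbitVaccine
Test-BadRabbitVaccine | Format-Table -AutoSize
```

An empty DACL is not the same as no DACL: a file with no DACL at all would be accessible to everyone, which is why the script removes the entries rather than the ACL object. Test-BadRabbitVaccine can also be run on its own as a compliance check across a fleet.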

Additionally, security experts do not recommend paying the ransom and advise taking precautions in order to avoid losing important data:

  • Enable automatic Adobe Flash Player updates. In this way, you or your employees will not be tricked into installing a bogus update from a pop-up window.
  • Patch the Windows SMB protocol. Also, make sure that your operating system has all necessary security fixes. Install them as soon as they are offered by Microsoft.
  • Install available software updates. Enabling automatic software updates helps to avoid misleading alerts. However, if you prefer monitoring updates yourself, you should be careful and not forget to install them regularly.
  • Do not open suspicious email attachments. Ransomware-type viruses often spread via malicious spam emails that include an infected attachment. Before opening any attachment, even a safe-looking one, check the information about the sender and the stated reason for the message to make sure that it is actually safe to open.
  • Back up your data and update the backups regularly. Having extra copies of the most important files reduces the damage in case of a ransomware attack.
  • Strengthen your computer’s protection by installing a reputable antivirus.

Identify and remove Chromium virus

Chromium virus is on the rise: Identify and remove rogue web browsers

Criminals use Chromium project to develop fake versions of Google Chrome

Chromium virus can be defined as a bogus version of the Chrome browser developed by cybercriminals. Once free access to the source code of Google Chrome was given, people were able to build their own browsers using the open-source Chromium project.

Researchers noted that today Chromium adware spreads widely, and users should be aware of the possible consequences that may arise afterward. If you have noticed any issues related to your Chrome browser, immediately scan your computer using reliable security software.

The Chromium project itself is entirely legitimate, but malevolent people can take advantage of an open-source tool to create and distribute fake browsers. Computer users may not even notice that their browser is slightly different from the original Chrome.

Typically, the potentially unwanted program (PUP) overwrites the verified browser shortcuts and sets the fake Chrome version, together with its search engine or homepage, as the default.

Afterwards, it promotes annoying advertisements or redirects to less-than-reliable sites. Once the user clicks on the ads or content displayed on a rogue page, they risk getting infected with various types of malicious programs.

Since the developers of fake versions invest a lot of effort in making their copies look genuine, people are often misled when trying to identify the cause of the intrusive ads or redirects to suspicious websites that Chromium virus generates.

Several best-known bogus versions of Chrome

There are many deceptive Chromium virus variants out there. Below you can see a list of the most prevalent ones.

1. MyBrowser;
2. Torch Browser;
3. BrowserAir;
4. eFast;
5. Chroomium Browser.

These apps may claim to improve your browsing experience and offer “handy tools” that provide the functionality of your favorite social networking sites or even increase your security.

This is just a deceptive marketing trick to lure users into installing the adware. Instead, these fake browsers collect browsing-related data that can be personally identifiable and cause serious privacy issues.

Therefore, if you have noticed continuous pop-ups or other unwanted behavior, you can check the “About” section of your Chrome browser. It should open and display the Google Chrome name.

If it fails to launch, we suggest looking for unauthorized browser extensions or other unknown programs installed on your computer in order to remove the so-called Chromium virus.
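Checking the “About” page tells you what the browser calls itself; a stronger check is to see which executable the Chrome shortcuts and the default http:// link handler actually launch, and whether that file carries a valid Google code signature in a standard install folder. A rebranded Chromium build that has overwritten the shortcuts, as described above, shows up as an unsigned or differently signed binary in an unexpected location. The script below is an added example, not code from the original article or from Google: it assumes Windows PowerShell 5.1 or later, that genuine Chrome binaries are signed with the subject names "Google LLC" or "Google Inc", and that the three install paths listed at the top are the standard ones (all three are assumptions to adjust for your environment).

```powershell
# Added example, not from the original article: audit which binary the "Chrome"
# shortcuts and the default http:// handler launch, and whether it is Google-signed
# Chrome in a standard install folder. Signer names and paths below are assumptions.
# Requires Windows PowerShell 5.1 or later.

$TrustedSignerNames  = @('Google LLC', 'Google Inc')        # assumed subject CNs of genuine builds
$ExpectedChromePaths = @(                                    # assumed standard install locations
    "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
    "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
    "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
)
$ShortcutDirs = @(
    "$env:USERPROFILE\Desktop",
    "$env:PUBLIC\Desktop",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs",
    "$env:APPDATA\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar"
)

# Resolve a .lnk shortcut to the executable it launches.
function Get-ShortcutTarget {
    param([Parameter(Mandatory)][string]$LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    try     { $shell.CreateShortcut($LnkPath).TargetPath }
    finally { [void][Runtime.InteropServices.Marshal]::ReleaseComObject($shell) }
}

# Pull the executable out of a registry command such as  "C:\...\chrome.exe" -- "%1"
function Get-CommandExecutable {
    param([Parameter(Mandatory)][string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

# Verdict for one binary: Authenticode status, signer CN and install location.
function Test-ChromeBinary {
    param([Parameter(Mandatory)][string]$ExePath, [string]$Source = '')
    $info = [ordered]@{
        Source = $Source; Path = $ExePath
        Exists = (Test-Path -LiteralPath $ExePath -PathType Leaf)
        Signer = $null; SignatureValid = $false; InExpectedDir = $false; Verdict = 'SUSPICIOUS'
    }
    if (-not $info.Exists) { $info.Verdict = 'MISSING'; return [pscustomobject]$info }

    $sig = Get-AuthenticodeSignature -FilePath $ExePath
    $info.SignatureValid = ($sig.Status -eq 'Valid')
    if ($sig.SignerCertificate) {
        $info.Signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)   # subject CN
    }
    $info.InExpectedDir = ($ExpectedChromePaths -contains $ExePath)   # -contains is case-insensitive
    $signerTrusted = ($TrustedSignerNames -contains $info.Signer)

    if ($info.SignatureValid -and $signerTrusted -and $info.InExpectedDir) { $info.Verdict = 'GENUINE' }
    elseif ($info.SignatureValid -and $signerTrusted) { $info.Verdict = 'REVIEW: Google-signed, unusual folder' }
    [pscustomobject]$info
}

# Walk the shortcut folders and the default http handler, judging every Chrome-like target.
function Invoke-ChromeAudit {
    $findings = [System.Collections.Generic.List[object]]::new()
    foreach ($dir in $ShortcutDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        foreach ($lnk in Get-ChildItem -LiteralPath $dir -Filter *.lnk -Recurse -ErrorAction SilentlyContinue) {
            $target = Get-ShortcutTarget $lnk.FullName
            if ([string]::IsNullOrWhiteSpace($target)) { continue }
            # Anything branded "Chrome" or launching a chrome.exe is worth checking
            if ($lnk.BaseName -match 'chrome' -or $target -match '\\chrome\.exe$') {
                $findings.Add((Test-ChromeBinary -ExePath $target -Source $lnk.FullName))
            }
        }
    }
    # The http:// handler is what runs when the user clicks a link anywhere on the system
    $choice = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice' -ErrorAction SilentlyContinue
    if ($choice -and $choice.ProgId) {
        $cmd = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$($choice.ProgId)\shell\open\command" -ErrorAction SilentlyContinue).'(default)'
        if ($cmd) {
            $findings.Add((Test-ChromeBinary -ExePath (Get-CommandExecutable $cmd) -Source "default http handler ($($choice.ProgId))"))
        }
    }
    $findings
}

Invoke-ChromeAudit | Format-Table Source, Path, Signer, SignatureValid, InExpectedDir, Verdict -AutoSize
```

A SUSPICIOUS row whose path sits under AppData or ProgramData with an unfamiliar vendor name is the pattern the article describes; a REVIEW row is usually a portable or enterprise-relocated Chrome and should be confirmed against the deployment records rather than removed on sight.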

Potentially unwanted programs infiltrate via quick installation of regular apps

Developers of deceptive applications aim to generate revenue by promoting potentially unwanted programs (PUPs) via Quick/Recommended settings during the installation process.

Users in a hurry aim to finish the download/installation quickly and fail to notice the adware, which is hidden among the “Optional Components” of free software.

Therefore, you should always opt for Custom/Advanced settings and carefully follow the installation steps. If you are offered bundled apps from unauthorized developers, un-tick the box and do not permit the PUP to infiltrate.

Moreover, fake versions of Chrome can be promoted on suspicious websites or in advertisements. Thus, you should avoid clicking on them in order to protect yourself from the hijack.

If you have already been infected, our IT specialists recommend downloading security software from trusted sources and running a system check (choose the full system scan option). It will quickly detect the compromised data and remove the Chroomium virus. We advise looking for security software recommendations on the 2-Spyware website.