Petya aftermath: a month after the virus outbreak

The damage of Petya virus attacks is still being estimated

A month has passed since the new Petya virus version rolled through the cyber world in a wave of terror and confusion. Victims are still counting their losses which presumably reach millions if not billions of dollars.

Major manufacturing, telecommunication, and other social service companies say that at the moment it is quite difficult to estimate the full extent of the inflicted damage. Currently, the victimized businesses fearfully await the end of the year when the last and final calculations will be completed.

The recovery of older Petya versions leaves hope for NotPetya decryption

Luckily, cyber security experts do not intend to leave the Petya outbreak story on a bad note. Well-known antivirus researchers have already managed to come up with working decryptors for the three initial Petya virus versions: Red Petya, Green Petya/Mischa and Goldeneye.

These decryption tools are not magical. They may freeze the computer or cause errors with a risk of damaging data. That is the reason experts always advise making backup copies of the encrypted files in case the recovery fails.

Nevertheless, in most cases, decryptors work fine, and if you still have some of your data that you can’t access, you should definitely give them a try.

Unfortunately, we have no good news for the users who have been infected with NotPetya or other hybrid Petya versions, at least at the moment. These ransomware variants were not developed by Janus Cybercrime, which means that the decryptors which work for the original versions are useless when applied to NotPetya.

However, you should not lose hope! There are numerous cases which prove that ransomware decryption is possible and it is only a matter of time when the security experts find a way to work around the encryption and give back your files.

Protecting your data is important: backups are the key

Sad as it sounds, ransomware developers get more advanced as time goes by. Once the security experts patch one vulnerability, the criminals find another, and the cycle continues.
The best way to actually protect your data is to keep backups of it, preferably a few copies of the documents in a few different places. Depending on the importance of your data and your needs, you can invest in automatic backup making software or create extra copies of your most essential files manually.

Protect your Android device from Xavier virus

The updated Xavier Android malware was noticed spreading in Google Play store

Today we would like to introduce a new Android virus called Xavier. The virus belongs to the AdDown family that was first discovered in 2015. The virus itself was spotted in September 2016. However, authors updated it in order to spread it widely via Google Play Store.

The majority of victims who downloaded one of 800 infected applications were from Vietnam, Philippines, and Indonesia. Although the virus mostly causes problems in the Southeast region, several cases were reported in the United States and Europe.

The purpose of malware – stealing personal information

Xavier is a malicious ad library that enters the system as a Trojan. Malware might not only affect Android smartphones or tablets but TVs and game consoles as well. However, the majority of infections were noticed in mobile devices.

Among the infected applications were photo manipulators, antivirus utilities, volume and speed boosters, etc. The applications seemed useful, and users downloaded them from Google Play millions of times without thinking that their privacy might be at risk.

The success of the malware is based on its ability to evade detection. This sophisticated virus can bypass a regular smartphone’s security. Thus, regular security software installed on mobile devices may not detect it.

On the affected smartphone Xavier might install APK files and initiate remote code access. Thus, hackers might get full access to the device and do whatever they want. They might clone your phone or install additional malware. Malware’s behavior depends on what tasks it receives from the remote Command and Control (C&C) server.

Protecting your smartphone from Xavier and other Android viruses

The main security tip for avoiding Android malware used to be to avoid downloading apps from third-party websites and stick to Google Play. However, it seems that this tip is no longer very helpful. Of course, you should still keep away from unknown app sites, but you need to pay more attention to your smartphone’s security.

  1. Check information about publishers before installing a new app. Well-known developers are the ones you can trust.
  2. Read reviews of the app before installing. Pay attention to users’ complaints and do not install apps with negative feedback.
  3. Read what permissions the app requires. If an application wants to get lots of information, you should not download it to protect your privacy.
  4. Invest in professional mobile security software.

Facebook community – still an easy target for hackers

Nothing new: the same old deception techniques

Though the majority of Facebook netizens originate from modernized countries, they remain easy targets for scammers. Regarding the scam rate, several scams in a row have shaken the Facebook community. Surprisingly, crooks are targeting netizens with the same old tricks: Facebook video virus, Facebook Message scam, free flight tickets giveaway, etc. Why do users keep falling for them?

Observing recent Facebook scams, it seemed unbelievable that fraudsters expected to fool netizens with the same tricks. Unfortunately, they did. One of the most recent deceptions revolved around the Facebook video virus.

You might recall that the same story happened last year. Users received a message with the video link which included their profile picture and name. Once they clicked on the supposed YouTube video, they were asked to install a shady browser extension to watch the video.
This year, crooks employ alternative “material” – a corrupted file.

This version of scam is currently spread in North Wales, but taking into account that users fell for the same trick twice or even thrice, the infection might soon disperse to other virtual regions.

Jayden K. Smith wants to be friends with you

Lately, some of your friends might have been posting warnings not to accept the friend request from mysterious Jayden K. Smith. He is said to be a mysterious hacker, who is able to hack your account the very moment you befriend him. The message might seem quite an ordinary warning except that it is another scam.

If you have seen several of them, you might recall that the content of the text does not differ, except the names. Other intimidating “hackers” are Anwar Jitou, Maggie from Sweden, Bobby Roberts, Simon Ashton, and many others.

Unfortunately, Facebook community members are quick to share things and click the “Like” button without even giving it a thought. Although in this case the scam did not result in any financial losses, overall, scams account for 50 million dollars.

Other recent scams were not so harmless. Fraudsters released fake posts, supposedly published by well-known airline companies, offering free airline tickets. The posts quickly went viral, which turned out to be an unexpected surprise for the very companies. However, much more bothersome malware was disguised under these threats.

Best advice? Think before sharing a post

As in everyday life, an action should follow the thought. No matter how powerful an anti-virus you may have, if you tend to surf Facebook clicking here and there mindlessly, you might end up as a scam victim anyway.

Naturally, no one enjoys the role of a loser. Thus, double-check the content you receive or confirm the authenticity of the fact you are about to share. Likewise, Facebook might become a safer place.

Decrypt Master file extension files

Master ransomware victims can now decrypt their files for free

The developer of Master ransomware leaks private keys before launching Aleta ransomware campaign

Master ransomware is a version of BTCWare virus. The ransomware has compromised thousands of computers worldwide, taking the data stored on them hostage. This version of the ransomware used to create !#_RESTORE_FILES_#!.inf files as ransom notes and demand a ransom in Bitcoins. Master virus always appended to files an extension that consisted of the criminals’ email address and the aforementioned extension, giving a final result of .[email].master.

The developer of the ransomware mysteriously emerged in online forums and on June 30th posted an announcement that within 5 days Master’s decryption keys will be published. Although some did not believe in such words and thought that the message was fake, the private keys were actually leaked.

It is believed that the developer of the ransomware leaked the keys because he was planning to release an updated version, which turned out to be Aleta ransomware. The new virus drops !#_READ_ME_#!.inf ransom note and demands 2 Bitcoins in exchange for a decryption tool. It also marks each file with .[].aleta extension.

A free Master decryption software is available

Using the leaked keys, a security researcher Michael Gillespie updated Master Decryptor, making it capable of decrypting BTCWare versions using these extensions on encrypted data:

  • .btcware;
  • .onyon;
  • .master;
  • .theva;
  • .cryptobyte;
  • .cryptowin;
  • .xfile.

However, the researcher points out that the ransomware contains a bug that prevents some files from being decrypted successfully. It appears that files smaller than 10MB will contain 16b of junk added to their decrypted versions. However, files larger than that will be successfully decrypted. To remove Master virus and decrypt your files, follow instructions provided on 2-Spyware site.
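A triage sketch for the naming scheme described above, added here as an example (it is not part of the Master Decryptor or any tool mentioned on this page). It inventories a folder by the .[email].extension pattern and the two ransom note names, separates files the listed decryptor covers from Aleta files, and flags files under the 10MB threshold where the 16 bytes of junk are expected. The function names, the sample tree, and the reading of "10MB" as 10 MiB measured on the encrypted file are assumptions.

```python
import re
import tempfile
from pathlib import Path

# Extensions the page lists as handled by the updated Master Decryptor.
DECRYPTABLE = {"btcware", "onyon", "master", "theva",
               "cryptobyte", "cryptowin", "xfile"}
# The page names no free decryptor for the newer Aleta version.
NO_DECRYPTOR = {"aleta"}
# Ransom note file names given on the page, mapped to the variant that drops them.
RANSOM_NOTES = {"!#_RESTORE_FILES_#!.inf": "master",
                "!#_READ_ME_#!.inf": "aleta"}
# Naming scheme from the page: <original name>.[<contact email>].<variant>
NAME_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<contact>[^\]]*)\]\.(?P<ext>\w+)$")
# Assumption: "10MB" is read as 10 MiB and compared with the encrypted size.
SMALL_FILE_LIMIT = 10 * 1024 * 1024


def classify(name):
    """Return details for a BTCWare-style file name, or None if it is not one."""
    match = NAME_RE.match(name)
    if not match:
        return None
    variant = match.group("ext").lower()
    if variant not in DECRYPTABLE | NO_DECRYPTOR:
        return None
    return {"original": match.group("orig"),
            "contact": match.group("contact"),
            "variant": variant,
            "decryptable": variant in DECRYPTABLE}


def inventory(root):
    """Walk root and sort affected files into triage buckets (relative paths)."""
    root = Path(root)
    report = {"notes": [], "decryptable": [], "waiting": [], "junk_risk": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name in RANSOM_NOTES:
            report["notes"].append((rel, RANSOM_NOTES[path.name]))
            continue
        info = classify(path.name)
        if info is None:
            continue
        if info["decryptable"]:
            report["decryptable"].append(rel)
            # Per the page, small files come back with 16 bytes of junk appended.
            if path.stat().st_size < SMALL_FILE_LIMIT:
                report["junk_risk"].append(rel)
        else:
            report["waiting"].append(rel)
    return report


def build_sample(root):
    """Create a constructed sample tree (placeholder files, not real malware)."""
    root = Path(root)
    (root / "docs").mkdir()
    names = ["docs/report.docx.[contact@example.invalid].master",
             "docs/photo.jpg.[contact@example.invalid].aleta",
             "docs/notes.txt",
             "!#_RESTORE_FILES_#!.inf"]
    for name in names:
        (root / name).write_bytes(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for bucket, items in inventory(tmp).items():
            print(bucket, items)
```

Run it against a copy of the affected folder, and keep the encrypted originals untouched until the decrypted output has been checked.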

Reasons not to pay the ransom

If your computer was affected by Aleta or any other BTCWare version, we suggest staying patient. So far, many victims managed to recover their files without paying, although they had to wait for the free decryption tools. However, we believe that it is worth waiting, especially when the cyber frauds ask for such an enormous ransom larger than 5000 USD.

For data recovery solutions and virus removal guidelines, we suggest visiting NoVirus web page. You can find a lot of great cyber security related tips here.

AdsKeeper and Stack Player continue bombarding web browsers with ads

Researchers noticed an increased activity of adware programs

Recently, cyber security experts noticed an increased activity in AdsKeeper and Stack Player distribution. These two ad-supported programs have been well known for a while. They have already made browsing the web complicated for hundreds of thousands of computer users.

These programs are known for:

  • being capable of entering the system in software bundles;
  • altering browser’s settings;
  • using “virtual layer” to display third-party ads;
  • delivering an excessive amount of ads;
  • delivering misleading and malicious ads;
  • redirecting to high-risk websites;
  • tracking information about users.

All these negative features disturb browsing the web and make the system vulnerable. For this reason, infected computers become easily accessible to other cyber threats and malware.

We want to point out that you should be careful when installing freeware or shareware. These two adware programs are widely spread with PDF converters, video players, and other free programs. Thus, in order to avoid them, you should:

  • choose reliable sources for software installation;
  • use Advanced/Custom installation settings;
  • do not rush to click “Next” button;
  • unmark all third-party entries offered to download together with the primary program.

The major issues caused by AdsKeeper adware

Although AdsKeeper is a legitimate advertising program, it might pose a danger to computer users. Some of the ads delivered by this ad-supported application might redirect to potentially dangerous websites.

The problems begin when the adware enters the system silently. It might alter the targeted browser’s settings in order to display third-party commercial content on various sites. The PUP might deliver ads even on well-known sites. Thus, you can easily be tricked into believing that an offer is reliable and safe to click.

However, research has shown that some of the AdsKeeper ads have nothing in common with safety and credibility. Cybercriminals and scammers often take advantage of this advertising platform in order to spread malicious ads.

Within one click, you might end up on a tech support scam or phishing website. Crooks might trick you into installing bogus software or revealing personal information. Thus, this adware might be responsible for helping criminals to reach innocent computer users.

It doesn’t matter that it’s not an intended purpose of the adware program. You should take care of your privacy and computer by performing AdsKeeper removal.

The main characteristics of Stack Player virus

Stack Player is advertised as useful video streaming tool that allows browsing through the huge library of video content and watching it straight through the desktop. Indeed, this free application might seem interesting for those who spend hours watching videos.

However, it’s hard to talk about this program’s functionality because it’s impossible to keep it on the computer for long. After the installation, it instantly starts tracking information about users and delivers suspicious ads on each visited website.

One of the main problems is that Stack Player ads redirect to high-risk websites or promote bogus antivirus, PC optimization software or suspicious browser extensions. Misleading security alerts and offers to install crucial updates might hide malware as well.

Thus, we want to remind you that you should stay away from this program and be careful with the installation of freeware or shareware. This program might enter the system in a bundle too. However, if you already made a mistake and allowed this program to settle in your PC, we recommend following Stack Player removal instructions and getting rid of the adware immediately.

marketing platform comes to life again

ads are looking for new victims

If you have run into the website having a ridiculously long URL domain name starting with, you are likely to see a congratulatory alert. It might come from a supposed Google Rewards Center or most recent one – Facebook Reward Center.

Before you hit the ceiling with joy for supposedly having won an iPhone or another valuable product, let us remind you that it is simply a fake alert. Alternatively, other users may encounter alerts suggesting to update their browsers, Java or Adobe Flash Player.

Advertising intertwines with malvertising

Even though the domain is entitled as Ad Network Performance, it has been one of the oldest spam and adware samples. Originally, such alerts may have simply annoyed you to death, but recent findings suggest that they divert towards a new trend – malvertising.

Due to the popularity of social networks, such as Twitter or Facebook, you might notice the number of supposedly affiliated websites which offer you to reclaim their free giveaways.

A while ago, another spam felony infiltrated Facebook deceiving users with supposedly free flight tickets. It was not only a surprise for netizens but for the very companies which have been mentioned.

Then, users had to fill up a short survey. Then, they would be redirected to an affiliate website which requires entering private information – phone numbers or email address. functions the same. If you disclose any of such details in one of the affiliated websites, get ready for the stream of ads popping up during browsing sessions or cramming your Spam folder.

Another key problem is that this domain is only the tip of the iceberg. There are multiple others:,,,,, etc.

Old tricks along with new strategies

Surprisingly, although such adware and malvertising techniques are quite old and numerous articles have been written on this topic, a high number of users still take the bait. It explains why fraudsters have revived marketing technique.
Besides this well-known strategy, keep in mind that crooks come up with new astounding techniques.

Felons have developed a way to foist malware on users: victims do not need to click on a corrupted link or file, because hovering over it is enough. However elaborate spam techniques become, caution remains the ultimate weapon against such felony.

The name of Zeus Trojan is widely used by scammers

Tech support scammers send fake alerts about Zeus infection

Zeus Trojan is one of the oldest banking Trojans that started its career in July 2007. The malware has already affected hundreds of thousands of companies, banks, and governmental institutions. Although the criminals ended their career in 2011, their followers continued spreading new variants of the Trojan.

Meanwhile, scammers who lack imagination or creativity borrowed the name of the Trojan for their illegal projects. The name of the banking Trojan is widely used in various technical support scams.

Undoubtedly, the purpose of such scams is to scare people and make them call a fake tech support line where “certified technicians” are willing to help clean a virus from the computer.

Examples of tech support scams

Getting infected with Zeus is a terrifying experience. Scammers are aware of human psychology and the fear of catching computer infections. Thus, they use the name of the dangerous banking Trojan to help commit another cyber crime.

Such scams usually deliver messages in the browser’s window, such as “Windows Defender Alert: Zeus Virus”, “Windows Detected ZEUS Virus” or “You Have A ZEUS Virus.” All these fake alerts state the same – your computer is infected; call the provided number.

However, none of these messages are true. Only antivirus program installed on your PC can inform about malware attack in a program notification window.

All other alerts that appear in the browser are fake and, most probably, created by cyber criminals who want to take control over your computer, obtain your personal information or sell useless software.

Signs of the real Zeus attack

If you ever find yourself on the website that informs about dangerous banking Trojan residing on the system, you should not take any spontaneous actions. Especially, do not grab your phone to call the provided number.

As we have already mentioned, online security alerts are fake. What is more, usually crooks introduce themselves as Microsoft technicians. However, Microsoft does not have a phone support line. Thus, it’s the main sign that you have been scammed.

The real Zeus malware attack is followed by slow computer performance, disabled security software, unknown system errors, an increased amount of aggressive online ads, and of course, suspicious financial transactions or even an empty bank account.

We want to remind you that once you suspect that your computer is infected, you should run a full system scan with an updated security tool immediately.

Good news for victims of Jaff ransomware: free decryptor is already available

As Virus Activity blog reports, there’s no need to worry about Jaff ransomware anymore. This recently emerged cyber threat is already decryptable.

This ransomware was noticed spreading via the Necurs botnet at the end of spring 2017. Crooks sent numerous malicious spam emails that included an obfuscated PDF attachment. These files were named as copies, scans, invoices and similar. Apparently, too many users believe that these documents cannot pose harm to their computer.

Unfortunately, these naïve assumptions were wrong. A safe-looking PDF file was actually a DOCM document. This macro-enabled document asked the user to click the “Enable Content” button, and clicking it led to the installation of ransomware.

During its quite short lifetime, malware was updated several times. Different versions of the virus marked encrypted files with .jaff, .wlu and .sVn extensions that made them impossible to open.

However, a malware researcher from Kaspersky Lab found a flaw in the ransomware’s code. This discovery helped to create decryption software that can unlock encrypted files for free. Meanwhile, the developers of the virus offered their questionable decryptor for 1.82-2 Bitcoins.

Victims were never encouraged to do business with cyber criminals. However, a desperate need for files might have led thousands of people to pay the ransom. Fortunately, obtaining a decryption key from hackers is no longer the only option. Free and secure decryption software can be downloaded from here.

Although data recovery seems the most important task after a ransomware attack, that is not quite true. Before taking advantage of the newly created decryptor, you have to make sure that Jaff malware is no longer on your computer.

While crypto-malware resides on the system, all attempts to recover your files might fail. The virus might encrypt decrypted files again. It goes without saying that this malicious program running on your computer also makes the system vulnerable and easily accessible to other cyber threats. Thus, first of all, you have to focus on virus removal.

For ransomware elimination, you will need to use a professional malware removal program and run a full system scan. However, this ransomware is designed to resist simple deletion from the system. Thus, you may need to take extra steps before running security software. In this case, Jaff removal instructions on 2-spyware will be handy to you.

May 2017: WannaCry causes most of the headache

Nearly a month has passed since the first reports about WannaCry ransomware started flooding the Internet, and these have definitely been an intense few weeks. Home users, businesses and even major organizations such as hospitals or telecommunication services have been losing large quantities of data and money to this parasite. Some had to suspend or limit their daily operations because of the attacks. For now, the initial wave of WCry attacks seems to have ceased, so we can look back on it in a more structured manner and highlight the things that have been causing the most headache to the online community.

For a large portion of May after the virus showed up, WCry was peaking rapidly and infecting thousands of devices a day. Reports about newly targeted countries would also emerge daily, causing panic across the world. Over the span of a month, the malware managed to infect over 400,000 machines, making history as the biggest ransomware attack to this day. The virus would probably not have made it this far if not for the ETERNALBLUE exploit, which the hacker group called Shadow Brokers leaked from the NSA’s secret servers earlier in April. The exploit specifically targeted the MS17-010 vulnerability found in Windows operating systems. In particular, 98 percent of the affected machines were outdated Windows 7 versions which no longer receive security patches from Microsoft. This security hole is still a major threat for users who are using expired software or have not updated their Windows 10 to the latest version. Undoubtedly, ransomware will thrive as long as the criminals are able to take advantage of such vulnerabilities.

Despite the fact that security experts managed to come up with a killswitch and decryptor which partially immobilized WannaCry, the virus’s success has sparked a new wave of interest in ransomware development. Experts say that spin-off versions such as XData or WannaCry 2.0 are just a beginning and the grim legacy of this nasty cyber infection will continue in the future. Thus, it is important to brace ourselves for the potential attacks, protect our devices with professional security software, regularly look for system updates and keep backups.

Things to consider before installing Amazon Assistant

is one of those sites where you can find almost everything you need. Undoubtedly, it’s easy to get lost in a variety of products and find the best deal. In order to help users, the company created the Amazon Assistant browser extension. However, if you are one of the online shopping lovers, you should not get excited. Security experts had concerns about this tool and categorized it as a potentially unwanted program (PUP). The main reasons include: the ability to sneak inside the computer unnoticed, tracking data and sharing it with third parties, displaying an excessive amount of online ads and having a complicated removal procedure. If you are looking for an honest opinion on whether it’s worth installing or not, we can assure you that this add-on should not find a place in your browser’s extension list. Former users even call it an Amazon Assistant virus.

Before installing any new program, it’s important to read the Privacy Policy. This document reveals how much information the application collects and how it treats aggregated data. Amazon Assistant doesn’t mind to share details about your to third-parties. Undoubtedly, this information will be used for advertising purposes, and soon you will see lots of ads when browsing the web. Indeed, it’s disturbing and annoying. However, it might be dangerous too. Some of the ads might deliver fake Amazon deals and redirect to suspicious websites where you can get infected with computer viruses. However, it may not be the only threat. Once you install this tool, you will receive lots of emails and shopping offers. Undoubtedly, they might be useful, but the problem is that cyber criminals send identical emails. The only difference is that they are infected. For several years, cyber criminals have been sending emails informing about order updates, shipping problems, and other similar problems. Crooks use thousands of different emails to spread various versions of the so-called Order update virus.

The last problem related to Amazon Assistant is its complicated removal procedure. It doesn’t matter whether users installed it directly from the website or it sneaked in with a software bundle. Plenty of people complain that they are unable to get rid of it. Some say that this program does not have an “Uninstall” option, and others claim that it is magically reinstalled on the computer again and again. Thus, if we convinced you to get rid of this program or you are dealing with uninstallation problems, you might find these Amazon Assistant removal instructions handy. If you are one of those people who are still considering its installation, bear in mind that you will need to work hard to remove this extension if it does not meet your expectations.