How to remove ZipRar (Mac)
ZipRar is an ad-supported file-archiving utility for Mac. The program itself has basic functionality and design, similar to the well-known Keka and iZip utilities. Unlike its reputable analogs, the ZipRar installer (ZipRar.dmg) is bundled with adware and hijackers, for example search.festovshade.com. Security specialists categorize this application as adware and relate it to the notorious Genieo. In this article we have prepared an easy guide to removing ZipRar from different versions of macOS.
How to remove Ads X (Windows and Mac)
If you see "Ads X" ads in Google Search, there is a high possibility that your PC is infected with adware. These ads resemble native Google ads, but they belong to doubtful advertising networks. Usually such ads, pop-ups and banners are generated by the SearchAwesome (on Windows) or MacPerformance and MacVX (on macOS) extensions; however, the advertising add-on can be named differently. The extensions can be installed in Safari, Google Chrome, Mozilla Firefox and sometimes in Internet Explorer, Opera and Edge. Links in such ads often lead to potentially unwanted downloads, malicious pages and doubtful online services. For your safety, privacy and PC security, we do not recommend clicking on such advertisements.
How to remove Dharma-Combo Ransomware and decrypt .combo or .cmb files
Combo Ransomware is a new reincarnation of the Dharma/Cezar/Crysis ransomware family and the successor of Arrow and Bip Ransomware. This version appends a complex extension that ends with .combo or .cmb and contains an e-mail address and a unique ID. Combo Ransomware encrypts all sensitive files, including documents, images, videos, databases, archives, project files, etc. Windows files stay untouched so that the system keeps operating stably. Combo Ransomware uses AES-256 encryption, which makes the victim's files inaccessible without the decryption key. As of today, decryption is not possible; however, you can attempt to recover files from backups or try file recovery software. There is also a chance of decryption after using the methods explained in this article.
How to remove Search.hogwarin.com (Mac)
Search.hogwarin.com is another typical representative of search hijackers for Mac that installs in Safari, Google Chrome and Mozilla Firefox. It infects browsers using Hogwarin extensions, which control and modify browser settings such as the homepage, default search engine and new tab page. Users cannot change these settings unless the malicious add-on is removed. Like other hijackers of this type, Search.hogwarin.com redirects the user's queries to search.yahoo.com. A special removal tool for Hogwarin, called Uninstall.dmg, is offered on their website. It will presumably remove the extension and reset the settings. However, we do not recommend downloading additional software from developers of adware and hijackers.
How to remove RYUK Ransomware and decrypt .RYK or .rcrypted files
RYUK Ransomware is a virulent ransomware threat based on the code of the Hermes 2.1 and BitPaymer viruses. Researchers believe that the famous Lazarus Group is responsible for the development and implementation of the virus. The latest variations of this virus append the .RYK or .rcrypted extension to encrypted files. Hackers demand 15-50 BTC for decryption, which is a large amount. RYUK Ransomware does not bypass UAC and requires permission to run, which means the user granted the virus executable access to the computer. The ransomware encrypts all files except those in the following folders: "Windows", "Mozilla", "Chrome", "RecycleBin", "Ahnlab". Before the onset of destructive activity, the malware stops more than 180 services and 40 processes using the taskkill and net stop commands. The stopped services and processes mainly belong to antivirus software, running databases, and backup and document-editing software that could prevent file encryption.
How to remove STOP Ransomware and decrypt .DATAWAIT, .INFOWAIT or .shadow...
This is the fourth iteration of the notorious STOP Ransomware, launched in November 2018. It now adds the .DATAWAIT, .INFOWAIT or .shadow extension to encrypted files. The virus uses a new name for its ransom note: !readme.txt. It pretends to be a Windows update and uses the TeamViewer resource. The ransomware still uses the RSA-1024 encryption algorithm. The current version of STOP Ransomware was developed in Visual Studio 2017. This variation of STOP Ransomware demands a $290 ransom for decryption. The malefactors offer a 50% discount if users pay within 72 hours. At the moment, there are no decryption tools available for STOP Ransomware.
How to remove QIP.ru (QIP Surf)
QIP.ru is a potentially unwanted third-party Russian search engine and news website, powered by Yandex.ru. It infects users' computers along with the QIP Surf browser, which is built on the Chromium platform. It installs without the user's permission and replaces the default browser. QIP.ru is also spread separately in Google Chrome, Mozilla Firefox or Internet Explorer, where it replaces the default search engine and homepage.
How to remove STOP (Puma) Ransomware and decrypt .puma, .pumax or...
Puma Ransomware, which started to hit thousands of computers in November 2018, is actually nothing but another variation of STOP Ransomware. The current version appends the .puma, .pumax or .pumas extension to encrypted files, which is how it got its nickname. The virus uses the same name for the ransom note file: !readme.txt. The developers tried to confuse ransomware identification services and users by adding new extensions, but the same templates, code and other signs unequivocally indicate which family it belongs to. As the name of the executable, updatewin.exe, shows, it pretends to be a Windows update. Puma (STOP) Ransomware still uses the RSA-1024 encryption algorithm. The current version of Puma Ransomware was developed in Visual Studio 2017.