
How to remove Your Maps Now (search.yourmapsnow.com)

Search.yourmapsnow.com, or Your Maps Now, is a misleading browser hijacker that replaces the default search engine and homepage in Safari, Google Chrome or Mozilla Firefox on Windows or Mac. It is often accompanied by a browser extension or application called "Your Maps Now". This add-on sneaks into browsers and takes control of the main browser settings. It installs without user permission, using deceptive tactics. After installation, user search queries are redirected to query.yourmapsnow.com and then to search.yahoo.com. This allows the hijacker to collect private browser data and share it with advertising companies. The homepage also changes to Search.yourmapsnow.com and, besides search, provides quick links to main map resources such as Google Maps and Bing Maps. The page looks similar to a normal search engine page, and some users don't even see the difference until they start searching for something.

How to remove Obfuscated (BigBobRoss) Ransomware and decrypt .obfuscated, .cheetah, .encryptedALL...

Obfuscated Ransomware (BigBobRoss Ransomware) is a dangerous encryption virus that uses the AES-128 encryption algorithm to encrypt the user's files. After successful encryption it appends the .obfuscated, .cheetah, .encryptedALL or .djvu extension (the latest versions also add the prefix [id={8-digit-code}]). Obfuscated Ransomware creates a ransom note called Read me.txt and puts it on the desktop and in the folders with encrypted data. It also modifies the desktop wallpaper, placing text on a white background. The attackers allow 1 file under 1 Mb in size to be decrypted for free, as proof that decryption works. Obfuscated Ransomware attacks sensitive files, such as photos, videos, documents, databases, etc. The virus focuses on English-speaking users, which does not prevent it from spreading throughout the world. The first victims are from Moldova. It is currently unknown how much the attackers want for decryption. Of course, we do not recommend paying the ransom, as there are many cases when hackers don't send master keys or decryptors. There is still a chance that a decryption tool will be released by antivirus companies or security enthusiasts.

How to remove MegaLocker Ransomware and decrypt .crypted or .NamPoHyu files

MegaLocker Ransomware (NamPoHyu Virus) is a new ransomware virus that encrypts data from sites and servers using AES-128 (CBC mode), and then demands a $250 ransom from individuals ($1000 from companies) in BTC to return the files. Any Windows computers, Linux devices and Android devices connected to computers and network devices used to access the Internet are subject to attack. After encryption, MegaLocker adds the .crypted or .NamPoHyu extension to affected files. MegaLocker Ransomware was first spotted in March 2019, when multiple sources stated they were infected with MegaLocker Virus, which encrypted files on NAS devices with the .crypted extension. In April 2019 the name was changed to NamPoHyu Virus, and now the .NamPoHyu extension is appended. The developers are from Russia (or a Russian-speaking country). It is not recommended to pay the ransom, as there is no guarantee the attackers will send a decryptor in return. Paying the ransom also encourages the hackers to run malvertising campaigns and infect new victims.

How to remove GandCrab v5.3 Ransomware and decrypt your files

GandCrab v5.3 Ransomware is probably an imposter of the original GandCrab Ransomware family. However, it still encrypts files in a similar fashion to GandCrab v5.2 Ransomware. Encrypted files get a .[5-6-7-8-random-letters] extension, and the ransom note file has a different name, [5-6-7-8-random-letters]-MANUAL.txt, but still looks identical to the previous generation. After debugging the executable files, security specialists found the ironic comments "Jokeroo, new ransom" and "We rulez!!". Jokeroo is a new Ransomware-as-a-Service that is promoted on underground hacking sites and via Twitter, and that allegedly gives affiliates access to a fully functional ransomware and payment server. GandCrab Ransomware is growing into a separate industry, where people with bad intentions and basic computer knowledge can earn money with these criminal schemes. Some of the previous versions of GandCrab Ransomware could be decrypted with a special decryptor from BitDefender; we will provide a download link for this tool below.

How to remove PDF Converter Hub (Windows and Mac)

PDF Converter Hub (a.k.a. PDF Converter Hub New Tab, Search.hpdfconverterhub.com) is a potentially unwanted browser extension for Google Chrome, Mozilla Firefox and Safari. The malware originates from Cyprus and was developed by Eightpoint Technologies Ltd. (some sources indicate SpringTech Ltd.). It modifies the search and homepage settings in these browsers and controls them, not allowing users to make changes. The hijacker sets search.hpdfconverterhub.com as the default search engine, new tab and home page. However, search queries typed in the search box are redirected to search.yahoo.com, so there may be some kind of affiliation or partnership between the large search provider and the developer of the add-on. PDF Converter Hub also constantly prompts users to subscribe to its notifications, which leads to unwanted advertising delivered as desktop notifications. The main page itself consists of a toolbar, a search box, informational links and shortcuts to popular shopping sites and social networks. PDF Converter Hub is promoted as a convenient tool for converting various file formats to PDF and vice versa.

How to remove Planetary Ransomware and decrypt .mira, .yum, .neptune or...

Planetary Ransomware is a harmful file-encrypting virus that blocks access to the user's files by encrypting them and adding the .mira, .yum, .neptune or .pluto extension. After encryption, the malware developers demand a ransom to be paid in bitcoins. Planetary Ransomware creates a ransom note called !!!READ_IT!!!.txt, where the decryption routine and contact information are described. As our experience shows, the ransom varies between $500 and $1500. The attackers send cryptocurrency wallets to receive payment in Bitcoin or Ethereum. There is no way to track the payments, as such wallets are anonymous. Of course, we never advise paying the ransom, as there are many cases when hackers don't send master keys or decryptors. There is still a chance that a decryption tool will be released by antivirus companies or security enthusiasts.

How to remove Matrix Ransomware and decrypt .PEDANT, .ITLOCK, .SPCT or...

Matrix Ransomware is a ransomware virus that encrypts user files with either symmetric or asymmetric cryptography. It adds the .matrix extension to encrypted files. After finishing the encryption process, Matrix creates a text file, matrix-readme.rtf or Readme-Matrix.rtf. The virus places these files in every folder with affected files. This text file contains instructions for paying the ransom, in which the attackers encourage users to contact them via e-mail: bluetablet9643@yandex.ru, matrix9643@yahoo.com or redtablet9643@yahoo.com.

How to remove MacAppExtensions

MacAppExtensions (Adware.MAC.Linkury.C) is malware related to the Search.tapufind.com hijacker, which we described in some of our earlier articles. It works on macOS and targets the Safari, Google Chrome and Mozilla Firefox browsers. The main symptom is that your browsers' search and homepage settings change to search.tapufind.com, and this setting cannot be modified until MacAppExtensions is removed. However, this virus not only hijacks the browser, but also gathers private information about its user (it collects data related to browsing activity: geolocations, entered search queries, URLs of visited websites, IP addresses etc.).