In this article we describe the third generation of STOP Ransomware; the previous two versions were described by our team earlier. This variation was actively spread in August and September 2018. The virus has already attacked users from 25 countries, including Brazil, Chile, Vietnam, USA, United Arab Emirates, Egypt, Algeria, Indonesia, India, Iran, Poland, Belarus, Ukraine. This variation uses symmetric and asymmetric cryptography and adds the .KEYPASS, .WHY or .SAVEfiles extension to files after encryption. The intruders demand a $300 ransom for decryption. They offer to decrypt up to 3 random files for free to prove that decryption is possible. The hackers also warn that if the amount is not paid within 72 hours, data restoration will be impossible.
Facebook.com (a.k.a. Facebook App or just Facebook) is an advertising application for Mac that opens the Facebook.com website on macOS startup and adds itself to the Dock. At first sight it seems harmless; however, with this application malefactors can get access to browser data and settings and use them to display targeted advertising and pop-ups in Safari or Google Chrome. We recommend that you remove the Facebook.com virus application from your Mac and remove residual data.
Magniber My Decryptor Ransomware is a widespread crypto-virus that targets Windows PCs. It focuses on English and South Korean users. Since June 2018, Magniber attacks have shifted to other countries in the Asia-Pacific region: China, Hong Kong, Taiwan, Singapore, Malaysia, Brunei, Nepal and others. The virus got its name from the combination of two words, Magnitude + Cerber. Here, Magnitude is a collection of exploits, the last infection vector used for Cerber. With this threat, the Cerber malware ended its distribution in September 2017. But the ransomware's Tor site states "My Decryptor", which is where the second part of the name came from. After encryption, Magniber My Decryptor Ransomware can add 5, 6, 7, 8 or 9 random letters as the file extension. Magniber My Decryptor Ransomware demands 0.2 Bitcoins for file decryption. The hackers threaten to double the amount in 5 days. The virus can encrypt almost any file on your computer, including MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives.
"YOUR COMPUTER HAS BEEN BLOCKED" is a fake pop-up alert or message that may appear in Google Chrome, Mozilla Firefox, Edge or Internet Explorer. It is categorized as a tech support scam, as in many cases it compels or provokes users to dial some "toll free" number. It can imitate a virus infection or a Windows error directly in the browser. On the other end of the line you will hear an experienced Indian fraudster, who will introduce himself as a "technical support specialist" and will encourage you to pay a certain fee to fix problems with your computer that never existed. The "YOUR COMPUTER HAS BEEN BLOCKED" pop-up has many design variations, and its texts and the reasons for its appearance can also differ. In some cases, such alerts may offer some rubbish "windows optimization" software for download.
Gamma Ransomware is a file-encrypting virus, categorized as ransomware and belonging to the Crysis-Dharma-Cezar family. This is one of the most widespread ransomware families. It got its name from the file extension it adds to encrypted files. The virus uses a complex extension that consists of an e-mail address and a unique 8-digit identification number (randomly generated). Gamma Ransomware developers demand from 0.05 to 0.5 BTC (Bitcoins) for decryption, but offer to decrypt 1 non-archived file for free. The file should be less than 1 Mb. We recommend that you recover 1 random file, as it can help with possible decoding in the future. Keep the pair of encrypted and decrypted samples. Currently, there are no decryption tools available for Gamma Ransomware; however, we recommend that you use the instructions and tools below. Users often remove copies and duplicates of documents, photos and videos, and the infection may not affect deleted files. Some of the removed files can be restored using file recovery software.
Java Ransomware is an extremely harmful file-encrypting virus that belongs to the Dharma/Crysis ransomware family. It adds the .java extension to all encrypted files. Usually, this is a complex suffix that contains a unique ID and an e-mail address. Java Ransomware is spread through spam mailings with malicious .docx attachments. Such attachments contain malicious macros that run when the user opens the file. These macros download an executable from a remote server, which in turn starts the encryption process.