Virus and Spyware Removal Guides, uninstall instructions
What kind of malware is Arcus?
We have examined Arcus and found that it is ransomware with two variants, one of which is based on Phobos ransomware. It encrypts files and appends an extension to filenames (the extension depends on the ransomware variant). Arcus also provides a ransom note: the Phobos variant generates an "info.txt" file and displays a pop-up window, while the second variant drops the "Arcus-ReadMe.txt" file.
The Phobos variant renames files by appending the victim's ID, an email address, and the ".Arcus" extension to filenames. For instance, it renames "1.jpg" to "1.jpg.id[9ECFA84E-3537].[arcustm@proton.me].Arcus" and "2.png" to "2.png.id[9ECFA84E-3537].[arcustm@proton.me].Arcus". The second variant appends "[Encrypted].Arcus" to filenames (e.g., "1.jpg[Encrypted].Arcus").
What kind of malware is MrBeast?
MrBeast ransomware is malware designed to encrypt files to extract money from victims. Additionally, this ransomware renames files by appending the ".MrBeastOfficial@firemail.cc-MrBeastRansom" extension and provides two ransom notes (displays a pop-up message and creates a text file named "MrBeastChallenge.txt").
An example of how MrBeast ransomware changes filenames: it renames "1.jpg" to "1.jpg.MrBeastOfficial@firemail.cc-MrBeastRansom", "2.png" to "2.png.MrBeastOfficial@firemail.cc-MrBeastRansom", and so forth. It is important to clarify that MrBeast is an online alias of a popular YouTuber who has nothing to do with the ransomware.
What is "Server Detected Network Error #404"?
Our team has examined this email and found that it masquerades as a notification from an email service provider. The scammers behind this fraudulent email seek to steal personal information via a deceptive page. Such emails are known as phishing emails, and recipients should ignore them.
What kind of page is traversol.co[.]in?
While investigating suspect sites, our researchers discovered the traversol.co[.]in rogue page. After inspecting this webpage, we learned that it endorses browser notification spam and redirects users to different (likely untrustworthy/hazardous) websites.
The majority of visitors enter traversol.co[.]in and pages of this kind via redirects caused by sites that utilize rogue advertising networks.
What is the fake "Seedify Regstration" website?
While browsing suspicious websites, our researchers discovered the "Seedify Regstration" scam. It imitates the Seedify website (seedify.fund). The scheme operates as a cryptocurrency drainer and steals funds from exposed digital wallets. It must be emphasized that this scam is not associated with Seedify.
What is the fake "Claim SatoshiDEX (SATX)" website?
"Claim SatoshiDEX (SATX)" is a scam that is almost a perfect visual copy of SatoshiDEX (satoshidex.ai). Upon inspection, we determined that this fake page (satoshidex-ai[.]org and potentially others) is a cryptocurrency drainer. The scheme lures users into exposing their digital wallets to steal the assets stored therein.
What is "Payroll Report Status"?
We have inspected this email and learned that its purpose is to extract personal information from recipients. Emails of this type are classified as phishing emails. This particular email is disguised as a letter regarding a change in the payroll report status to appear legitimate and lure recipients into opening a deceptive website.
What is the fake "Aethir ($ATH) Allocation" website?
"Aethir ($ATH) Allocation" is a scam imitating the Aethir platform (aethir.com). This scheme entices users to inadvertently expose their digital wallets to a crypto drainer by promoting an allocation increase of ATH cryptocurrency. Victims of this scam experience financial loss.
What kind of malware is UnicornSpy?
UnicornSpy is malware used to steal sensitive information. Cybercriminals have been observed using UnicornSpy to target energy companies, factories, and suppliers (and developers) of electronic components. The channel used for the distribution of this malware is email. However, threat actors may also deliver UnicornSpy using other methods.
What is guardflares.com?
We have inspected guardflares.com and discovered that it is a fake search engine. We also found that guardflares.com is promoted through a browser hijacker, an extension known as SpeedyLook. Search engines promoted through such extensions should not be trusted. If guardflares.com and/or SpeedyLook are present within a browser, they should be removed.