fixfiles@protonmail.ch Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 35
First Seen: December 21, 2016
Last Seen: May 27, 2021
OS(es) Affected: Windows

The 'fixfiles@protonmail.ch' Ransomware is a variant of the Fantom Ransomware and is named after the contact details left inside 'RESTORE-FILES!.hta', which serves as the ransom notification. Security analysts report that the 'fixfiles@protonmail.ch' Ransomware features new obfuscation layers and a modified encryption procedure. These changes are intended to hinder detection by AV software and allow the Trojan to infect many users before researchers catch on to it. Slight modifications to the code, coupled with customized obfuscation techniques and a customized encryption engine, allow threats like the 'fixfiles@protonmail.ch' Ransomware and the DXXD Ransomware to remain persistent throughout 2016.

Spam Emails and Fake Updates to Browser Plug-Ins Are Used to Install the 'Fixfiles@Protonmail.ch' Ransomware on Systems

ESG experts note that malicious documents attached to spam emails continue to be the preferred method of distribution for encryption Trojans like the 'fixfiles@protonmail.ch' Ransomware. Additionally, illegally obtained software may carry a dropper for ransomware, since many users are interested in using pirated programs. It is best to avoid cracked applications, which may be laced with the 'fixfiles@protonmail.ch' Ransomware. The 'fixfiles@protonmail.ch' Ransomware is equipped with a powerful encryption engine that uses the AES-256 cipher to lock data stored on the local drives and on USB drives connected to your machine. Samples of the Trojan show that it is designed to lock data containers associated with photos, video, music, office documents, books, databases and proprietary software like Adobe Photoshop, CorelDRAW and DesignCAD 3D Max. The 'fixfiles@protonmail.ch' Ransomware works like the '.aesir File Extension' Ransomware and places a custom file marker, '.locked4', on enciphered files. For example, 'Royal Opera London.pptx' is transformed into 'Royal Opera London.pptx.locked4'.

The Ransom Demands Are Loaded Within an HTA Application

A file named 'RESTORE-FILES!.hta' can be found on the desktop of infected users. The file is dropped by the 'fixfiles@protonmail.ch' Ransomware and contains instructions on how to deliver payment using Bitcoin. Evidently, the contents of 'RESTORE-FILES!.hta' are the same as the message used by the Fantom Ransomware, but the contact email is different. Computer users who have the Volume Shadow Copy Service enabled may be able to restore their data. If that is not possible, backup images and archives should provide users with clean files to restore from. Cloud-based backup storage like Dropbox and Google Drive might not be affected by the 'fixfiles@protonmail.ch' Ransomware as long as you did not enable the auto-sync option. Computer users might want to check on the latest cyber security news and consider installing a credible anti-malware suite that can block and delete threats like the 'fixfiles@protonmail.ch' Ransomware. AV tools can detect executables related to the 'fixfiles@protonmail.ch' Ransomware as:

  • Gen:Variant.MSILPerseus.59449
  • Trojan.MSILPerseus.DE839
  • MSIL/Filecoder.DH
  • backdoor.msil.bladabindi.al
  • Artemis!FF03F63A234D
  • HEUR/QVM03.0.0000.Malware.Gen
  • Heur.AdvML.B
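The two artifacts described above, the '.locked4' marker appended to encrypted files and the 'RESTORE-FILES!.hta' note, are enough for a quick triage sweep of a suspect machine or a mounted backup. The script below is an added example, not code from the original page or from any AV vendor: it walks a directory tree, lists files carrying the marker, recovers their pre-encryption names (so the scope of the damage can be matched against backups), and reports whether the note is present. The sample tree it builds under a temporary directory is constructed for the demonstration; the filenames in it are hypothetical.

```python
"""Triage sweep for the '.locked4' file marker and the 'RESTORE-FILES!.hta' ransom note.

Added example (not code from the original page). Walks a directory tree, collects
files carrying the '.locked4' marker, recovers their original names and notes
whether the ransom note is present.
"""
import os
import tempfile
from collections import Counter

MARKER = ".locked4"               # extension the ransomware appends (from the page)
NOTE_NAME = "RESTORE-FILES!.hta"  # ransom note file name (from the page)


def original_name(path):
    """Return the pre-encryption filename for a marked file, else None."""
    name = os.path.basename(path)
    if not name.endswith(MARKER) or len(name) == len(MARKER):
        return None  # not marked, or nothing left once the marker is stripped
    return name[: -len(MARKER)]


def sweep(root):
    """Walk `root`; return marked files, per-extension counts and ransom note locations."""
    marked, notes, ext_hits = [], [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname == NOTE_NAME:
                notes.append(full)
                continue
            orig = original_name(full)
            if orig is not None:
                marked.append((full, orig))
                ext_hits[os.path.splitext(orig)[1].lower() or "<none>"] += 1
    return {"marked": marked, "notes": notes, "extensions": dict(ext_hits),
            "suspect": bool(marked) or bool(notes)}


def build_sample_tree():
    """Constructed sample tree (hypothetical filenames) so the sweep runs offline."""
    root = tempfile.mkdtemp(prefix="locked4_demo_")
    os.makedirs(os.path.join(root, "Documents"))
    for rel in ("Documents/Royal Opera London.pptx.locked4", "Documents/budget.xlsx.locked4",
                "Documents/notes.txt", NOTE_NAME, "photo.jpg.locked4"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample content\n")
    return root


if __name__ == "__main__":
    result = sweep(build_sample_tree())
    print(f"suspect={result['suspect']} marked={len(result['marked'])} notes={len(result['notes'])}")
    for full, orig in result["marked"]:
        print(f"  {full} -> original name: {orig}")
```

On a real host, point `sweep()` at the user profile or a mounted image rather than the sample tree; the recovered original names give the list of files to pull from backup or from Volume Shadow Copy snapshots.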
