
Facebook Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: June 20, 2017
Last Seen: July 23, 2019
OS(es) Affected: Windows

There is no real relationship between the Facebook Ransomware and Facebook. The Facebook Ransomware is not delivered via Facebook, nor does it use any theme related to Facebook in its attack. Mainly, the Facebook Ransomware receives its name because its main executable seems to be named 'facebook.exe' and because it marks the files it encrypts with the file extension '.facebook'. The Facebook Ransomware carries out a typical ransomware Trojan attack by encrypting the victims' files and then demanding the payment of a ransom in exchange for the means to recover from the attack.

Another Respected Social Network’s Name Used by Extortionists

The Facebook Ransomware is a typical encryption attack, mainly used to target computers in Western Europe and the United States. The Facebook Ransomware was first observed carrying out attacks in mid-June 2017. The Facebook Ransomware can infect most computers running the Windows operating system and takes advantage of vulnerabilities in macros and scripts to enter a computer. The most common way to deliver the Facebook Ransomware is through corrupted email attachments carrying a Microsoft Word document with enabled macros that download and install the Facebook Ransomware once the victim authorizes them. The Facebook Ransomware is based on HiddenTear, a well-known open source ransomware platform that has been responsible for countless ransomware variants since it first appeared in the summer of 2015. The Facebook Ransomware is just one of many HiddenTear variants active today, with new variants released each day. This is the main danger of HiddenTear: it has placed a highly effective ransomware platform in the hands of anyone, allowing people with few resources or little computer knowledge to carry out devastating, effective ransomware attacks.

How the Facebook Ransomware Carries out Its Attack

There is a slight change to the Facebook Ransomware's encryption method that may allow it to bypass some anti-virus engines in use, making the Facebook Ransomware substantially more effective than many other HiddenTear variants. In its encryption routine, the Facebook Ransomware uses AES-256 encryption in combination with RSA encryption to make the victim's files inaccessible. The Facebook Ransomware demands the payment of at least several hundred dollars to recover from the attack. The attack itself is typical of any HiddenTear variant or other encryption ransomware Trojan currently active. The Facebook Ransomware displays a ransom note themed after the Facebook layout and colors, delivering the following message in a program window that pops up on the infected computer:

'oops Your files are encrypted.
please click the button that says "How to decrypt my files"
[34 RANDOM CHARACTERS]
How to Decrypt your files.
Give me back my files!'

The use of 'Facebook' as a theme may trick inexperienced computer users into believing that the Facebook Ransomware or its associated executable file is part of some official Facebook application. This is, of course, not the case.
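A defender-side illustration of what the description above implies for detection: a burst of files suddenly acquiring the '.facebook' marker extension is a strong signal of an encryption run in progress. This is an added example, not code from the page or any vendor; the audit-event format, the threshold of five marker renames within 60 seconds and the sample events are constructed assumptions.

```python
# Added example: flag a burst of renames to the '.facebook' marker extension in
# constructed file-system audit events (format and thresholds are assumptions).
from collections import deque
from datetime import datetime, timedelta

MARKER_EXT = ".facebook"              # extension the page says is given to encrypted files
BURST_COUNT = 5                       # assumption: this many marker renames ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window is treated as an encryption burst

# Constructed audit lines: "<ISO timestamp> RENAME <old path> -> <new path>"
SAMPLE_EVENTS = [
    # a single marker rename hours earlier: below threshold, must not alert on its own
    r"2017-06-20T08:15:00 RENAME C:\Users\bob\Desktop\notes.txt -> C:\Users\bob\Desktop\notes.txt.facebook",
    r"2017-06-20T10:00:01 RENAME C:\Users\bob\Documents\report.docx -> C:\Users\bob\Documents\report.docx.facebook",
    r"2017-06-20T10:00:02 RENAME C:\Users\bob\Documents\budget.xlsx -> C:\Users\bob\Documents\budget.xlsx.facebook",
    r"2017-06-20T10:00:02 RENAME C:\Users\bob\Documents\draft.txt -> C:\Users\bob\Documents\final.txt",  # benign
    r"2017-06-20T10:00:03 RENAME C:\Users\bob\Pictures\holiday.jpg -> C:\Users\bob\Pictures\holiday.jpg.facebook",
    r"2017-06-20T10:00:04 RENAME C:\Users\bob\Documents\thesis.pdf -> C:\Users\bob\Documents\thesis.pdf.facebook",
    r"2017-06-20T10:00:05 RENAME C:\Users\bob\Music\song.mp3 -> C:\Users\bob\Music\song.mp3.facebook",
    r"2017-06-20T10:00:06 RENAME C:\Users\bob\Videos\clip.mp4 -> C:\Users\bob\Videos\clip.mp4.facebook",
]

def parse_event(line):
    """Split one audit line into (timestamp, action, old_path, new_path)."""
    ts, action, rest = line.split(" ", 2)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), action, old, new

def is_marker_rename(old, new):
    """True when a file that did not carry the marker extension now does."""
    return new.lower().endswith(MARKER_EXT) and not old.lower().endswith(MARKER_EXT)

def detect_bursts(lines, burst_count=BURST_COUNT, window=BURST_WINDOW):
    """Return the original paths of files caught in a marker-rename burst, sorted."""
    recent = deque()        # (timestamp, old_path) of marker renames still inside the window
    flagged = set()
    for line in lines:
        ts, action, old, new = parse_event(line)
        if action != "RENAME" or not is_marker_rename(old, new):
            continue
        recent.append((ts, old))
        while ts - recent[0][0] > window:   # drop renames that fell out of the window
            recent.popleft()
        if len(recent) >= burst_count:
            flagged.update(path for _, path in recent)
    return sorted(flagged)

if __name__ == "__main__":
    for path in detect_bursts(SAMPLE_EVENTS):
        print("possible encryption burst:", path)
```

With the sample events, the six renames between 10:00:01 and 10:00:06 are flagged while the isolated morning rename and the benign rename are not.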

Recovering from a Facebook Ransomware Infection

As with most encryption ransomware Trojans, the ability to recover your files from backup copies is paramount. The most practical way to ensure that you are completely protected from the Facebook Ransomware and other encryption ransomware Trojans is to keep backup copies of your files on an external storage device, an external server, or in the cloud. If backup copies of your files are available, recovering from the Facebook Ransomware infection is a simple matter of removing the infection itself with a reliable security program and then restoring the affected files from the backups. More advanced computer users may opt to wipe their hard drives entirely and restore the whole system from a backup disk image.
