FakeCry Ransomware

By GoldSparrow in Ransomware

The FakeCry Ransomware is also known as NotPetya. The people responsible for the FakeCry Ransomware have withdrawn the entire amount that had been paid by victims of the attack in Bitcoins. Unfortunately, although there was no way to help the victims of the FakeCry Ransomware attack recover their data, many computer users paid the FakeCry Ransomware ransom, some as much as $300 USD in Bitcoins. Overnight, nearly 4 BTC (approximately $10400 USD) were withdrawn from the Bitcoin wallet associated with the FakeCry Ransomware. The people responsible for the FakeCry Ransomware have put out a message demanding a payment of 100 Bitcoins (approximately $250000 USD) in exchange for the master decryption key, which could help all victims of the FakeCry Ransomware recover their files. This makes it reasonable to assume that the people responsible for the FakeCry Ransomware attack are cashing out to move on to different ventures.

There's no Fake Cry When Attacked by the FakeCry Ransomware

Rather than using a normal ransomware attack where the victim's files are encrypted, the FakeCry Ransomware will infect computers running Windows and delete the victim's files. The most widespread attack was a result of a bogus update for MeDoc, a tax program that is used in Ukraine. This vector was used to deliver other ransomware Trojans apart from the FakeCry Ransomware. The FakeCry Ransomware is a copycat of WannaCry, the infamous ransomware Trojan responsible for thousands of infections around the world earlier in 2017. Since the bulk of these attacks occurred, many computer users have moved on and recovered their files or restored their systems in one way or another. The FakeCry Ransomware is a clone of WannaCry written in .NET; its attack is superficially similar to WannaCry's but has different characteristics.

How the FakeCry Ransomware Carries out Its Attack

The FakeCry Ransomware will delete the victim's Shadow Volume Copies of files, making it nearly impossible to recover the affected files this way. The FakeCry Ransomware will scan all drives, including external memory devices and directories shared on a network, for files with the following extensions:

doc,docx,xls,xlsx,ppt,pptx,pst,ost,msg,eml,vsd,vsdx,txt,csv,rtf,123,wks,wk1,pdf,dwg,onetoc2,snt,docb,docm,dot,dotm,dotx,xlsm,xlsb,xlw,xlt,xlm,xlc,xltx,xltm,pptm,pot,pps,ppsm,ppsx,ppam,potx,potm,edb,hwp,602,sxi,sti,sldx,sldm,sldm,vdi,vmdk,vmx,gpg,aes,ARC,PAQ,bz2,tbk,bak,tar,tgz,gz,7z,rar,zip,backup,iso,vcd,raw,cgm,tiff,nef,psd,ai,svg,djvu,m4u,m3u,mid,wma,flv,3g2,mkv,3gp,mp4,mov,avi,asf,mpeg,vob,mpg,wmv,fla,swf,wav,mp3,sh,class,jar,java,rb,asp,php,jsp,brd,sch,dch,dip,pl,vb,vbs,ps1,bat,cmd,js,asm,h,pas,cpp,c,cs,suo,sln,ldf,mdf,ibd,myi,myd,frm,odb,dbf,db,mdb,accdb,sql,sqlitedb,sqlite3,asc,lay6,lay,mml,sxm,otg,odg,uop,std,sxd,otp,odp,wb2,slk,dif,stc,sxc,ots,ods,3dm,max,3ds,uot,stw,sxw,ott,odt,pem,p12,csr,crt,key,pfx,der.

The FakeCry Ransomware will then encrypt the files using a strong encryption algorithm and display a program window named 'Wanna Decrypt0r 2.0' to demand a ransom payment. The ransom message is also dropped in a text file named '@Please_Read_Me@.txt'. The message shown below is contained in the FakeCry Ransomware ransom note:

'Q: What's wrong with my files?
A: Oooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption. Please send 0.1 bitcoin to this bitcoin address: 13KBb1G7pkqcJcxpRHg387roBj2NX7Ufyf
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users.
* If you need our assistance, send a message by clicking < Contact Us > on the decryptor window.'

In its ransom note, the FakeCry Ransomware displays a countdown timer, giving the victim five days to pay and doubling the fee every day. Unfortunately, there is no practical way to recover the files encrypted by the FakeCry Ransomware, even if the ransom is paid. This makes the FakeCry Ransomware a nasty hoax, particularly since even victims who pay the ransom will not receive any response from the people responsible for the attack. Malware analysts advise computer users to install a reliable security program and keep file backups on an external memory device or in the cloud.
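
For triage, the two artifact names given above ('@Please_Read_Me@.txt' and '@WanaDecryptor@.exe') can be swept for across local and shared directories. The following Python code is an added example, not part of the original article or any vendor tool; it confirms a note hit by looking for phrases quoted from the ransom note. The function names, result tags and sample directory tree are assumptions made for illustration.

```python
import os
import tempfile

# Names and phrases from the article, lower-cased (Windows names ignore case).
NOTE_NAME = "@please_read_me@.txt"
DECRYPTOR_NAME = "@wanadecryptor@.exe"
NOTE_PHRASES = ("@wanadecryptor@.exe", "your important files are encrypted")

def note_matches(path, limit=64 * 1024):
    """True if the start of the file contains a phrase from the ransom note."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(limit)
    except OSError:
        return False  # locked or unreadable: caller reports the name only
    # Assumption: the note's encoding is not stated, so try UTF-8 and UTF-16.
    return any(phrase in head.decode(enc, errors="ignore").lower()
               for enc in ("utf-8", "utf-16") for phrase in NOTE_PHRASES)

def sweep(root):
    """Walk root and return {directory: set of finding tags}."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == DECRYPTOR_NAME:
                tag = "decryptor"
            elif name.lower() == NOTE_NAME:
                hit = note_matches(os.path.join(dirpath, name))
                tag = "note-confirmed" if hit else "note-name-only"
            else:
                continue
            findings.setdefault(dirpath, set()).add(tag)
    return findings

def build_demo_tree(root):
    """Constructed sample: one hit directory, one look-alike, one clean."""
    samples = {("share", "@Please_Read_Me@.txt"): "A: Oooops, your important files are encrypted.",
               ("share", "@WanaDecryptor@.exe"): "placeholder, not a real binary",
               ("notes", "@please_read_me@.TXT"): "grocery list",
               ("clean", "report.docx"): "quarterly numbers"}
    for (folder, name), body in samples.items():
        os.makedirs(os.path.join(root, folder), exist_ok=True)
        with open(os.path.join(root, folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for directory, tags in sorted(sweep(tmp).items()):
            print(os.path.relpath(directory, tmp), sorted(tags))
```

A "note-name-only" result means the file name matched but none of the quoted phrases were found, so it should be reviewed by hand before the directory is treated as affected.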
