Fob Ransomware

Fob Ransomware is the name of one of the most recently spotted data-lockers. This ransomware threat was not built from scratch. Instead, the authors of the Fob Ransomware have opted to base this threat on the DarkCrypt Ransomware. This is a common tactic used by authors of ransomware threats. Building a file-locker from the ground up required a fair amount of technical skills and effort, so borrowing the code of an already established ransomware threat is a method preferred by many cyber crooks.

Propagation and Encryption

According to security researchers, it is likely that the Fob Ransomware creators have used phishing emails that would either contain a corrupted link or a macro-laced attachment that would compromise one's system upon launching. Other commonly used propagation techniques include torrent trackers, corrupted advertising, fake application updates and downloads, bogus social media operations and others. When the Fob Ransomware infiltrates your computer, it will scan your data and locate the files that will be selected for encryption. Next, the Fob Ransomware will execute the encryption process and lock the targeted data. All the newly locked files will have their names altered. This file-locker appends the '.[<VICTIM ID>][decrypt25@protonmail.com]. Fob' extension to the names of the encrypted files. This means that a file that you had named 'golden-waves.pdf,' will be renamed to 'golden-waves.pdf.[<VICTIM ID>][decrypt25@protonmail.com].Fob.' This ransomware threat is likely to target documents, images, audio files, videos, presentations, databases, archives, spreadsheets and other popular files.

The Ransom Note

The Fob Ransomware drops a ransom note named 'ReadMe.txt' on the compromised host. In the ransom message, the attackers state that the ransom fee depends on how quickly the victim contacts them. They make it clear that the payment should be made in Bitcoin. To prove to the user that they have a working decryption tool, the authors of the Fob Ransomware offer to unlock five files free of charge, as long as they do not exceed 4MB in size total. The attackers also provide instructions on how to buy Bitcoin. There are two email addresses provided as a means of contacting the creators of the Fob Ransomware – ‘decrypt52@protonmail.com' and ‘decrypt25@protonmail.com.'

It is not advisable to contact cybercriminals. Such individuals keep their promises rarely, which means that even if you pay the ransom fee, it is likely that you will not receive the decryption key you need. It is best to remove the Fob Ransomware from your PC with the assistance of a genuine, up-to-date anti-malware solution.