Fopra Ransomware

Cybersecurity researchers have uncovered another harmful malware threat belonging to an established ransomware family, the Phobos Ransomware family. Although it is just another variant, the threat tracked as the Fopra Ransomware is potent, and its destructive potential should not be underestimated. If deployed successfully onto the targeted computers, Fopra will activate its encryption process and leave nearly all of the victim's documents, PDFs, archives, databases, photos, etc., in an unusable state.

Each locked file will have its name changed drastically. Affected users will notice that their files now carry an ID string, an email address, and a new file extension as part of their names. The email used by the Fopra Ransomware is 'poshix@tfwno.gf', while the file extension is '.fopra'. When all targeted file types have been encrypted, the malware will create two files on the system: 'info.txt' and 'info.hta'. These files carry ransom notes with instructions from the cybercriminals.
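A triage sketch for the naming pattern described above, added here as an example and not taken from the original write-up or from any vendor tool: it sorts a file listing into renamed files, ransom notes and victim IDs. The bracketed `name.id[ID].[email].fopra` layout, the function name `triage` and the sample paths are assumptions; the page gives only the e-mail, the extension and the note file names.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
EXTENSION = ".fopra"
CONTACT = "poshix@tfwno.gf"
NOTE_NAMES = {"info.txt", "info.hta"}

# Assumption: ID and e-mail are appended in brackets, e.g.
# "report.docx.id[<victim id>].[poshix@tfwno.gf].fopra". The page does not
# spell out the layout, so names that do not fit it are reported separately.
LAYOUT = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\]]+)\]\.\[(?P<email>[^\]]+)\]"
    + re.escape(EXTENSION) + "$",
    re.IGNORECASE,
)

def triage(paths):
    """Sort a file listing into renamed files, ransom notes and victim IDs."""
    summary = {"encrypted": [], "unparsed": [], "notes": [], "victim_ids": set()}
    for raw in paths:
        name = PureWindowsPath(raw).name
        lowered = name.lower()
        if lowered in NOTE_NAMES:
            summary["notes"].append(raw)
        elif lowered.endswith(EXTENSION):
            match = LAYOUT.match(name)
            if match and match.group("email").lower() == CONTACT:
                # Keep the pre-encryption name for matching against backups.
                summary["encrypted"].append((raw, match.group("original")))
                summary["victim_ids"].add(match.group("victim_id"))
            else:
                summary["unparsed"].append(raw)
    # info.txt is a common file name, so notes alone do not mark a host.
    summary["affected"] = bool(summary["encrypted"] or summary["unparsed"])
    return summary

# Constructed sample listing (not real victim data).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.id[SAMPLE-0001].[poshix@tfwno.gf].fopra",
    r"C:\Users\alice\Pictures\cat.jpg.id[SAMPLE-0001].[poshix@tfwno.gf].fopra",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Desktop\info.txt",
    r"C:\Users\alice\Documents\notes.fopra",
    r"C:\Users\alice\Documents\readme.md",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

More than one entry in `victim_ids` across a listing is worth a second look, since it may mean the listing mixes files from several affected machines.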

The message delivered in the text file mainly consists of the methods that victims can use to contact the operators of the Fopra Ransomware. Besides the email found in the names of the encrypted files, the message also mentions two additional addresses: 'rootma@cyberfear.com' and 'usupmail@webmeetme.com'. Alternatively, users can contact a representative of the cybercriminals via the Wire messenger app.

The main ransom note, displayed as a pop-up window, reveals that the attackers will only accept ransom payments made using the Bitcoin cryptocurrency. They are also willing to unlock up to 3 files for free as a demonstration. However, the chosen files must not contain any important information and should have a total size of less than 4 MB.

The full text of the ransom note is:

'All your files have been encrypted!

'All of your files have been encrypted. If you want to restore them, write to us by e-mail: poshix@tfwno.gf
Write this ID in the title of your message -
To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails:rootma@cyberfear.com or usupmail@webmeetme.com
For quick and convenient feedback, write to the online operator in the Wire messenger: zexor (The username of the Wire account must be exactly the same as above,beware of fake accounts.)
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise we are not responsible for the decryption!
Do not rename encrypted files.
Do not try to decrypt your data using third-party software, as this may result in irreversible data loss.

Decrypting your files with the help of third parties may increase the price (they add their fee to ours) or you risk losing money without receiving files decryption in return.
!!! When contacting third parties, we do not give a guarantee for decryption of your files !!!

The instructions delivered as a text file are:

!! All your files are encrypted !!!
To decrypt them, send an email to this address: poshix@tfwno.gf
To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails:
rootma@cyberfear.com or usupmail@webmeetme.com
For quick and convenient feedback, write to the online operator in the Wire messenger: @zexor
(The username of the Wire account must be exactly the same as above, be vigilant any accounts that differ even by one letter are fakes.)

Attention!
To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise, we are not responsible for the decryption!
'
