
FORMA Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 14,708
Threat Level: 100 % (High)
Infected Computers: 170
First Seen: December 14, 2018
Last Seen: July 21, 2023
OS(es) Affected: Windows

The FORMA Ransomware is an encryption ransomware Trojan that was first observed on December 11, 2018. The FORMA Ransomware is a variant of HiddenTear, an open source encryption ransomware engine that has been around since August 2015. Since it was first released, HiddenTear has become the basis of countless encryption ransomware Trojans.

The FORMA Ransomware will Deform Your Files

The FORMA Ransomware carries out a typical encryption ransomware attack, which seems to target computer users located in Poland. The FORMA Ransomware is delivered mainly via spam email messages, often in file attachments that take the form of Microsoft Office documents with malicious embedded macros that install the FORMA Ransomware onto the victim's computer. Once installed, the FORMA Ransomware uses AES-256 encryption to make the victim's files inaccessible. The FORMA Ransomware's attack targets user-generated files, which may include numerous media files, document types, databases and configuration files. The file types that threats like the FORMA Ransomware target in these attacks include:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

The FORMA Ransomware marks each affected file by appending the file extension '.locked' to its name. After making the victim's files inaccessible, the FORMA Ransomware drops a ransom note as a text file written in Polish, named 'ODSZYFRFUJ_PLIKI_TERAZ.txt' (DECRYPT_FILES_NOW.txt). The ransom note displays the following text, which translated into English reads:

'ATTENTION !!! ALL YOUR FILES WERE CALLED WITH AN ENCRYPTION KEY! RECOVERY OF FILES IS POSSIBLE ONLY WITH THE AID OF A DECRYPTION KEY. NOTHING LOST, BY THE NEXT 48h, WE HAVE YOUR KEY THAT IS TRANSFERRED TO OUR SERVER! CONTACT US ON EMAIL: deszyfrujacy@yandex.com
TO RECOVER ACCESS TO FILES
ATTENTION! AFTER 48 HOURS FROM FILE ENCRYPTION, YOUR DECRYPTION KEY IS AUTOMATICALLY DELETED FROM OUR SERVER AND THE RECOVERY OF FILES IS NOT POSSIBLE. IN NO EVENT, DO NOT POWER OFF THE COMPUTER OR A DECRYPTION PROGRAM - IT MAY CAUSE A LOSS OF DATA. WE GUARANTEE THE RECOVERY OF ALL FILES!'

Dealing with the FORMA Ransomware Infection

Security experts strongly advise computer users to refrain from paying the FORMA Ransomware ransom or contacting the criminals responsible for the attack. Instead, computer users should restore any files lost to the FORMA Ransomware infection from backups. The FORMA Ransomware infection itself should be handled by a trustworthy security program, which will remove the threat if it has been installed on your computer.

Registry Details

FORMA Ransomware may create the following registry entry or registry entries:
Regexp file mask
%TEMP%\FORMA.exe
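As a defender-side triage helper added here (not code from the FORMA Ransomware or from the original article), the following Python walks a directory tree and checks for the three artefacts this page names: the '.locked' suffix, the ODSZYFRFUJ_PLIKI_TERAZ.txt ransom note and a file named FORMA.exe. The sample tree it builds is constructed and contains only harmless text files, and the TARGETED set is a small subset of the extension list above.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the FORMA Ransomware description above.
RANSOM_NOTE = "ODSZYFRFUJ_PLIKI_TERAZ.txt"
ENCRYPTED_SUFFIX = ".locked"
DROPPER_NAME = "FORMA.exe"  # dropped into %TEMP% according to the page
TARGETED = {".jpg", ".png", ".docx", ".xlsx", ".pdf", ".sql", ".mdb"}  # subset of the list above

def triage_tree(root):
    """Collect notes, '.locked' files (keyed by original extension) and dropper hits."""
    result = {"notes": [], "encrypted": {}, "dropper": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = str(Path(dirpath, name))
            if name == RANSOM_NOTE:
                result["notes"].append(path)
            elif name.lower() == DROPPER_NAME.lower():
                result["dropper"].append(path)
            elif name.lower().endswith(ENCRYPTED_SUFFIX):
                # 'report.docx.locked' -> pre-encryption extension '.docx'
                orig_ext = Path(name[: -len(ENCRYPTED_SUFFIX)]).suffix.lower()
                result["encrypted"].setdefault(orig_ext, []).append(path)
    return result

def verdict(result, min_encrypted=3):
    """Note plus several '.locked' files is strong; a lone indicator only warrants a look."""
    n_locked = sum(len(v) for v in result["encrypted"].values())
    targeted_hits = [ext for ext in result["encrypted"] if ext in TARGETED]
    if result["notes"] and n_locked >= min_encrypted:
        return "likely FORMA/HiddenTear encryption"
    if result["dropper"] or result["notes"] or targeted_hits:
        return "suspicious, investigate"
    return "no FORMA indicators"

def build_sample(root):
    """Constructed sample tree mimicking an infected profile (harmless text files only)."""
    docs = Path(root, "Documents"); docs.mkdir(parents=True)
    for name in ("report.docx.locked", "budget.xlsx.locked", "photo.jpg.locked",
                 "notes.txt", RANSOM_NOTE):
        (docs / name).write_text("constructed sample content")
    tmp = Path(root, "Temp"); tmp.mkdir()
    (tmp / DROPPER_NAME).write_text("placeholder text, not an executable")

def demo():
    """Build the constructed tree in a temp dir, triage it and return (verdict, result)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        result = triage_tree(root)
        return verdict(result), result
```

Point triage_tree at a real user profile instead of the constructed tree to get the same grouping of '.locked' files by their original extension, which shows at a glance which of the targeted file types were hit.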
