FORMA Ransomware
EnigmaSoft Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
Ranking: The ranking of a particular threat in EnigmaSoft’s Threat Database.
Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
See also Threat Assessment Criteria.
| Metric | Value |
|---|---|
| Ranking | 14,708 |
| Threat Level | 100 % (High) |
| Infected Computers | 170 |
| First Seen | December 14, 2018 |
| Last Seen | July 21, 2023 |
| OS(es) Affected | Windows |
The FORMA Ransomware is an encryption ransomware Trojan that was first observed on December 11, 2018. The FORMA Ransomware is a variant of HiddenTear, an open source encryption ransomware engine that has been around since August 2015. Since it was first released, HiddenTear has become the basis of countless encryption ransomware Trojans.
The FORMA Ransomware will Deform Your Files
The FORMA Ransomware carries out a typical encryption ransomware attack, which appears to target computer users located in Poland. The FORMA Ransomware is delivered mainly via spam email messages, often as file attachments in the form of Microsoft Office documents whose embedded malicious macros install the FORMA Ransomware on the victim's computer. Once installed, the FORMA Ransomware uses AES-256 encryption to make the victim's files inaccessible. The FORMA Ransomware's attack targets user-generated files, which may include numerous media files, document types, databases and configuration files. The file types that threats like the FORMA Ransomware target in these attacks include:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
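The delivery vector described above (Office attachments carrying embedded macros) is something a mail gateway or incident responder can triage without opening the document. The following is an added example for this page, not EnigmaSoft's code and not anything from the FORMA Ransomware itself. It assumes two facts that are not stated on the page: OOXML files (.docx/.docm/.xlsx/.xlsm) are ZIP containers that store VBA code in a part named vbaProject.bin, and legacy binary Office files (.doc/.xls) begin with the OLE2 signature D0 CF 11 E0 A1 B1 1A E1. The sample attachments and their file names are constructed in memory for the demonstration.

```python
"""Triage of Office e-mail attachments for embedded VBA macros.

Added example, not code from the page's author or from the threat. Assumptions:
OOXML files are ZIP containers whose VBA code lives in a vbaProject.bin part;
legacy .doc/.xls files start with the OLE2 magic bytes. Samples are constructed.
"""
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy binary Office container


def ooxml_parts(data: bytes):
    """Return the part names of a ZIP-based Office document, or None if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML container carries a VBA macro part (e.g. word/vbaProject.bin)."""
    parts = ooxml_parts(data)
    if parts is None:
        return False
    return any(name.lower().endswith("vbaproject.bin") for name in parts)


def triage_attachment(data: bytes) -> str:
    """Classify an attachment as 'macro', 'ole-legacy', 'clean' or 'unknown'."""
    if has_vba_project(data):
        return "macro"        # OOXML with embedded VBA: quarantine or detonate in a sandbox
    if data.startswith(OLE2_MAGIC):
        return "ole-legacy"   # binary .doc/.xls: macros need OLE stream parsing (e.g. oletools)
    if ooxml_parts(data) is not None:
        return "clean"        # OOXML container without any VBA part
    return "unknown"          # not an Office container at all


def make_ooxml(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML-like container (placeholder parts only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder, not real VBA
    return buf.getvalue()


# Constructed sample attachments; names are illustrative only.
SAMPLE_ATTACHMENTS = {
    "invoice.docm": make_ooxml(with_macro=True),
    "contract.docx": make_ooxml(with_macro=False),
    "old-report.doc": OLE2_MAGIC + b"\x00" * 64,
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}


def triage_all(attachments=None) -> dict:
    """Run the triage over a mapping of filename -> bytes and return the verdicts."""
    attachments = SAMPLE_ATTACHMENTS if attachments is None else attachments
    return {name: triage_attachment(data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name}: {verdict}")
```

A 'macro' verdict is a strong reason to hold the message for review; an 'ole-legacy' verdict only says the file could carry macros, since the binary format needs a dedicated OLE parser to confirm it.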
The FORMA Ransomware marks each affected file with the file extension '.locked,' which is appended to the file's name. After making the victim's files inaccessible, the FORMA Ransomware delivers a ransom note in the form of a text file written in Polish, named 'ODSZYFRFUJ_PLIKI_TERAZ.txt' (DECRYPT_FILES_NOW.txt). The FORMA Ransomware's ransom note displays the following text, which translated into English reads:
'ATTENTION !I! ALL YOUR FILES WERE CALLED WITH AN ENCRYPTION KEY! RECOVERY OF FILES IS POSSIBLE ONLY WITH THE AID OF A DECRYPTION KEY. NOTHING LOST, BY THE NEXT 48h, WE HAVE YOUR KEY THAT IS TRANSFERRED TO OUR SERVER! CONTACT US ON EMAIL: deszyfrujacy@yandex.com
TO RECOVER ACCESS TO FILES
ATTENTION! AFTER 48 HOURS FROM FILE ENCRYPTION, YOUR DECRYPTION KEY IS AUTOMATICALLY DELETED FROM OUR SERVER AND THE RECOVERY OF FILES IS NOT POSSIBLE. IN NO EVENT, DO NOT POWER OFF THE COMPUTER OR A DECRYPTION PROGRAM - IT MAY CAUSE A LOSS OF DATA. WE GUARANTEE THE RECOVERY OF ALL FILES!'
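The two host-side artifacts the page gives, the '.locked' extension on encrypted files and the ransom note ODSZYFRFUJ_PLIKI_TERAZ.txt, are enough to sweep a machine or a file share for signs of this infection. The script below is an added example for this page, not EnigmaSoft's or SpyHunter's detection logic. The entropy threshold of 7.5 bits per byte (used to confirm that a '.locked' file really holds ciphertext rather than a renamed plaintext), the sample directory tree and the file contents are all constructed here for the demonstration.

```python
"""Host sweep for FORMA Ransomware post-encryption artifacts.

Added example, not the page's or any vendor's code. Indicators taken from the
page: '.locked' extension on encrypted files and the ransom note name
ODSZYFRFUJ_PLIKI_TERAZ.txt. The entropy threshold and the sample tree are assumptions.
"""
import math
import os
import tempfile
from collections import Counter

LOCKED_EXT = ".locked"
RANSOM_NOTE = "ODSZYFRFUJ_PLIKI_TERAZ.txt"
ENTROPY_THRESHOLD = 7.5  # assumed: AES ciphertext measures close to 8 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_size: int = 4096) -> dict:
    """Walk `root` and collect ransom notes, '.locked' files and high-entropy files.

    Paths are returned relative to `root` with '/' separators, sorted, so the
    result is stable across platforms.
    """
    findings = {"locked_files": [], "ransom_notes": [], "high_entropy": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name == RANSOM_NOTE:
                findings["ransom_notes"].append(rel)
                continue
            if name.lower().endswith(LOCKED_EXT):
                findings["locked_files"].append(rel)
            with open(path, "rb") as fh:
                head = fh.read(sample_size)
            # Short files give unreliable entropy estimates, so skip anything under 256 bytes.
            if len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["high_entropy"].append(rel)
    for key in findings:
        findings[key].sort()
    return findings


def build_sample_tree() -> str:
    """Create a constructed directory tree that mimics a post-infection user profile."""
    root = tempfile.mkdtemp(prefix="forma_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # bytes(range(256)) * 8 is a deterministic stand-in for ciphertext (entropy exactly 8.0).
    ciphertext_like = bytes(range(256)) * 8
    for name in ("report.docx" + LOCKED_EXT, "photo.jpg" + LOCKED_EXT):
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(ciphertext_like)
    with open(os.path.join(docs, RANSOM_NOTE), "w", encoding="utf-8") as fh:
        fh.write("constructed placeholder, not the real note text\n")
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(b"plain text " * 100)  # untouched low-entropy file
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, paths in result.items():
        print(f"{key}: {paths}")
```

On a real host, run the sweep over user profile and share roots; a ransom note hit or a cluster of '.locked' files that also score high on entropy is a reliable trigger to isolate the machine and start restoring from backups.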
Dealing with the FORMA Ransomware Infection
Security experts strongly advise computer users to refrain from paying the FORMA Ransomware ransom or contacting the criminals responsible for the FORMA Ransomware attack. Instead, computer users should restore any files lost to the FORMA Ransomware infection from backups. FORMA Ransomware infections should be handled by a trustworthy security program, which will remove this threat if it has been installed on your computer.