FreeFoam Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 80 % (High)
Infected Computers: 15
First Seen: July 31, 2017
Last Seen: September 2, 2022
OS(es) Affected: Windows

The FreeFoam Ransomware is an encryption ransomware Trojan that was first observed on July 27, 2017. It is mainly being used to target Russian speakers in Russia, Ukraine, Belarus, and other neighboring countries. The FreeFoam Ransomware is based on HiddenTear, an open source ransomware platform that has been around since August 2015. It is not currently known who is responsible for the current wave of FreeFoam Ransomware attacks. The most common delivery method is spam email carrying macro-enabled document attachments, sent to computer users in Russia and the other targeted countries. These spam email messages are disguised as messages related to Vkontakte, the most popular social network in the region.

How this Unwanted Free Foam Affects Your Files

The FreeFoam Ransomware uses an attack method that is typical of these infections and identical to countless others. Using a double encryption method that combines the AES and RSA encryptions, the FreeFoam Ransomware will make the victim's files inaccessible. The FreeFoam Ransomware communicates with Command and Control servers that are on the Dark Web, using the TOR browser. The files encrypted in the FreeFoam Ransomware attack can be identified by the file extension '.freefoam,' which is added to the end of each affected file's name. During its attack, the FreeFoam Ransomware will target a wide variety of file types, including files with the following extensions:

.3gp, .7z, .apk, .avi, .bmp, .cdr, .cer, .chm, .conf, .css, .csv, .dat, .db, .dbf, .djvu, .dbx, .docm, .doc, .epub, .docx, .fb2, .flv, .gif, .gz, .iso, .ibooks, .jpeg, .jpg, .key, .mdb, .md2, .mdf, .mht, .mobi, .mhtm, .mkv, .mov, .mp3, .mp4, .mpg, .mpeg, .pict, .pdf, .pps, .pkg, .png, .ppt, .pptx, .ppsx, .psd, .rar, .rtf, .scr, .swf, .sav, .tiff, .tif, .tbl, .torrent, .txt, .vsd, .wmv, .xls, .xlsx, .xps, .xml, .ckp, .zip, .java, .py, .asm, .c, .cpp, .cs, .js, .php, .dacpac, .rbw, .rb, .mrg, .dcx, .db3, .sql, .sqlite3, .sqlite, .sqlitedb, .psd, .psp, .pdb, .dxf, .dwg, .drw, .casb, .ccp, .cal, .cmx, .cr2.

Apart from encrypting the victims' files, the FreeFoam Ransomware will also delete the Shadow Volume Copies of the affected files, which could occasionally be used to recover files encrypted in the attack.

The FreeFoam Ransomware and Its Demanded Ransom Payment

After encrypting the victim's files, the FreeFoam Ransomware will deliver a ransom note in a text file named 'MESSAGE.txt,' which is dropped on the infected computer. This ransom note is written in Russian and demands that the victim purchase a decryption program by communicating with the FreeFoam Ransomware's creators via email. The following is an English translation of the ransom note used by the FreeFoam Ransomware in its attack:

'You can ask for the cost of the decryption by writing a letter to the address: freefoam@protonmail.com
In the subject of the letter, write your ID: [RANDOM DIGITS]
Letters without an ID are ignored.
Please do not try to decrypt files with third-party tools.
You can ruin them completely and even the original decryptor will not help.
You can buy the decrypt by [DATE]
Submissions are processed by an automated system.'

Because the FreeFoam Ransomware uses Protonmail and the TOR network in its implementation, the people responsible for the FreeFoam Ransomware are able to remain anonymous, making it very difficult for malware researchers to track down the FreeFoam Ransomware's creators and bring them to justice.

Dealing with the FreeFoam Ransomware

Paying the FreeFoam Ransomware ransom or communicating with the people responsible for the FreeFoam Ransomware isn't a recommended course of action. These con artists will very rarely keep their promise to provide the decryption key and often target the victim for additional attacks. Instead, it is necessary to have file backups on an external memory device to recover easily from the FreeFoam Ransomware. File backups give computer users a way to recover from these infections, removing any leverage the con artists have over the victim that would allow them to demand a ransom payment.
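
When scoping an infection before restoring from backup, the file indicators described above (the '.freefoam' extension and a 'MESSAGE.txt' note quoting the contact address) can be swept for on a mounted volume. The following is an added example, not part of the original article; the function names are hypothetical, and it assumes the note may be saved as either UTF-8 or UTF-16.

```python
import os
from collections import Counter

ENCRYPTED_EXT = ".freefoam"            # extension named in the article
NOTE_NAME = "message.txt"              # ransom note name, compared case-insensitively
CONTACT = b"freefoam@protonmail.com"   # address quoted in the ransom note


def note_matches(path, max_bytes=65536):
    """Return True if the file at path contains the contact address.

    Assumption: the note's encoding is unknown, so NUL bytes are dropped
    first; the ASCII address then matches in UTF-8 and UTF-16 files alike.
    """
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
    except OSError:
        return False                   # unreadable file: cannot confirm
    return CONTACT in data.replace(b"\x00", b"").lower()


def sweep(root):
    """Walk root; return (encrypted-file count per directory, confirmed notes)."""
    encrypted = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            lower = name.lower()
            full = os.path.join(dirpath, name)
            if lower.endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif lower == NOTE_NAME and note_matches(full):
                notes.append(full)     # a bare MESSAGE.txt is not enough
    return encrypted, sorted(notes)


if __name__ == "__main__":
    import sys
    hits, found = sweep(sys.argv[1] if len(sys.argv) > 1 else ".")
    for directory, count in hits.most_common():
        print(f"{count:6d}  {directory}")
    for note in found:
        print(f"  note  {note}")
```

The per-directory counts show which folders need restoring from backup, and a confirmed note separates a FreeFoam hit from an unrelated file that merely shares the name.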
