FRM Ransomware

The FRM Ransomware is a strain of the Dharma Ransomware family. The FRMRansomware encrypts files like documents, images, and video, and appends the '[hitsbtc@tuta(dot)io](dot)FRM' extension to their names. The encryption makes the files inaccessible to the victim. The FRM Ransomware demands the victim to pay a ransom in Bitcoin cryptocurrency, with the promise of access to the encrypted data.

After infecting a PC, the FRM Ransomware scans the machine for the aforementioned images, videos, and documents such as .doc, .docx, .xls, .pdf, etc. All files matching the criteria are encrypted and have their extensions changed to '.[hitsbtc@tuta(dot)io](dot)FRM.' Once the FRM Ransomware has encrypted the data on the victim’s computer, the FRM Ransomware creates and displays a 'FILES ENCRYPTED.txt' text file, which serves as a ransom note. It contains instructions on how to contact the FRM Ransomware operators. The cybercriminals demand a payment of $500 or more in Bitcoin and provide an email address for contact.

This is the FRM ransomware ransom note:

'YOUR FILES ARE ENCRYPTED

Don’t worry,you can return all your files!

If you want to restore them, follow this link email: hitsbtc@tuta(dot)io

If you have not been answered via the link within 12 hours, write to us by e-mail: hitsbtc@tuta(dot)io

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

When this post was written, there was no way to decrypt the files encrypted by the FRM Ransomware. However, it is advisable to make copies of the encrypted data or store it somehow, in case a decryption method is released in the future.