FRS Ransomware

By GoldSparrow in Ransomware

The FRS Ransomware is an encryption ransomware Trojan that is used to trick computer users into paying a ransom after taking their files hostage. However, the FRS Ransomware only pretends to carry out an encryption attack on the victim's computer and does not support encryption mechanisms. The FRS Ransomware simply renames the victims' files, pretending to carry out an attack that is associated with more harmful threats.

The FRS Ransomware Trojan and Similar Encryption Ransomware Trojans

Encryption ransomware Trojans are designed to use a strong encryption algorithm to make the victims' files inaccessible. Using strong encryption, these threats can take the victims' files hostage, preventing the victims from accessing the affected files until they pay a ransom. PC security researchers have noted that the FRS Ransomware pretends to do this but does not alter the contents of the affected files, limiting its attack to simply renaming the files.

How the FRS Ransomware Trojan Works

The FRS Ransomware is quite simple and seems to be little more than a batch script. The FRS Ransomware will rename the victim's files and create a text file named 'READ_ME_HELP.txt' on the infected computer's desktop, along with a PNG file with the same name in the same location. PC security researchers have noted that the FRS Ransomware is typically delivered through spam email attachments, commonly as a script embedded in Microsoft Word documents, or through fake software updates distributed on shady Web pages.

It seems that the FRS Ransomware was initially a batch script that was converted into an executable program using the Quick Batch File Compiler. The FRS Ransomware receives its name because it adds the file extension '.FRS' to the end of each affected file's name. Once a file has been renamed, Windows will not open it because it will not recognize which tool should be used to open that file type. However, the contents of the file are not changed, only its name. Computer users only need to rename the affected file with the correct extension to recover access to it. This is different from real encryption ransomware Trojans, which encrypt the files' data (in addition to renaming them), meaning that the file will be lost permanently unless one has access to the decryption key or software necessary to restore access to that file's data. The FRS Ransomware attempts to trick computer users into believing that it has carried out this kind of attack, which is substantially more difficult to pull off.

The Threatening Attack Executed by the FRS Ransomware

The FRS Ransomware will rename the files contained in the following directories:

C:\Users\%USERNAME%\Desktop\
C:\Users\%USERNAME%\Saved Games\
C:\Users\%USERNAME%\Links\
C:\Users\%USERNAME%\Favorites\
C:\Users\%USERNAME%\Searches\
C:\Users\%USERNAME%\Videos\
C:\Users\%USERNAME%\Pictures\

After renaming the victim's files, the FRS Ransomware will drop the enciphered files in a folder named 'FRSRANSOMWARE' on the main system drive of the affected computer. The FRS Ransomware's ransom note contains an image of the Chinese flag. The following files have been linked to the FRS Ransomware attack:

C:\Users\FIFCOM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FRS.exe
C:\FRSRAMSOMWARE\Chinese_national_flag.png
C:\FRSRAMSOMWARE\READ_ME_HELP_ME.txt
C:\FRSRAMSOMWARE\READ_ME_HELP_ME.png
C:\FRSRAMSOMWARE\FRS_Decryptor.exe

The message contained in the FRS Ransomware's ransom note should be ignored. There is no reason to believe that the data was lost completely, and the people responsible for these attacks demand ransom payments ranging from 200 to 600 USD to be paid in Bitcoin. Although it is tedious, computer users can restore access to their files by renaming them so that they recover their original file extensions. Computer users can also make use of backup methods, such as restoring the affected files from backup copies stored in the cloud or on an external device. This, combined with a security program and safe handling of spam email messages and the other distribution vectors for this threat, can help computer users recover from the FRS Ransomware attack.
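
The renaming recovery described above can be scripted instead of done by hand. The following Python script is an added example, not part of the original article or of any vendor tool. It assumes '.FRS' was appended to the full original name (for example, photo.jpg.FRS) and uses a small constructed table of file signatures to skip any file whose contents do not match its original extension, since such a file may have been altered by a different threat.

```python
from pathlib import Path

SUFFIX = ".FRS"  # extension the article says is appended to each renamed file

# Constructed table of leading "magic" bytes for a few common formats (assumption).
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",
}

def content_status(path, original_ext):
    """Return 'intact', 'mismatch' or 'unknown' by checking the file signature."""
    magic = MAGIC.get(original_ext.lower())
    if magic is None:
        return "unknown"  # no signature on record; cannot judge the contents
    with open(path, "rb") as fh:
        return "intact" if fh.read(len(magic)) == magic else "mismatch"

def restore_tree(root, dry_run=True):
    """Strip the appended suffix under root; return (source, target, action) rows."""
    results = []
    for src in sorted(Path(root).rglob("*")):
        if not src.is_file() or src.suffix.upper() != SUFFIX:
            continue
        dst = src.with_suffix("")  # photo.jpg.FRS -> photo.jpg
        if dst.exists():
            action = "skipped-collision"  # never overwrite an existing file
        elif content_status(src, dst.suffix) == "mismatch":
            action = "skipped-mismatch"  # contents look altered; inspect by hand
        elif dry_run:
            action = "would-rename"
        else:
            src.rename(dst)
            action = "renamed"
        results.append((src.name, dst.name, action))
    return results

if __name__ == "__main__":
    import sys
    # Dry run only: prints the planned renames for the given folder.
    for row in restore_tree(sys.argv[1] if len(sys.argv) > 1 else ".", dry_run=True):
        print(*row, sep="\t")
```

Run it in dry-run mode first against a copy of one affected folder, and call restore_tree(folder, dry_run=False) only after reviewing the planned renames.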
