FUCKMEDADDY Ransomware

FUCKMEDADDY Ransomware Description

The FUCKMEDADDY Ransomware is a data encryption threat that is packed as a Trojan. The payload is propagated via spam emails that invite users to open a corrupted Microsoft Word document. The document includes a macro script that instructs Windows to connect to a remote server and download an encrypted package. The encrypted object is loaded into system memory, where it is decrypted and launched without leaving many traces on the local disks. The FUCKMEDADDY Ransomware Trojan is classified as a generic file encoder that resembles many other threats of the same class, such as the Jaff Ransomware and the Retis Ransomware. Judging by the reports received in the second week of January 2018, the FUCKMEDADDY Ransomware is aimed at Polish-speaking users. The threat is also known to use the name DUPA Ransomware when it loads the ransom note.

The FUCKMEDADDY Ransomware is programmed to encipher user-generated content with a custom AES-256 encryption algorithm, making the data unreadable. Affected users may notice that file names and icons are changed as well. The name used widely by cybersecurity experts is derived from the fact that the Trojan adds the '.FUCKMEDADDY' extension to file names and opens a program window titled 'FUCKMEDADDY.' For example, the enciphered version of 'Pieskowa Skała.pptx' is renamed to 'Pieskowa Skała.pptx.FUCKMEDADDY', lacks a thumbnail, and Windows Explorer may show a generic white icon for the file. The threat also disables the System Recovery feature in Windows and deletes the Shadow Volume snapshots. That leaves users with limited recovery options, so a backup repository created with third-party tools is needed. Lab tests showed that the creators of the FUCKMEDADDY Ransomware demand an absurd payment of 100,000,000 USD worth of Bitcoin, which amounts to ≈6570 BTC. As mentioned above, the ransom alert is displayed as a program window that includes the image of a naked woman, a twenty-four-hour timer and a Bitcoin wallet address. The text shown to users reads (translated version):
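The two host-side behaviours described above, the rename to '.FUCKMEDADDY' and the removal of Shadow Volume snapshots, are what endpoint telemetry can catch early. The following triage helper is an added example, not code from the write-up or from any vendor: it walks constructed rename and process events (in time order), recovers the pre-encryption paths, flags a burst of such renames inside a sliding window, and records snapshot deletion. The log format, the burst threshold and the assumption that snapshots are removed with the usual vssadmin invocation are mine; the page does not state how the deletion is done.

```python
from collections import deque
from datetime import datetime, timedelta

EXT = ".FUCKMEDADDY"  # extension the Trojan appends to every file it encrypts
# Assumed, not stated in the write-up: snapshots removed with the usual vssadmin call.
SHADOW_MARKERS = ("vssadmin", "delete shadows")

# Constructed sample telemetry in time order, not real captured data: (ISO timestamp,
# kind, detail). A "rename" detail is "old -> new"; a "process" detail is a command line.
SAMPLE_EVENTS = [
    ("2018-01-10T09:00:04", "process", "vssadmin.exe Delete Shadows /All /Quiet"),
    ("2018-01-10T09:00:05", "rename", r"C:\Users\ania\Documents\Pieskowa Skała.pptx -> C:\Users\ania\Documents\Pieskowa Skała.pptx.FUCKMEDADDY"),
    ("2018-01-10T09:00:05", "rename", r"C:\Users\ania\Documents\budzet.xlsx -> C:\Users\ania\Documents\budzet.xlsx.FUCKMEDADDY"),
    ("2018-01-10T09:00:06", "rename", r"C:\Users\ania\Pictures\urlop.jpg -> C:\Users\ania\Pictures\urlop.jpg.FUCKMEDADDY"),
    ("2018-01-10T09:00:07", "rename", r"C:\Users\ania\Desktop\notatki.txt -> C:\Users\ania\Desktop\notatki.txt.FUCKMEDADDY"),
    ("2018-01-10T09:00:07", "rename", r"C:\Users\ania\Desktop\umowa.docx -> C:\Users\ania\Desktop\umowa.docx.FUCKMEDADDY"),
    ("2018-01-10T09:30:00", "rename", r"C:\Users\ania\Desktop\draft.txt -> C:\Users\ania\Desktop\final.txt"),  # ordinary rename
]

def encrypted_original(detail):
    """Pre-encryption path if the rename is 'X -> X.FUCKMEDADDY', else None."""
    old, sep, new = detail.partition(" -> ")
    if not sep or not new.endswith(EXT) or new[:-len(EXT)] != old:
        return None
    return old

def triage(events, window=timedelta(seconds=60), threshold=5):
    """Collect encrypted originals, flag >= threshold such renames within one
    sliding window, and record shadow-copy deletion command lines."""
    encrypted, recent, burst, shadow = [], deque(), False, []
    for ts, kind, detail in events:
        t = datetime.fromisoformat(ts)
        if kind == "process" and all(m in detail.lower() for m in SHADOW_MARKERS):
            shadow.append(detail)
        elif kind == "rename":
            original = encrypted_original(detail)
            if original is None:
                continue
            encrypted.append(original)
            recent.append(t)
            while t - recent[0] > window:  # drop renames older than the window
                recent.popleft()
            if len(recent) >= threshold:
                burst = True
    return {"encrypted": encrypted, "burst": burst, "shadow_copy_deletion": shadow}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The list of originals doubles as the restore scope when recovering from backups, since the Trojan keeps the original name under the appended extension.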

'OOPS! YOUR FILES ARE ENCRYPTED BY DUPA RANSOMWARE !!!
Your documents, photos, videos etc ... And after 72 hours, all your files will be removed permanently !!! But you do not have to worry about it 🙂 it will happen only when you fuck up. Every hour I remove one randomly selected file and delete it permanently !!! I cannot recover such a file even after payment !!! For the first 24 hours you will lose only a few files but the next day a few hundred, the third day there will be several thousand, etc ... If you turn off the computer or try to shut me down it restarts automatically and I delete 1000 files permanently for trying to fuck with me !!! Remember that even the best anti-virus is unable to recover encrypted files! If you have any questions, please contact us via e-mail ransomsupport@2tor.com !!! Payment for decrypting files is only possible in BITCOINS !!! If you do not know how to buy bitcoins, visit www.4coin.pl !!!
Now make a choice !!! pay and recover your files, or say goodbye to them'

Do not contact the FUCKMEDADDY Ransomware operators via 'ransomsupport@2tor.com.' It is recommended to seek help from a computer technician if you are not confident in your cybersecurity skills. The FUCKMEDADDY Ransomware should be terminated using a trusted anti-malware scanner, and the encrypted data can be recovered using system restore disks, backup images, and archived copies of the lost files. AV engines recognize the FUCKMEDADDY Ransomware and use the following detection names:

  • Artemis!44F42DC610BC
  • Generic.MSIL.Ransomware.Jigsaw.35149BFF
  • Ransom_JigsawLocker.R002C0DA718
  • TR/Ransom.JigsawLocker.dzptg
  • Trojan ( 004e289f1 )
  • Trojan.Generic.bwtbs
  • Trojan.Win32.Generic!BT
  • Win32:Malware-gen
  • malicious_confidence_100% (W)
  • malware (ai score=95)