
FileFrozr Ransomware

Posted: April 3, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: April 3, 2017
OS(es) Affected: Windows

The FileFrozr Ransomware is a Trojan that can encode your files with a cipher so that only the holder of its decryption key can unlock them. Its attacks enable the file-ransoming strategies seen in previous attacks of this type, which one can defeat most easily by backing your files up to a location the Trojan can't encrypt. Competent anti-malware protection also could delete the FileFrozr Ransomware before it finishes encrypting the contents of your hard drive.

A Chilly Spring for Someone's PC

The nature of the Ransomware-as-a-Service industry means that much of the development work on a Trojan is front-loaded by the original threat actor, who passes the final work of distribution off onto others, from whom he profits indefinitely. This model can result in a single Trojan like the FileFrozr Ransomware quickly splitting into numerous variants with subtle modifications made by other people with an interest in encrypting your files for money. At the moment, the FileFrozr Ransomware only appears to be in its self-marketing phase, but malware experts anticipate deployment in the coming weeks of April.

The FileFrozr Ransomware uses a double-layered AES and RSA encryption method of locking the victim's files; an attack that, by now, is archetypal among many file-encrypting threats. It may block over two hundred separate formats of data (based on their extensions, such as '.DOC' or '.TXT'). While its author claims to be working on adding other features, malware analysts can only confirm the following ones in current releases of the FileFrozr Ransomware:

  • The FileFrozr Ransomware uses original code not affiliated with past families of threats to better disguise itself from anti-malware databases. Additional, server-side code obfuscation also is available.
  • The Trojan also includes a built-in Bitcoin panel for receiving payments from its victims without requiring the threat actor acting as admin to set up an independent server. As usual, the author opts to use the TOR browser's anonymity features to protect the Website.
  • The FileFrozr Ransomware includes multi-threading features to use different processors, depending on the phase of operation.
  • The original author also claims that the FileFrozr Ransomware can evade detection by current versions of some specific brands of anti-malware products.

Thawing Your Files out of an Icy Situation

Currently, the FileFrozr Ransomware requires Internet connectivity to finish its payload. However, its author is announcing his intention to update the Trojan with an offline version, along with such potential features as text-to-speech, new encryption ciphers, and a Windows UAC bypassing exploit. Even if he fails to honor his word on these promises, the version of the FileFrozr Ransomware that malware experts are seeing is a fully-functioning threat, capable of encrypting various data types on your PC permanently.

The FileFrozr Ransomware's author sells this product to other people who may distribute it in whatever fashion they prefer. While not all of its possible infection vectors are predictable, malware experts often find attacks of this type exploiting spam e-mails, Remote Desktop settings, and passwords protected inadequately. In other cases, other threats, like the RIG Exploit Kit, could install the FileFrozr Ransomware without your consent after your browser loads a hacked Website.

Removing the FileFrozr Ransomware and other Trojans like it, while essential to regaining a baseline of security on your PC, does nothing to undo any of its encryption attacks. Continue maintaining your backup strategies to keep variants of this threat from profiting off of your files in the coldest of ways.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 294.54 KB (294540 bytes)
MD5: 25abae5e16daf9795952e0195f7c7f7b
Detection count: 22
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 10, 2017
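One way to turn the file indicator above (name, size and MD5) into a quick host check is an added example, not code from the original page or from any anti-malware vendor: it walks a directory tree, pre-filters by the listed file size so that only candidates get hashed, and reports any file whose MD5 matches. The FILEFROZR_IOCS entry carries the values from the Technical Details section; the demo_scan helper, its temporary directory and its "hello" sample are constructed here for illustration and are not related to the real sample.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class FileIoc:
    """A file-based indicator: hash plus size (size is a cheap pre-filter)."""
    md5: str
    size: int
    note: str


# Indicator values copied from this page's Technical Details section.
FILEFROZR_IOCS = (
    FileIoc(
        md5="25abae5e16daf9795952e0195f7c7f7b",
        size=294540,
        note="FileFrozr Ransomware executable (file.exe)",
    ),
)


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, iocs: Iterable[FileIoc] = FILEFROZR_IOCS) -> List[Tuple[str, FileIoc]]:
    """Return (path, indicator) pairs for every file under root matching an indicator.

    Files whose size is not in the indicator list are skipped before hashing,
    which keeps the scan cheap on large trees. Unreadable files are ignored.
    """
    iocs = tuple(iocs)
    sizes = {ioc.size for ioc in iocs}
    by_md5 = {ioc.md5.lower(): ioc for ioc in iocs}
    hits: List[Tuple[str, FileIoc]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                size = path.stat().st_size
            except OSError:
                continue  # broken symlink or permission problem: skip
            if size not in sizes:
                continue  # size pre-filter: no need to hash this file
            try:
                digest = md5_of_file(path)
            except OSError:
                continue
            ioc = by_md5.get(digest)
            if ioc is not None:
                hits.append((str(path), ioc))
    return hits


def demo_scan() -> List[Tuple[str, FileIoc]]:
    """Constructed demonstration: a 5-byte file whose MD5 is known, matched
    against a constructed indicator. Returns the scan hits for that file."""
    constructed = FileIoc(
        md5="5d41402abc4b2a76b9719d911017c592",  # MD5 of b"hello"
        size=5,
        note="constructed test indicator, not a real sample",
    )
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "sample.bin").write_bytes(b"hello")
        return scan_directory(tmp, iocs=(constructed,))


if __name__ == "__main__":
    # Usage: python scan_ioc.py <directory>   (defaults to the current directory)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for hit_path, hit_ioc in scan_directory(target):
        print(f"MATCH {hit_path}: {hit_ioc.note} (MD5 {hit_ioc.md5})")
```

A hash match only identifies the exact build listed here; as the article notes, a Ransomware-as-a-Service Trojan tends to split into variants, and any rebuilt or repacked sample will have a different size and MD5, so a check like this complements rather than replaces a signature-based anti-malware product.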