
'decryptFox@protonmail.com' Ransomware

Posted: October 9, 2018

The 'decryptFox@protonmail.com' Ransomware is a file-locking Trojan that may encrypt the pictures, documents, and other media on your computer to keep you from opening them. Its attacks include overwriting the names and extensions of all of these files, as well as displaying ransom notes and pop-ups. Victims of infections should avoid paying the ransom for a potentially unworkable or fictitious decryption service, have a dedicated anti-malware product uninstall the 'decryptFox@protonmail.com' Ransomware, and recover their files through backups.

The Hostages' Identities are Anyone's Guess

File-locker Trojans are often identifiable by nothing more than the cosmetic symptoms that they create incidentally alongside their more meaningful attacks, such as encrypting media to prevent it from opening. A new version of such a threat, however, is employing behavior that's not in line with any of the old families that malware experts are familiar with, such as Hidden Tear, the Jigsaw Ransomware or any of the Ransomware-as-a-Service businesses. Nevertheless, the 'decryptFox@protonmail.com' Ransomware is after the same thing as almost every other file-locker Trojan: a ransom.

Attacks by the 'decryptFox@protonmail.com' Ransomware against Windows users go back no farther than the eighth of October. The infection vectors are not yet known, but probably involve either e-mail or brute-force-based attacks. The method by which the 'decryptFox@protonmail.com' Ransomware blocks the files on its victims' PCs is similarly unidentified, although a variant of the AES or RSA encryptions is extremely likely. While doing so, it also displays different symptoms for which malware experts find only tentative analogs in old, unrelated threats.

The 'decryptFox@protonmail.com' Ransomware completely removes the filename and replaces it with a series of semi-random hexadecimal characters, broken up with one dash per two characters (such as '9A-16-16-8D-1D-E1-1D-CF'), and also adds the '.encr' extension to the end. While malware researchers do know of file-locker Trojans with similar format tags, like the LazagneCrypt Ransomware, and a variety of threats that use hexadecimal values, like the Phobos Ransomware or the CryptConsole Ransomware, none of them use the same overall pattern as the 'decryptFox@protonmail.com' Ransomware. Although this renaming feature isn't the cause of the files being non-openable, it does interfere with the user's ability to identify what content the Trojan is keeping captive.
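The renaming pattern described above can be used to scope which folders were hit before restoring from backup. The following is an added example, not code from this article or from any vendor tool; it assumes the input is a plain file listing (for instance, saved output of `dir /s /b`), that a renamed file has two or more hex pairs, and that either letter case may occur. The sample paths are constructed.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pattern from the article: hex pairs separated by dashes, then '.encr'.
# Assumption: two or more pairs, either letter case. The article shows
# a single sample with eight pairs, so the real length may be fixed.
RENAMED = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2})+\.encr$", re.IGNORECASE)


def is_renamed(path: str) -> bool:
    """True if the file name (not the folder) fits the renaming pattern."""
    return bool(RENAMED.match(PureWindowsPath(path).name))


def scope_by_folder(paths):
    """Return {folder: (matching_files, total_files)} for affected folders."""
    total, hits = Counter(), Counter()
    for p in paths:
        folder = str(PureWindowsPath(p).parent)
        total[folder] += 1
        if is_renamed(p):
            hits[folder] += 1
    return {folder: (hits[folder], total[folder]) for folder in hits}


# Constructed sample listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\alice\Documents\9A-16-16-8D-1D-E1-1D-CF.encr",
    r"C:\Users\alice\Documents\4B-02-FF-10-7C-33-A0-5E.encr",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Pictures\holiday.jpg",
    r"C:\Users\alice\Pictures\notes.encr",        # extension only, no hex name
    r"C:\Users\alice\Pictures\9A-16-16-8D.txt",   # hex name, other extension
    r"C:\Users\alice\Pictures\9A-1-16-8D.encr",   # malformed pair
]

if __name__ == "__main__":
    for folder, (n, t) in sorted(scope_by_folder(SAMPLE).items()):
        print(f"{folder}: {n} of {t} files match the renaming pattern")
```

A folder where only some files match suggests encryption was interrupted there, which is worth noting when choosing what to restore.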

Outfoxing the Newest in File-Enslaving Software

Along with graphical UI elements for its encryption warnings and decryptor, the 'decryptFox@protonmail.com' Ransomware also drops a Notepad file with most of the ransoming directions. Malware analysts can't confirm the 'decryptFox@protonmail.com' Ransomware's warning that five failed decryption attempts will cause the file-locker Trojan to delete media. However, users should keep the possibility in mind, and always create copies of any essential, blocked files before testing any form of decryption solution.

Decryptors aren't always available to counteract a file-locker Trojan's impact on any personal files. Users can back their content up to another location, such as protected, network-based storage or detachable devices, all but guaranteeing that a file-locker Trojan can't inflict any permanent harm. Dedicated anti-malware products also include features for identifying and removing the 'decryptFox@protonmail.com' Ransomware, and threats like it, either during the installation exploit or after the fact.

The 'decryptFox@protonmail.com' Ransomware's wiping out of all naming conventions may be an effort to keep the value of its extortionist offer questionable to the victim. However, sufficiently prepared Windows users shouldn't be in a position to need their files decrypted in the first place.
