
FakeCry Ransomware

Posted: July 7, 2017

The FakeCry Ransomware is a Trojan that imitates the family of the '.wcry File Extension' Ransomware while locking your files for ransom money. Although visually similar to that family, the FakeCry Ransomware is a new threat that uses different encryption methods and requires a different decryption solution for unlocking any data. Use anti-malware products for blocking and deleting the FakeCry Ransomware, and keep non-local backups so that your media stays out of reach of an encryption attack.

Doubling Up on Ransom Deliveries for Twice the Profit

While the hijacking of the Medoc finance software's update channel is highly relevant to the now-notorious case of the Petya 2017 Ransomware, the same infiltration method also appears to be in use by a separate threat campaign. Whether the threat actors in question are connected to the Petya 2017 Ransomware or simply have access to the same resources, they also hold the victim's files for ransom payments. This second threat, the FakeCry Ransomware, is both less destructive and cheaper than the Petya 2017 Ransomware, although it still threatens any media that isn't backed up.

The FakeCry Ransomware earns its name by imitating the visual cues of the '.wcry File Extension' Ransomware, but internally it is an independent program. The features that malware analysts find most worth noting in this Trojan include:

  • The FakeCry Ransomware is modular and consists of an executable that 'drops' the encryption component onto the infected PC.
  • The FakeCry Ransomware supports encryption with configurable AES and RSA combinations, using the resulting algorithm to block files such as DOC, MP3, ZIP, ISO and dozens of others.
  • Very unusually, the FakeCry Ransomware also separates image-based files from other formats and may offer a working, free decryption 'trial' for any pictures. This particular function is one malware analysts haven't found in other file-encoding campaigns, and it apparently exists to motivate paying to unlock more valuable data.
  • The Trojan may gain access to normally protected files by automatically terminating any running process.
  • The FakeCry Ransomware's last feature (and its largest symptom) is the HTA pop-up window it generates in a format imitating the '.wcry File Extension' Ransomware. All of the usual features, such as a wallet address bar and buttons for checking ransoms or decrypting your media afterward, are present.

Stopping Real Tears over the FakeCry Ransomware

While hijacked Ukrainian software updates are, to date, the greatest culprit in the FakeCry Ransomware's attacks, its threat actors could use other means of compromising future victims, such as attaching the dropper to spam e-mail messages or phishing for server logins. Because the FakeCry Ransomware deletes local backups, files can only be considered safe when backed up to a device that is not at risk, such as a detached USB drive. Business sector entities should remain attentive to the most exploited infection vectors, which include forged messages and links to websites that host exploit kits.
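The behaviours listed above (a dropper that launches the encryption component, termination of running processes, an HTA ransom window, and deletion of local backups) each leave traces in process-creation telemetry that a defender can alert on. The following is an added example, not code from the original article or from any vendor: it scans constructed, Sysmon-style process-creation records and reports which hosts show several of those behaviours together. The concrete command lines it looks for (vssadmin, wmic or wbadmin for backup removal, mshta.exe for the HTA note, taskkill for process termination, execution from a Temp folder for the dropped component) are this example's assumptions about how such features are typically implemented, not details the article states about FakeCry, and the log format and paths are made up for the demonstration.

```python
"""Flag FakeCry-like behaviour chains in process-creation logs.

Added example (not from the article). Record format is a constructed,
pipe-delimited simplification of Sysmon Event ID 1:
    time|host|parent_image|image|command_line
The command-line patterns below are assumptions about typical
implementations of the features the article describes, not indicators
taken from the FakeCry sample itself.
"""
import re
from collections import Counter, defaultdict

RULES = {
    # Article: "deletes local backups" -> assumed shadow-copy/catalog removal
    "shadow_copy_deletion": re.compile(
        r"(vssadmin(\.exe)?\s+delete\s+shadows"
        r"|wmic(\.exe)?\s+shadowcopy\s+delete"
        r"|wbadmin(\.exe)?\s+delete\s+catalog)", re.IGNORECASE),
    # Article: HTA pop-up ransom note -> assumed launch through mshta.exe
    "hta_ransom_note": re.compile(r"mshta(\.exe)?\s+.*\.hta\b", re.IGNORECASE),
    # Article: terminates running processes -> assumed forced taskkill
    "process_kill": re.compile(r"taskkill(\.exe)?\s+.*(/f|/im)", re.IGNORECASE),
}
# Article: dropper writes the encryption component -> assumed Temp-folder launch
TEMP_EXEC = re.compile(r"\\(temp|tmp)\\[^\\]+\.exe$", re.IGNORECASE)
KILL_THRESHOLD = 3  # forced kills from one parent before calling it "mass"

# Constructed sample telemetry: WS01 shows the full chain, WS02 shows
# benign uses of the same tools that must not trip the combined verdict.
SAMPLE_LOG = r"""
2017-07-07T10:00:01|WS01|C:\Windows\explorer.exe|C:\Program Files\Accounting\updater.exe|updater.exe --check
2017-07-07T10:00:03|WS01|C:\Program Files\Accounting\updater.exe|C:\Users\jane\AppData\Local\Temp\svc.exe|svc.exe
2017-07-07T10:00:05|WS01|C:\Users\jane\AppData\Local\Temp\svc.exe|C:\Windows\System32\taskkill.exe|taskkill /F /IM winword.exe
2017-07-07T10:00:05|WS01|C:\Users\jane\AppData\Local\Temp\svc.exe|C:\Windows\System32\taskkill.exe|taskkill /F /IM excel.exe
2017-07-07T10:00:06|WS01|C:\Users\jane\AppData\Local\Temp\svc.exe|C:\Windows\System32\taskkill.exe|taskkill /F /IM outlook.exe
2017-07-07T10:00:08|WS01|C:\Users\jane\AppData\Local\Temp\svc.exe|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2017-07-07T10:01:30|WS01|C:\Users\jane\AppData\Local\Temp\svc.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\Users\jane\AppData\Local\Temp\note.hta
2017-07-07T10:02:00|WS02|C:\Windows\explorer.exe|C:\Windows\System32\taskkill.exe|taskkill /F /IM notepad.exe
2017-07-07T10:03:00|WS02|C:\Windows\explorer.exe|C:\Windows\System32\mshta.exe|mshta.exe C:\intranet\dashboard.hta
"""


def parse_line(line):
    """Split one record into its fields; return None for blank/malformed lines."""
    parts = line.split("|", 4)
    if len(parts) != 5:
        return None
    time, host, parent, image, cmdline = parts
    return {"time": time, "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def _finding(rule, ev, line_no):
    return {"rule": rule, "host": ev["host"], "line": line_no,
            "parent": ev["parent"], "cmdline": ev["cmdline"]}


def scan_log(text):
    """Return one finding per matched behaviour, in log order."""
    findings = []
    kills = Counter()  # (host, parent image) -> forced-kill count
    for n, raw in enumerate(text.splitlines(), 1):
        ev = parse_line(raw)
        if ev is None:
            continue
        cmd = ev["cmdline"]
        if RULES["shadow_copy_deletion"].search(cmd):
            findings.append(_finding("shadow_copy_deletion", ev, n))
        if RULES["hta_ransom_note"].search(cmd):
            findings.append(_finding("hta_ransom_note", ev, n))
        if RULES["process_kill"].search(cmd):
            key = (ev["host"], ev["parent"])
            kills[key] += 1
            if kills[key] == KILL_THRESHOLD:  # emit once, when threshold is reached
                findings.append(_finding("mass_process_termination", ev, n))
        if TEMP_EXEC.search(ev["image"]):
            findings.append(_finding("exec_from_temp", ev, n))
    return findings


def hosts_with_ransomware_pattern(findings, min_rules=2):
    """Hosts where at least `min_rules` distinct behaviours co-occur.

    Any single rule fires on legitimate activity (admins run vssadmin,
    intranet tools ship as HTA); requiring a combination cuts that noise.
    """
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['host']} line {f['line']:>2} {f['rule']:<25} {f['cmdline']}")
    print("hosts matching the combined pattern:", hosts_with_ransomware_pattern(hits))
```

Tune `KILL_THRESHOLD` and `min_rules` to your environment; the point of the combined verdict is that WS02's lone taskkill and intranet HTA do not raise an alert, while WS01's Temp-folder executable, three forced kills, shadow-copy deletion and HTA launch from the same parent do.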

The FakeCry Ransomware's ransom is much cheaper than that of the Petya 2017 Ransomware, and its authors ask for only a small fraction of a Bitcoin to unlock your files. However, their continued use of the black market standard of cryptocurrency keeps the victim from obtaining a refund in cases of fraud. Prevention-based strategies, and deleting the FakeCry Ransomware with anti-malware tools before it damages your computer, are both less expensive and more likely to succeed.

Perhaps the most frightening aspect of the FakeCry Ransomware's campaign is that more than one set of con artists seems to be using the same update-hijacking method to compromise the PCs of otherwise difficult-to-access businesses. Thanks to the indiscretions of third parties, even installing business software can open up exploits in your computer that quickly turn into extortion.
