
FLYU Ransomware

Posted: October 6, 2020

The FLYU Ransomware is a file-locking Trojan that holds media such as documents hostage by encrypting them. As a variant from the Dharma Ransomware's Ransomware-as-a-Service, its encryption is presumed secure, and victims will typically need backups to recover. Professional anti-malware utilities should block most infection attempts or remove the FLYU Ransomware after an attack.

Software Flying for Your Files with Encrypting Talons

The data-encrypting business of the Dharma Ransomware family has more variants in store for Windows users this year, the latest being the surprisingly unobfuscated FLYU Ransomware, whose installer is simply named 'payload.' Besides being unusually upfront about its nature in that name, the FLYU Ransomware is quite similar to older members of this family that malware researchers track in threat databases, such as the biashabtc@redchan.it Ransomware, the Aim Ransomware, the Php Ransomware or the LDPR Ransomware. Its campaign also reaffirms a feature that helps this family's attacks: disabling programs that might interfere with the encryption.

The Dharma Ransomware, also known as the Crysis Ransomware family, is exclusive to Windows environments. Most installers, the FLYU Ransomware executable included, are small, at under a megabyte. After installing itself and setting up Registry-based persistence, the FLYU Ransomware encrypts files ranging from documents and images to music, archives and other media. The custom extension that it appends to their names is one of the few symptoms that let users tell the FLYU Ransomware apart from other members of its prolific Ransomware-as-a-Service family.

The FLYU Ransomware also may delete the Shadow Volume Copies and Restore Points that Windows keeps for recovery, and it demonstrates a feature more particular to its family: terminating third-party programs and services that might interfere with its file access. The Windows Media Player's network-sharing service is one such case in point, although it also may stop security features like the Windows Firewall. In any case, our malware experts continue to find few symptoms that would alert users before the encryption finishes locking their files and holding them hostage for the ransom.
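The Registry persistence, backup deletion and service termination described in the two paragraphs above are the kind of pre-encryption activity a defender can hunt for before the locking finishes. The following Python script is an added example, not code from the original article and not anything recovered from a FLYU sample: it runs constructed Sysmon-style process-creation (EventID 1) and registry-write (EventID 13) events through a few precursor rules and lists hosts that show several of them. The command lines, paths and host names are made up, and the specific commands (vssadmin, wmic, net stop, netsh, the Run key) are generic Windows techniques assumed for illustration, not behaviour the article attributes to this variant.

```python
"""Hunt for ransomware precursor activity in Sysmon-style events.

Added example, not code from the original article or from the FLYU Ransomware.
The events below are constructed; the commands and registry paths are the
generic Windows techniques the article describes in outline (Run-key
persistence, Shadow Volume Copy / Restore Point deletion, stopping services
and the firewall), assumed here for illustration.
"""
import json
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like JSON shape (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Users\\victim\\Downloads\\payload.exe",
     "CommandLine": "payload.exe", "Host": "WS01"},
    {"EventID": 13, "Image": "C:\\Users\\victim\\Downloads\\payload.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\payload",
     "Details": "C:\\Users\\victim\\Downloads\\payload.exe", "Host": "WS01"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet", "Host": "WS01"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete", "Host": "WS01"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net stop WMPNetworkSvc /y", "Host": "WS01"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\netsh.exe",
     "CommandLine": "netsh advfirewall set allprofiles state off", "Host": "WS01"},
    # Benign noise on another host that must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows", "Host": "WS02"},
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Vendor\\Settings\\Locale",
     "Details": "en-US", "Host": "WS02"},
]

# Each rule: (name, EventID it applies to, field to inspect, compiled regex).
RULES = [
    ("shadow_copy_deletion", 1, "CommandLine",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("service_stopped", 1, "CommandLine",
     re.compile(r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)),
    ("firewall_disabled", 1, "CommandLine",
     re.compile(r"netsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("run_key_persistence", 13, "TargetObject",
     re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)),
]


def match_rules(event):
    """Return the names of every rule the single event satisfies."""
    hits = []
    for name, event_id, field, pattern in RULES:
        if event.get("EventID") == event_id and pattern.search(event.get(field, "")):
            hits.append(name)
    return hits


def score_hosts(events):
    """Map each host to the sorted set of distinct precursor behaviours seen on it."""
    per_host = defaultdict(set)
    for event in events:
        for name in match_rules(event):
            per_host[event["Host"]].add(name)
    return {host: sorted(hits) for host, hits in per_host.items()}


def hosts_to_isolate(events, threshold=3):
    """Hosts showing at least `threshold` distinct behaviours: persistence plus
    backup destruction plus service or firewall tampering is a strong signal
    that an encryption run is about to start or is under way."""
    return sorted(host for host, hits in score_hosts(events).items()
                  if len(hits) >= threshold)


if __name__ == "__main__":
    print(json.dumps(score_hosts(SAMPLE_EVENTS), indent=2))
    print("isolate:", hosts_to_isolate(SAMPLE_EVENTS))
```

The rules deliberately key on the destructive form of each command (`vssadmin delete shadows`, not `vssadmin list shadows`), because administrators and backup agents legitimately enumerate shadow copies; in a real environment the same rules would be fed from a SIEM query rather than an inline list, and the isolation threshold tuned to the host's baseline.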

Ending the Services that Only Profit Hackers

Ransomware-as-a-Service families like the FLYU Ransomware's can be extensive in their choices of exploits for distribution. Many of the most lucrative targets (enterprise-grade entities) experience e-mail-based attacks and exposure to customized documents carrying malicious macros. Most networks and web servers are also at risk of being brute-forced by threat actors using semi-automated tools to guess weak or common passwords. More randomly, even torrents and fake applications can distribute file-locker Trojans to home users.
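As an added example that is not part of the original article, the following Python script shows a minimal detection for the password brute-forcing mentioned above. It walks constructed Windows-style logon records (event 4625 for a failed logon, 4624 for a successful one; the addresses, account names and times are made up), flags any source that fails more than a threshold number of times inside a sliding window, and reports accounts that later log on from a flagged source, since those are the credentials the attacker guessed.

```python
"""Flag password brute-forcing against an exposed logon service.

Added example, not code from the original article. The records below are
constructed Windows-style logon events (4625 = failed logon, 4624 = successful
logon); the addresses, accounts and timestamps are made up for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# (timestamp, event id, source address, target account), constructed sample.
# 203.0.113.7 hammers several accounts and then gets in as "backup";
# 198.51.100.9 is a user making a couple of ordinary typos.
SAMPLE_LOGONS = [
    ("2020-10-06T02:14:01", 4625, "203.0.113.7", "administrator"),
    ("2020-10-06T02:14:03", 4625, "203.0.113.7", "admin"),
    ("2020-10-06T02:14:05", 4625, "203.0.113.7", "administrator"),
    ("2020-10-06T02:14:06", 4625, "198.51.100.9", "jsmith"),
    ("2020-10-06T02:14:08", 4625, "203.0.113.7", "backup"),
    ("2020-10-06T02:14:10", 4625, "203.0.113.7", "administrator"),
    ("2020-10-06T02:14:12", 4624, "198.51.100.9", "jsmith"),
    ("2020-10-06T02:14:13", 4625, "203.0.113.7", "backup"),
    ("2020-10-06T02:14:15", 4625, "203.0.113.7", "backup"),
    ("2020-10-06T02:14:17", 4624, "203.0.113.7", "backup"),
]


def detect_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Return (flagged, compromised).

    flagged: {source: ISO time of the failure that reached `threshold`
              failures within any `window`-long span}
    compromised: sorted [(source, account)] for successful logons that
              came from an already-flagged source.
    """
    records = sorted(records, key=lambda r: r[0])      # ISO timestamps sort by time
    recent = defaultdict(deque)                        # source -> failure times in window
    flagged = {}
    compromised = set()
    for ts_text, event_id, source, account in records:
        ts = datetime.fromisoformat(ts_text)
        if event_id == 4625:
            q = recent[source]
            q.append(ts)
            while ts - q[0] > window:                  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and source not in flagged:
                flagged[source] = ts.isoformat()
        elif event_id == 4624 and source in flagged:
            compromised.add((source, account))
    return flagged, sorted(compromised)


if __name__ == "__main__":
    flagged, compromised = detect_bruteforce(SAMPLE_LOGONS)
    for source, when in flagged.items():
        print(f"brute force from {source}, threshold crossed at {when}")
    for source, account in compromised:
        print(f"{account} logged on from flagged source {source}: reset the password and investigate")
```

The success-after-burst check matters more than the failure count itself: a flagged source that never logs on is noise to rate-limit, while an account that authenticates from it is the foothold a file-locker operator uses next, so that account's credentials and sessions need resetting before the encryption run begins.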

In all cases, the presence or absence of a backup is the factor that makes recovering files without paying the ransom possible or not. Paying the FLYU Ransomware's currently-unknown ransom, which it demands through both HTA and TXT notes, does not necessarily provide victims with the decryption help they're purchasing. Some threat actors even use these payments as pretexts for launching additional attacks, such as sending Trojans disguised as samples of unlocked files.

Users can recover documents and other encrypted content from backups saved on devices that the FLYU Ransomware can't reach, meaning storage that is offline or otherwise detached from the infected system at the time of the attack. Disinfection usually relies on dedicated cyber-security tools, which should detect and remove the FLYU Ransomware.

As the FLYU Ransomware flies to its next targets by whatever means it pleases, users should work towards the ideal of regularly-updated backups in safe storage. It might be the only thing keeping them from becoming an entry in a Ransomware-as-a-Service's lamentable list of successes.
