
FriedEx Ransomware

Posted: January 29, 2018

The FriedEx Ransomware is a file-locker Trojan that blocks your media by encrypting it. This Trojan's campaign targets for-profit entities and may include attempts to force ransom payments by threatening to leak confidential information. Traditional anti-malware products should safely intercept or remove the FriedEx Ransomware, but any files that this threat locks may not be recoverable without preexisting copies of their non-locked versions.

Files Getting Fried by Revamped Spyware

The authors behind both the Necurs botnet and the Dridex spyware aren't resting on their laurels, although their latest work borrows from the past. Seemingly having taken the majority of Dridex's code and stripped out its data-collecting features, they've replaced that threat's attack routines with file-ransoming behavior, thereby creating the FriedEx Ransomware. The most infamous attack deploying it so far has been against the NHS Lanarkshire board of Scotland, with similar attacks also targeting other business and government entities.

The FriedEx Ransomware's identifying feature is encrypting content, such as text documents, images, spreadsheets, and other media, to lock it. Even though the FriedEx Ransomware uses a hard-coded key, which usually is a sign of weakness, its threat actors combine RC4 and RSA in a way that impedes any free decryption attempts. The Trojan also creates a text file as part of its ransom-delivery process and requests Bitcoins, under the bluff of leaking the server's data to the public.

As per our malware experts' analyses, what makes the FriedEx Ransomware unique isn't that part of its payload, but the rest of its characteristics. Most of them are identical to the anti-security features of Dridex, and include:

  • The FriedEx Ransomware uses encryption not just for blocking the PC's files, but also for obscuring its internal text strings. One entry holds a machine-specific identifying tag with a layout identical to the same feature in Dridex.
  • The FriedEx Ransomware resolves API calls and locates Registry values indirectly, by looking them up via hashes, which partially conceals the activity from conventional threat analysis.
  • The Trojan also uses an additional data-packing utility to obfuscate its code. Malware experts note that the same packer is also in use in the campaigns of threats not directly associated with the FriedEx Ransomware, Necurs or Dridex.

Plucking Your Data out of the Frying Pan

Threat actors are installing the FriedEx Ransomware by using brute-force methods to gain system access and then infecting each accessible PC via manual commands. Network password security is critical for blocking attacks by brute-force hacking software, although these cybercrooks also frequently use spam e-mails for file-ransoming campaigns. There is no decryption solution for the FriedEx Ransomware's hostage files, which it flags with the '.locked' extension and tries to ransom for hundreds of thousands of dollars.
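Since the article describes the campaign's entry point as brute-forced logons rather than the Trojan's own payload, the most useful detection sits in the logon audit trail. The following is an added example (not code from the original article or from any named product) that scans Windows-style logon events for a burst of failures from one source address and notes whether a successful logon followed the burst, which is the pattern an RDP password-guessing attack leaves behind. The event lines are constructed for this example; their pipe-separated layout is an assumption, and the only real identifiers used are the standard Windows Security event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP).

```python
"""Flag password-guessing bursts in Windows logon events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp|event_id|target_user|source_ip|logon_type
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
SAMPLE_EVENTS = """\
2018-01-29T02:00:01|4625|administrator|203.0.113.7|10
2018-01-29T02:00:04|4625|administrator|203.0.113.7|10
2018-01-29T02:00:06|4625|admin|203.0.113.7|10
2018-01-29T02:00:09|4625|backup|203.0.113.7|10
2018-01-29T02:00:11|4625|administrator|203.0.113.7|10
2018-01-29T02:00:15|4625|administrator|203.0.113.7|10
2018-01-29T02:01:30|4624|administrator|203.0.113.7|10
2018-01-29T02:05:00|4625|jsmith|198.51.100.20|10
2018-01-29T02:16:00|4625|jsmith|198.51.100.20|10
2018-01-29T02:16:20|4624|jsmith|198.51.100.20|10
"""

THRESHOLD = 5                  # failures from one source inside WINDOW raise an alert
WINDOW = timedelta(minutes=2)  # sliding window size (tuning value, an assumption)


def parse_events(text):
    """Parse the pipe-separated lines into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, src, logon_type = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "user": user,
            "src": src,
            "logon_type": int(logon_type),
        })
    events.sort(key=lambda e: e["time"])
    return events


def max_failures_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any one window."""
    best, start = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_password_guessing(events, threshold=THRESHOLD, window=WINDOW):
    """Return {source_ip: summary} for sources whose failure rate crosses threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        failures = [e for e in evs if e["event_id"] == 4625]
        peak = max_failures_in_window([e["time"] for e in failures], window)
        if peak < threshold:
            continue  # a couple of typos from a user is not a guessing burst
        last_failure = failures[-1]["time"]
        # A 4624 after the burst means a guessed password actually worked.
        success_after = any(
            e["event_id"] == 4624 and e["time"] >= last_failure for e in evs
        )
        alerts[src] = {
            "peak_failures": peak,
            "users_tried": sorted({e["user"] for e in failures}),
            "rdp": any(e["logon_type"] == 10 for e in failures),
            "success_after_burst": success_after,
        }
    return alerts


if __name__ == "__main__":
    for src, info in find_password_guessing(parse_events(SAMPLE_EVENTS)).items():
        print(src, info)
```

Run against the sample, the script flags 203.0.113.7 (six failures in fifteen seconds across three account names, followed by a successful RDP logon) and ignores 198.51.100.20, whose two failures are eleven minutes apart. In a real deployment the same logic runs over exported Security log records or a SIEM query, and a hit with `success_after_burst` set is the signal to treat the host as compromised and check for the '.locked' extension and ransom note described above.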

Backups are a mainstay defense against any file-locker Trojan but become especially important when dealing with Trojans like the FriedEx Ransomware, for which the only decryptors are the premium ones sold on the black market. Maintaining segregated network security protocols also might prevent the campaign's threat actors from infecting more machines beyond the initial one they target in any RDP attack. Keeping the databases of any anti-malware software updated also can raise detection rates and delete the FriedEx Ransomware with optimal accuracy, which malware experts highly recommend.

Although victims may identify a threat by the ways it chooses to attack them, what passes for efficient programming practice can make two supposedly different programs into close relatives. The shared features of the Dridex and FriedEx Ransomware campaigns are a good illustration of how con artists can redirect their attacks without putting much work into it.
