FriedEx Ransomware
Posted: January 29, 2018
Threat Metric
The following fields listed on the Threat Meter, each containing a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Field | Value |
|---|---|
| Threat Level: | 8/10 |
| Infected PCs: | 13 |
| First Seen: | October 28, 2023 |
| OS(es) Affected: | Windows |
The FriedEx Ransomware is a file-locker Trojan that blocks your media by encrypting it. This Trojan's campaign is targeting for-profit entities and may include attempts to force ransom payments on your part by threatening to leak confidential information. Traditional anti-malware products should intercept or remove the FriedEx Ransomware safely, but any files that this threat locks may not be recoverable without preexisting copies of their non-locked versions.
Files Getting Fried by Revamped Spyware
The authors behind both the Necurs botnet and Dridex spyware aren't resting on their laurels, although their latest works borrow from the past. Seemingly having taken the majority of Dridex's code and stripped out the data-collecting features, they've replaced that threat's attack routines with file-ransoming behavior, thereby creating the FriedEx Ransomware. The most infamous attack deploying it, so far, has been against the NHS Lanarkshire board of Scotland, with similar attacks also targeting other business and government entities.
The FriedEx Ransomware's identifying feature is encrypting content, such as text documents, images, spreadsheets, and other media, to lock it. Even though the FriedEx Ransomware uses a hard-coded key, which usually is a sign of vulnerability, its threat actors are using a secure encryption combination of RC4 and RSA, which impedes any free decryption attempts. The Trojan also creates a text file as part of its ransom-delivering process, requesting Bitcoins while bluffing that it will leak the server's data to the public.
As per our malware experts' analyses, what makes the FriedEx Ransomware unique isn't that part of its payload, but the rest of its characteristics. Most of them are identical to the anti-security features of Dridex, and include:
- The FriedEx Ransomware uses encryption, not just for blocking the PC's files, but also for obscuring its internal text strings. One of those strings holds a machine-specific identifying tag, organized identically to the same feature in Dridex.
- The FriedEx Ransomware resolves API calls and isolates Registry values indirectly, by searching for them via hashes, which partially conceals the activity from conventional threat analysis.
- The Trojan also uses an additional, data-packing utility to obfuscate its code. Malware experts note that the same packer also is in use in the campaigns of threats not directly associated with the FriedEx Ransomware, Necurs or Dridex.
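Hash-based API and Registry lookups defeat simple string searches, but an analyst can invert them by pre-computing a table of hashes for every candidate name. The Python below is an added example, not code from the article or from the FriedEx sample: the ROR13 hash it uses is an assumed, textbook scheme chosen only for illustration (the article does not name the function FriedEx actually uses), and the list of API and Registry value names is a constructed sample.

```python
# Added example (not from the original article): an analyst-side lookup table
# that maps hash constants found in a sample back to API or Registry value names.
# ROR13 is an ASSUMED, textbook hashing scheme used here for illustration only.

from typing import Dict, Iterable, Optional


def ror13_hash(name: str) -> int:
    """'Rotate right by 13, then add the byte' over the ASCII bytes of a name,
    including a terminating NUL; 32-bit arithmetic. Assumed scheme."""
    h = 0
    for byte in name.encode("ascii") + b"\x00":
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF  # ROR 13 on a 32-bit value
        h = (h + byte) & 0xFFFFFFFF
    return h


def build_hash_table(names: Iterable[str]) -> Dict[int, str]:
    """Pre-compute hash -> name for every name the analyst wants to recognise.
    A collision is reported rather than silently overwriting an entry."""
    table: Dict[int, str] = {}
    for name in names:
        h = ror13_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision: {table[h]!r} vs {name!r}")
        table[h] = name
    return table


def resolve(table: Dict[int, str], h: int) -> Optional[str]:
    """Look one hash constant up; None means it is not in the table."""
    return table.get(h)


# Constructed sample of names (a few Win32 exports and a Registry value name).
# In practice the list comes from the export directories of the DLLs a sample
# loads, plus the Registry names the analyst expects it to touch.
SAMPLE_NAMES = [
    "CreateFileW", "WriteFile", "CryptEncrypt", "RegQueryValueExW",
    "LoadLibraryA", "GetProcAddress", "ProgramFilesDir",
]
TABLE = build_hash_table(SAMPLE_NAMES)


def resolve_observed(hashes: Iterable[int]) -> Dict[int, Optional[str]]:
    """Map each hash constant pulled from a disassembly back to a name."""
    return {h: resolve(TABLE, h) for h in hashes}


if __name__ == "__main__":
    # Constructed 'observed' constants: two known names and one unknown value.
    observed = [ror13_hash("CryptEncrypt"), ror13_hash("LoadLibraryA"), 0xDEADBEEF]
    for h, name in resolve_observed(observed).items():
        print(f"{h:#010x} -> {name or '<unknown>'}")
```

Once the hashing scheme of a real sample has been recovered, only `ror13_hash` needs to be swapped for it; the table-building and lookup logic stays the same, and unresolved constants point the analyst at names missing from the candidate list.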
Plucking Your Data out of the Frying Pan
Threat actors are installing the FriedEx Ransomware by using brute-force methods to gain system access and then infecting each accessible PC via manual commands. Network password security is critical for blocking attacks by brute-force hacking software, although the cybercrooks also frequently utilize spam e-mails for file-ransoming campaigns. There is no decryption solution for the FriedEx Ransomware's hostage files, which it flags with the '.locked' extension and tries to ransom for hundreds of thousands of dollars.
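Because the Trojan marks every hostage file with the '.locked' extension, a burst of renames to that extension from one host is a usable detection signal on a file server. The Python below is an added example, not code from the article or from any SpyHunter product: the audit-log format, host names, paths, one-minute window and five-rename threshold are all assumptions constructed for illustration.

```python
# Added example (not from the original article): flag hosts that rename many
# files to the '.locked' extension within a short window, using a constructed
# file-server audit log. Format, hosts, paths and thresholds are assumed.

from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Tuple

RANSOM_EXT = ".locked"          # extension the article reports for FriedEx
WINDOW = timedelta(seconds=60)  # assumed detection window
THRESHOLD = 5                   # assumed: renames per host per window that trip an alert

# Constructed sample audit log, one record per line:
#   <ISO timestamp> <host> RENAME <old path> -> <new path>
SAMPLE_LOG = r"""
2018-01-29T09:00:01 FS01 RENAME C:\share\finance\q1.xlsx -> C:\share\finance\q1.xlsx.locked
2018-01-29T09:00:02 FS01 RENAME C:\share\finance\q2.xlsx -> C:\share\finance\q2.xlsx.locked
2018-01-29T09:00:03 WS07 RENAME C:\Users\alice\notes.txt -> C:\Users\alice\notes.bak
2018-01-29T09:00:04 FS01 RENAME C:\share\hr\staff.docx -> C:\share\hr\staff.docx.locked
2018-01-29T09:00:05 FS01 RENAME C:\share\hr\payroll.xlsx -> C:\share\hr\payroll.xlsx.locked
2018-01-29T09:00:06 WS07 RENAME C:\Users\alice\draft.docx -> C:\Users\alice\draft.docx.locked
2018-01-29T09:00:07 FS01 RENAME C:\share\hr\contracts.pdf -> C:\share\hr\contracts.pdf.locked
2018-01-29T09:10:00 WS07 RENAME C:\Users\alice\old.docx -> C:\Users\alice\old.docx.locked
"""

Event = Tuple[datetime, str, str, str]  # (time, host, old_path, new_path)


def parse_line(line: str) -> Event:
    """Parse one audit record; raises ValueError for anything that is not a rename."""
    head, sep, rest = line.partition(" RENAME ")
    old, arrow, new = rest.partition(" -> ")
    if not sep or not arrow:
        raise ValueError(f"not a rename record: {line!r}")
    stamp, host = head.split(" ", 1)
    return datetime.fromisoformat(stamp), host, old, new


def is_ransom_rename(old: str, new: str) -> bool:
    """Only a rename that newly adds the ransom extension counts as a signal."""
    return new.lower().endswith(RANSOM_EXT) and not old.lower().endswith(RANSOM_EXT)


def detect_locked_bursts(log_text: str) -> Dict[str, datetime]:
    """Return {host: time first flagged} for every host that renamed at least
    THRESHOLD files to RANSOM_EXT inside any WINDOW-long sliding interval."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for raw in log_text.strip().splitlines():
        when, host, old, new = parse_line(raw)
        if not is_ransom_rename(old, new):
            continue
        q = recent[host]
        q.append(when)
        while q and when - q[0] > WINDOW:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= THRESHOLD and host not in flagged:
            flagged[host] = when
    return flagged


if __name__ == "__main__":
    for host, when in detect_locked_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {THRESHOLD}+ '.locked' renames by {when.isoformat()}")
```

In the constructed log, FS01 trips the alert on its fifth rename at 09:00:07, while WS07 is not flagged: one of its renames targets `.bak`, and its two `.locked` renames are ten minutes apart, so they never share a window. The same logic ports directly to a SIEM rule keyed on host and destination extension.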
Backups are a mainstay defense against any file-locker Trojan but become especially important when dealing with Trojans like the FriedEx Ransomware, for which the only decryptors are the premium ones sold on the black market. Maintaining segregated network security protocols also might prevent the campaign's threat actors from infecting more machines besides the initial one they target in any RDP attack. Keeping the databases of any anti-malware software patched also can heighten detection rates and delete the FriedEx Ransomware with optimal accuracy, which malware experts highly recommend.
Although victims may identify a threat by the ways it chooses to attack them, what passes for efficient programming practices can make two supposedly different programs into close relatives. The shared features of the Dridex and FriedEx Ransomware campaigns are a good example of how con artists can redirect their attacks without needing to put much work into it.