
Mr403Forbidden Ransomware

Posted: July 19, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 50
First Seen: July 19, 2017
OS(es) Affected: Windows

The Mr403Forbidden Ransomware is a file-encoding Trojan based on the FTSCoder family, which some security sector organizations refer to as the 'Stupid' Ransomware. Attacks from this threat can block you from opening different types of files, alter their filenames, and create pop-ups alerting you to its demands for ransom payments. You should remove the Mr403Forbidden Ransomware with a trusted brand of anti-malware tool before recovering any damaged media through either a backup or a free decryptor, in your own time.

Seeing Error Messages in an Unusual Context

While a 403 error page is an in-browser response to some failures when loading website data, a new team of threat actors is taking the label for illicit business ventures. Their Trojan, the Mr403Forbidden Ransomware, is an update of previous versions of the FTSCoder, a family of file-locking threats that includes the BlackSheep Ransomware, the WhyCry Ransomware, and a handful of other specimens. Their campaign seems to be targeting Indonesian systems with the by-now traditional attempt at holding data hostage to extort money.

While the Mr403Forbidden Ransomware includes some English-based components, such as its ransom notes, its authors appear to have limited fluency with the language and may be using a translation service. The infection methods the Mr403Forbidden Ransomware is using for its distribution are, as yet, unidentified, but a majority of this class of attacks use spam e-mails, corrupted websites, or a combination of the two. Once it does have system access, the Mr403Forbidden Ransomware launches a file-encrypting routine meant to lock your digital content with a cipher.

The Mr403Forbidden Ransomware adds 'alosia' extensions to every file that it blocks this way, which can include various formats of text documents, compressed archives, pictures, audio, and databases or spreadsheets. It also may use an additional string that identifies the source of the encryption by name, which malware analysts note as an unusual characteristic from Trojans of this payload type.
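The 'alosia' marker gives responders a cheap way to scope an infection before touching backups. The following script is an added example for incident scoping, not code from this write-up or from any security vendor; it assumes the marker is appended as a trailing '.alosia' extension, and the Indonesian-looking file names in the constructed sample listing are invented for illustration.

```python
"""Inventory files carrying the '.alosia' extension left by Mr403Forbidden.

Added example for incident scoping; not code from the page or from any
security vendor. The extension is the one the write-up names; the sample
file names below are constructed.
"""
import os
from collections import Counter
from pathlib import Path

MARKER = ".alosia"  # extension appended to encrypted files, per the write-up


def is_marked(name: str) -> bool:
    """True if the file name ends with the Mr403Forbidden marker extension."""
    return name.lower().endswith(MARKER)


def original_name(name: str) -> str:
    """Strip the marker so a responder can map each locked file to its backup copy."""
    return name[:-len(MARKER)] if is_marked(name) else name


def summarize(paths):
    """Group marked files by directory and by original extension.

    Returns (marked_paths, per_directory_counts, per_extension_counts).
    The per-extension view tells you which data classes (documents,
    pictures, spreadsheets) were hit, matching the write-up's description.
    """
    marked = [p for p in paths if is_marked(os.path.basename(p))]
    by_dir = Counter(os.path.dirname(p) for p in marked)
    by_ext = Counter(
        Path(original_name(os.path.basename(p))).suffix.lower() or "<none>"
        for p in marked
    )
    return marked, by_dir, by_ext


def scan_tree(root):
    """Walk a directory tree and return the summary for every file under it."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        paths.extend(os.path.join(dirpath, f) for f in files)
    return summarize(paths)


# Constructed sample listing, standing in for the output of os.walk
SAMPLE = [
    "C:/Users/budi/Documents/laporan.docx.alosia",
    "C:/Users/budi/Documents/anggaran.xlsx.alosia",
    "C:/Users/budi/Pictures/foto.jpg.alosia",
    "C:/Users/budi/Pictures/readme.txt",
    "C:/Users/budi/Downloads/arsip.zip",
]

if __name__ == "__main__":
    marked, by_dir, by_ext = summarize(SAMPLE)
    print(f"{len(marked)} marked files")
    for d, n in by_dir.most_common():
        print(f"  {n:4d}  {d}")
    for e, n in by_ext.most_common():
        print(f"  {n:4d}  {e}")
```

Run `scan_tree` against a mounted image of the affected volume rather than the live host, and use the per-directory counts to decide which backup sets to restore first; the stripped original names give you a one-to-one mapping back to the backup copies.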

Once it's blocking your files, the Trojan creates a Windows message box with its text primarily in English. Its authors ask you to contact them at one of two free e-mail addresses for paying to unlock your data. Like most FTSCoder variants, the Mr403Forbidden Ransomware includes the decryption component with the rest of the program, which means that the threat actor only needs to provide the password.

Forbidding a Trojan Free Access to What's not Theirs

Although a regular 403 message is no more harmful than a stop sign, its employment as a con artist's alias gives the term a new context for otherwise old styles of cyber attacks. Before paying or making other, rash decisions regarding its threat actors' demands, victims should consider investigating all free recovery options, including the FTSCoder-specific decryption programs currently available. Specialized security researchers also may provide further assistance with samples of the encoded content and the Mr403Forbidden Ransomware.

FTSCoder isn't known for being particularly evasive, and malware analysts find no new features in the Mr403Forbidden Ransomware that would alter that conclusion in any meaningful way. Many anti-malware products may block this threat immediately or remove the Mr403Forbidden Ransomware after an infection happens. With foresight, users also can deprive this Trojan of any leverage by dutifully backing up their content beforehand.

The Mr403Forbidden Ransomware is only just starting its attacks against Indonesian PCs and their owners. However, FTSCoder isn't a family that's shy about crossing borders, and the Mr403Forbidden Ransomware could turn into a more widespread problem for the unprepared.
