FabSysCrypto ransomware belongs to the HiddenTear family of infections. It is a common crypto virus that drops the malicious file fabsyscrypto.exe on the system and executes it to start the encryption of important target data. For the enciphering purposes, FabSysCrypto implements the strong AES algorithm. Upon encryption, it appends the malicious extension .locked to all corrupted files. Then it drops a TXT file / called _HELP_instructions.txt/ that is designed to guide the victim in getting the private decryption key that is expected to restore the files.
This article aims to help all victims of FabSysCrypto ransomware by providing consistent removal guide. Even if you are not a victim of the threat, we advise you to meet the specifics of a ransomware infection in order to stay cyber safe in future and avoid getting malware.
Features of FabSysCrypto Ransomware
The infection process starts once the malicious file fabsyscrypto.exe is running on your system. What follows is a scan of the entire system that aims to find particular file types and encrypt them. Afterwards, all corrupted files get the malicious extension .locked and remain unusable until there is a decryption key to restore them. Currently the list of all file types targeted by FabSysCrypto ransomware counts 20 and includes:
.asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml
All these files get encrypted via AES encryption algorithm and receive the extension .locked. Each file with appended .locked extension cannot be opened with any program until it is decrypted.
The extortionists urge victims to follow specific TOR and ONION links in a view to pay a ransom and receive the private key that is claimed to restore encrypted data. The links are included in the FabSysCrypto ransom note that is known under the name _HELP_instructions.txt. It depicts the following text:
!!! IMPORTANT INFORMATION !!!!
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More Information about the RSA and AES can be found here:
Decrypting of your files Is only possible with the private key and decrypt program, which Is on our secret server.
To receive your private key follow one of the links:
If all of this addresses are not available, follow these steps:
1. Download and Install Tor Browser: xxxxs://www.torproject.org/download/download-easy.html
2. After a successful Installation, run the browser and wait for Initialization.
3. Type In the address bar: 32kl2rwsjvqjeul7.onlon/56D592DC7A9DDlDB
4. Follow the Instructions on the site.
!!! Your personal Identification ID: – !!!
It is notable that the creators of FabSysCrypto are trying to mimic the ransom note of the infamous Locky ransomware. However, FabSysCrypto is based on the HiddenTear source code so the statement “All of your files are encrypted with RSA-2048 and AES-128 ciphers“ is not valid as HiddenTear is programmed to implement only AES encryption algorithm. Eventually, FabSysCrypto is less dangerous than Locky ransomware, and there is a chance that some third party tools might help you to recover some .locked files after the removal process.
The further impact caused by FabSysCrypto ransomware infection may be modifications of the Windows registry keys. The most common targeted locations are:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\RunOnce
- HKEY_USERS\DEFAULT\Control Panel\Desktop
If FabSysCrypto creates value in Run folder, it will allow the ransomware to activate itself anytime the system is started. Changed values in the Desktop folder usually lead to the replacement of the current wallpaper with the ransom message file.
As regards the ransom amount we have found information that the crooks demand 0.5 BTC for the decryption tool and key. We want to remind you that any negotiations with cyber criminals are inadvisable.
Methods of FabSysCrypto Delivery
How can the executable application fabsyscrypto.exe land on your computer?
Among the most common ways of FabSysCrypto ransomware infection are:
- Spam email campaigns – the message is most likely to urge you to download and interact with a ZIP archive or document attachment that contains the ransomware payloads. It could be hard to recognize the malicious intention of such emails as cyber criminals are good at impersonating legal services that we use in our everyday life. So we recommend thinking twice before a click and better refraining from opening attachments that look suspicious. One way to understand whether a file is malicious or not is to check it with online scanning services like ZipeZip and VirusTotal.
- Malicious web links – such web links may be posted on e-mail messages with convincing notes to click them immediately or in spammed comments on sites that are not adequately secured against spam. Another method of spreading malicious URLs is on social media sites like Facebook and Twitter. The malware can be hidden in a fake notification, counterfeit shares from compromised accounts, spammed private messages, etc.
- Freeware software – be careful when you decide to download and install free applications choose wisely the sources and if you find the wanted app on the official website of the vendor better download it from there. Sometimes the malicious ransomware payloads may be bundled with the freeware package so threats like FabSysCrypto may land on the system unnoticed.
Summary of the FabSysCrypto Ransomware
| 0.5 BTC|
|You can skip all steps and remove FabSysCrypto ransomware with the help of an anti-malware tool.|
|FabSysCrypto ransomware can be removed manually, though it can be very hard for most home users. See the detailed tutorial below.|
|Spam Email Campaigns, malicious ads & etc.|
You can try the help of third party software to recover .locked data. Just accomplish the entire removal process of FabSysCrypto ransomware following the step-by-step guide below. It is important to notice that a backup of all encrypted data is highly advisable because it will prevent total data loss in case that something goes wrong during the recovery process.
FabSysCrypto Ransomware Removal
STEP I: Start the PC in Safe Mode with Network
This will isolate all files and objects created by the ransomware so they will be removed efficiently.
- 1) Hit WIN Key + R
- 2) A Run window will appear. In it, write “msconfig” and then press Enter
3) A Configuration box shall appear. In it Choose the tab named “Boot”
4) Mark “Safe Boot” option and then go to “Network” under it to tick it too
5) Apply -> OK
Or check our video guide – “How to start PC in Safe Mode with Networking”
STEP II: Show Hidden Files
- 1) Open My Computer/This PC
2) Windows 7
- – Click on “Organize” button
– Select “Folder and search options”
– Select the “View” tab
– Go under “Hidden files and folders” and mark “Show hidden files and folders” option
3) Windows 8/ 10
- – Open “View” tab
– Mark “Hidden items” option
4) Click “Apply” and then “OK” button
STEP III: Enter Windows Task Manager and Stop Malicious Processes
- 1) Hit the following key combination: CTRL+SHIFT+ESC
2) Get over to “Processes”
3) When you find suspicious process right click on it and select “Open File Location”
4) Go back to Task Manager and end the malicious process. Right click on it again and choose “End Process”
5) Next you should go folder where the malicious file is located and delete it
STEP IV: Remove Completely FabSysCrypto Ransomware Using SpyHunter Anti-Malware Tool
SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter
STEP V: Repair Windows Registry
- 1) Again type simultaneously the Windows Button + R key combination
2) In the box, write “regedit”(without the inverted commas) and hit Enter
3) Type the CTRL+F and then write the malicious name in the search type field to locate the malicious executable
4) In case you have discovered registry keys and values related to the name, you should delete them, but be careful not to delete legitimate keys
STEP VI: Recover Encrypted Files
- 1) Use present backups
- 2) Use professional data recovery software
- – Stellar Phoenix Data Recovery – a specialist tool that can restore partitions, data, documents, photos, and 300 more file types lost during various types of incidents and corruption.
- 3) Using System Restore Point
- – Hit WIN Key
– Select “Open System Restore” and follow the steps
- 4) Restore your personal files using File History
- – Hit WIN Key
– Type “restore your files” in the search box
– Select “Restore your files with File History”
– Choose a folder or type the name of the file in the search bar
- – Hit the “Restore” button
STEP VII: Preventive Security Measures
- 1) Enable and properly configure your Firewall.
2) Install and maintain reliable anti-malware software.
3) Secure your web browser.
4) Check regularly for available software updates and apply them.
5) Disable macros in Office documents.
6) Use strong passwords.
7) Don’t open attachments or click on links unless you’re certain they’re safe.
8) Backup regularly your data.