
FunFact .cry File Virus (Restore Encrypted Files)

This article will help you remove FunFact ransomware, which uses the .cry file extension. It will also help you try to restore some of the .cry encrypted files.

A ransomware virus has appeared in the wild, encrypting archives, pictures, Microsoft Office documents and other important files. The virus is dubbed FunFact and drops a note.ini ransom note, which it opens after encrypting the files. In the ransom note, the cyber-criminals demand a payment of around 1.6 BitCoin within a 7-day deadline. If you have become a victim of this ransomware, the advice is to focus on removing it immediately and then to try restoring the files that FunFact encrypted with the RSA and AES ciphers.

Threat Summary

Name: FunFact
Type: Ransomware
Short Description: The malware encrypts users' files using a combination of the AES and RSA encryption algorithms.
Symptoms: The user may see a ransom note named note.ini asking to pay in BTC to an address. Files may be encrypted with the .cry file extension.
Distribution Method: Via an exploit kit, DLL file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool: See If Your System Has Been Affected by FunFact (Malware Removal Tool)
User Experience: Join our forum to Discuss FunFact.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

FunFact Ransomware – How Does It Infect Users

FunFact is no different than any other ransomware virus. It could be spread via e-mail spam and the spam may contain malicious attachments which have:

  • Exploit kits embedded.
  • Malicious JavaScript or .js types of files.
  • Files in a legitimate .doc, .docx, .xls or .pdf format, containing malicious macros.

To cause an infection, the criminals may make the spammed messages look like legitimate messages from well-known companies or organizations.

Once the user opens the e-mail attachment and becomes infected by the malware, the virus may establish contact with multiple domains and addresses:

  • 23.239.26.248:80 (to get your IP address)
  • ocsp.usertrust.com
  • ocsp.comodoca.com
  • crl.comodoca.com
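
As an added example (not part of the original article), the Python sketch below triages proxy-log lines against the indicators listed above. The three OCSP/CRL hosts are ordinary certificate-status endpoints that clean machines also contact, so here they only raise confidence when seen close to a connection to 23.239.26.248:80; the log format, client addresses, timestamps and 5-minute window are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators copied from the list above.
STRONG = {"23.239.26.248:80"}      # IP-lookup endpoint named in the article
WEAK = {"ocsp.usertrust.com", "ocsp.comodoca.com", "crl.comodoca.com"}
WINDOW = timedelta(minutes=5)      # assumed correlation window

# Constructed sample log, one request per line: "<ISO time> <client> <dest>"
SAMPLE_LOG = """\
2017-01-10T09:00:01 10.0.0.5 ocsp.comodoca.com
2017-01-10T09:00:03 10.0.0.5 23.239.26.248:80
2017-01-10T09:00:04 10.0.0.5 crl.comodoca.com
2017-01-10T09:02:10 10.0.0.7 ocsp.usertrust.com
2017-01-10T11:30:00 10.0.0.9 23.239.26.248:80
"""

def parse(log):
    """Yield (timestamp, client, destination) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, client, dest = parts
        yield datetime.fromisoformat(ts), client, dest.lower()

def triage(log):
    """Return {client: 'high' | 'medium'} for clients that hit the strong indicator."""
    events = defaultdict(list)
    for ts, client, dest in parse(log):
        events[client].append((ts, dest))
    verdicts = {}
    for client, evs in events.items():
        hits = [ts for ts, dest in evs if dest in STRONG]
        if not hits:
            continue  # weak indicators alone are normal certificate checks
        corroborated = any(
            dest in WEAK and abs(ts - hit) <= WINDOW
            for hit in hits for ts, dest in evs
        )
        verdicts[client] = "high" if corroborated else "medium"
    return verdicts

if __name__ == "__main__":
    for client, level in sorted(triage(SAMPLE_LOG).items()):
        print(client, level)
```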

After this has been done, the payload of FunFact ransomware may be downloaded. It consists of the following files:

Word.D.exe
note.ini
clsign.dll
trc.dll
tst.tst
rar.exe
wallet.jpg
%TEMP%\{random A-Z 0-9}.tmp
%LOCALAPPDATA%\ow\Microsoft\CryptnetUrlCache\MetaData\

FunFact Ransomware – Post-Infection and Encryption

Besides obtaining the IP address of the infected computer, the FunFact virus may begin to scan for various files to encrypt. The following file types may be among those it encrypts:

.7z, .ace, .arj, .bz2, .cab, .gz, .jpeg, .jpg, .lha, .lzh, .mp3, .rar, .taz, .tgz, .z, .zip, .xls, .docx, .doc, .xml

The files may be encrypted with the Advanced Encryption Standard (AES), and the RSA algorithm may be used for the encryption key. The files are reported to possibly have the .cry file extension added to them. They may appear like the following:

After encryption, the FunFact ransomware adds its distinctive note.ini ransom note and automatically opens it. The note has the following message for the victim:

Remove FunFact Ransomware and Try Restoring Your Files

In order to remove this ransomware virus completely from your computer, it is strongly recommended to follow the removal instructions posted below. They are designed to perform effective removal either by manually looking for the files or by automatically taking care of them via an advanced anti-malware tool (recommended).

After you have removed FunFact ransomware from your computer, it is strongly recommended to focus on restoring your data via some of the alternative methods mentioned below in step “2. Restore files encrypted by FunFact”. These methods may not be 100 percent effective, but they may restore some of your files, depending on the situation.

Manually delete FunFact from your computer

Note! Manual removal of FunFact requires interference with system files and registries, so it can cause damage to your PC. If your computer skills are not at a professional level, don’t worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove FunFact files and objects
2. Find malicious files created by FunFact on your PC
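
One way to carry out step 2 without changing anything on disk, as an added example that is not the article's own tooling: a read-only Python scan for the payload file names and the .cry extension described earlier. The directory tree it scans is constructed for the demonstration, and the rule for flagging a folder is an assumption chosen to limit false positives.

```python
import os
import tempfile
from pathlib import Path

# Names and extensions copied from the article's lists (compared case-insensitively).
PAYLOAD_NAMES = {"word.d.exe", "note.ini", "clsign.dll", "trc.dll",
                 "tst.tst", "rar.exe", "wallet.jpg"}
TARGETED = {".7z", ".ace", ".arj", ".bz2", ".cab", ".gz", ".jpeg", ".jpg",
            ".lha", ".lzh", ".mp3", ".rar", ".taz", ".tgz", ".z", ".zip",
            ".xls", ".docx", ".doc", ".xml"}

def scan(root):
    """Read-only walk of root. Returns (encrypted, suspect_dirs)."""
    encrypted, suspect_dirs = [], []
    for dirpath, _dirs, files in os.walk(root):
        cry = [f for f in files if f.lower().endswith(".cry")]
        for f in cry:
            inner = Path(f[:-4]).suffix.lower()
            # Second field: is the name under ".cry" a type the article lists?
            encrypted.append((os.path.join(dirpath, f), inner in TARGETED))
        dropped = {f.lower() for f in files} & PAYLOAD_NAMES
        # rar.exe or note.ini alone is common and benign, so require two
        # payload names together, or a note.ini next to .cry files.
        if len(dropped) >= 2 or ("note.ini" in dropped and cry):
            suspect_dirs.append((dirpath, sorted(dropped)))
    return encrypted, suspect_dirs

def demo():
    """Scan a constructed tree; return basenames so the result is stable."""
    layout = {
        "Documents": ["report.docx.cry", "photo.jpg.cry", "note.ini", "keep.txt"],
        "drop": ["Word.D.exe", "clsign.dll", "trc.dll"],
        "tools": ["rar.exe"],          # lone generic name: not flagged
    }
    with tempfile.TemporaryDirectory() as root:
        for folder, names in layout.items():
            Path(root, folder).mkdir()
            for name in names:
                Path(root, folder, name).touch()
        encrypted, dirs = scan(root)
        return (sorted((os.path.basename(p), known) for p, known in encrypted),
                sorted((os.path.basename(d), names) for d, names in dirs))

if __name__ == "__main__":
    files, folders = demo()
    print(files)
    print(folders)
```

Point scan() at a user profile or a mounted copy of the disk; it only lists candidates and leaves the decision to delete or keep them to the analyst.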

Automatically remove FunFact by downloading an advanced anti-malware program

1. Remove FunFact with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by FunFact
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
