.fff Files Virus - How to Remove and Restore-Data

.fff Files Virus – How to Remove and Restore Data

This article aims to show you instructions on how to remove the SoFucked ransomware, and how to restore files that have been encrypted with the .fff file extension added.

New ransom threat has appeared, encrypting files on the computers infected by it and appending the .fff file extension to them afterwards. The virus aims to perform multiple modifications on the computer of the user, including dropping it’s ransom note, named READTHISHIT.txt and changing the wallpaper with the same message as in the note which asks victims to contact the e-mail sofucked@freespeechmail.org. If you have become a victim off this ransom infection, it is advisable to read the article below and learn how to remove it from your computer and how to restore your files.

Threat Summary

Name.fff Ransomware
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the computers infected by it after which drops a ransom note, demanding payment for their decryption.
SymptomsFiles are no longer openable. The ransom note on the image above is displayed.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .fff Ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .fff Ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

How Does .fff Files Ransomware Infect

In order to infect as many users as possible, the .fff files ransomware may be spread in a method, used by more than 80% of the ransomware viruses these days – malspam. The spammed messages may include either malicious e-mail attachments or links to external site from where the victim is supposed to download the malicious file. The e-mails are created in a way that they aim to deceive the victim into opening the malicious e-mail attachment, claiming it is a receipt, invoice or any other important document.

Besides this, other methods of infection include the usage of various different fake installers of programs, game patches, cracks, etc, that are downloaded instead of the real ones from suspicious sites.

.fff Ransomware – Malicious Activity

The first thing done by the .fff ransomware virus is to drop it’s payload. To do this, the ransomware may either connect to a malicious website and then download the payload or extract it on the computer. The payload of the .fff ransomware may consist of more than one malicious files and they may be located in the following Windows directories:

  • %AppData%
  • %Temp%
  • %Common%
  • %Roaming%
  • %Local%
  • %LocalLow%

After having dropped those files, the .fff file virus may execute them and they may perform the following activities on your computer:

  • Delete the shadow volume copies via administrative commands in Windows Command Prompt.
  • Add registry values with the location of the encryption file in the Run and RunOnce registry sub-keys.
  • Collect system information.

In addition to this, the .fff ransomware also changes the wallpaper of the infected computer and drops a ransom note named READTHISHIT.txt. The message on the wallpaper and the text document is the same:

“ok, your files are gone, sort of. they are all encrypted,
you cannot fix them, av companies won’t help you. if you really
want to get them back you need to pay for them

email me: sofucked@freespeechmail.org”

.fff Files Virus – Encryption

For this ransomware to encrypt the files on your computer, it uses the AES encryption algorithm, also known as Advanced Encryption Standard. It alters blocks of data from your original file with its encrypted analogue. Then, the encryption generates a unique decoding key which is known only to the cyber-criminals.

The virus is very careful not to encrypt important Windows files and folders, such as:

  • System files.
  • Drivers.

Furthermore, .fff ransomware targets various documents, archives, audio files, virtual drive files, videos and many other types of files. The malware may attack files with the following file extensions:


After encryption, the files are added the .fff file extension, making them look like the following:

Remove .fff Ransomware and Restore Your Encrypted Files

In order to get rid of .fff ransomware, it is strongly recommended to follow the removal instructions below. They are specifically designed to help you delete this virus either manualy or automatically. If manual removal may be tricky, which is the case of .fff ransowmare, experts always advise using an advanced anti-malware program, which can fully and swiftly remove this virus and protect your computer in the future as well.

If you want to restore your files, you can try the alternative tools for file recovery we have suggested below in step “2. Restore files encrypted by .fff Ransomware”.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share