A new ransomware threat has appeared that encrypts files on the computers it infects and appends the .fff file extension to them. The virus aims to perform multiple modifications on the user's computer, including dropping its ransom note, named READTHISHIT.txt, and changing the wallpaper to show the same message as the note, which asks victims to contact the e-mail firstname.lastname@example.org. If you have become a victim of this ransom infection, it is advisable to read the article below and learn how to remove it from your computer and how to restore your files.
|Short Description||Encrypts the files on infected computers, then drops a ransom note demanding payment for their decryption.|
|Symptoms||Files are no longer openable. The ransom note on the image above is displayed.|
|Distribution Method||Spam Emails, Email Attachments, Executable files|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix. Notice: this product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.|
How Does .fff Files Ransomware Infect
In order to infect as many users as possible, the .fff files ransomware may be spread by a method used by more than 80% of the ransomware viruses these days: malspam. The spammed messages may include either malicious e-mail attachments or links to an external site from which the victim is supposed to download the malicious file. The e-mails are crafted to deceive the victim into opening the malicious e-mail attachment by claiming it is a receipt, invoice or another important document.
Besides this, other methods of infection include fake installers of programs, game patches, cracks, etc., that are downloaded instead of the real ones from suspicious sites.
.fff Ransomware – Malicious Activity
The first thing the .fff ransomware virus does is drop its payload. To do this, the ransomware may either connect to a malicious website and download the payload or extract it on the computer. The payload of the .fff ransomware may consist of more than one malicious file, and they may be located in the following Windows directories:
After having dropped those files, the .fff file virus may execute them and they may perform the following activities on your computer:
- Delete the shadow volume copies via administrative commands in Windows Command Prompt.
- Add registry values with the location of the encryption file in the Run and RunOnce registry sub-keys.
- Collect system information.
In addition to this, the .fff ransomware also changes the wallpaper of the infected computer and drops a ransom note named READTHISHIT.txt. The message on the wallpaper and the text document is the same:
“ok, your files are gone, sort of. they are all encrypted,
you cannot fix them, av companies won’t help you. if you really
want to get them back you need to pay for them
email me: email@example.com”
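The two file-system artifacts named on this page, the READTHISHIT.txt note and the .fff extension, can be used to scope which folders were hit before removal and restoration. The Python script below is an added example, not part of the original article; the function names and the sample folder tree are constructed for illustration, and it assumes the extension is appended to the full original file name.

```python
import os
import tempfile
from collections import Counter

RANSOM_NOTE = "READTHISHIT.txt"   # note name given on this page
ENC_SUFFIX = ".fff"               # extension given on this page


def triage(root):
    """Walk root and inventory the two file-system indicators from this page."""
    notes, encrypted, per_dir = [], [], Counter()
    # Unreadable directories are skipped instead of aborting the scan.
    for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
        for name in files:
            full = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == RANSOM_NOTE.lower():
                notes.append(full)
            elif lower.endswith(ENC_SUFFIX) and len(name) > len(ENC_SUFFIX):
                # Assumption: the suffix is appended to the original name,
                # so stripping it gives the name to look for in backups.
                original = name[: -len(ENC_SUFFIX)]
                encrypted.append((full, original))
                per_dir[dirpath] += 1
    return {"notes": sorted(notes), "encrypted": sorted(encrypted),
            "per_dir": dict(per_dir)}


def build_sample_tree(base):
    """Constructed sample data: a small tree imitating an affected profile."""
    layout = {
        "Documents": ["invoice.docx.fff", "budget.xlsx.fff", RANSOM_NOTE],
        "Pictures": ["holiday.JPG.FFF", "untouched.png"],
        "Desktop": [RANSOM_NOTE, "notes.txt"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            with open(os.path.join(base, folder, name), "wb") as fh:
                fh.write(b"constructed sample")
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        report = triage(build_sample_tree(tmp))
        print(f"{len(report['notes'])} ransom notes, "
              f"{len(report['encrypted'])} encrypted files")
        for path, original in report["encrypted"]:
            print(f"  {path} -> restore as {original}")
```

Run against a mounted copy of the affected drive, the per-directory counts show where encryption reached, and the stripped names give the list of files to look for in backups.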
.fff Files Virus – Encryption
To encrypt the files on your computer, this ransomware uses the AES encryption algorithm, also known as the Advanced Encryption Standard. It replaces blocks of data from your original file with their encrypted counterparts. Then, the encryption generates a unique decryption key, which is known only to the cyber-criminals.
The virus is very careful not to encrypt important Windows files and folders, such as:
- System files.
Furthermore, .fff ransomware targets various documents, archives, audio files, virtual drive files, videos and many other types of files. The malware may attack files with the following file extensions:
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” Source:fileinfo.com
After encryption, the .fff file extension is appended to the files, making them look like the following:
Remove .fff Ransomware and Restore Your Encrypted Files
In order to get rid of .fff ransomware, it is strongly recommended to follow the removal instructions below. They are specifically designed to help you delete this virus either manually or automatically. Where manual removal may be tricky, as is the case with .fff ransomware, experts always advise using an advanced anti-malware program, which can fully and swiftly remove this virus and protect your computer in the future as well.
If you want to restore your files, you can try the alternative tools for file recovery we have suggested below in step “2. Restore files encrypted by .fff Ransomware”.