.Frendi Ransomware — How to Remove Virus Infections

.Frendi Ransomware — How to Remove Virus Infections

This article will aid you to remove .Frendi Ransomware. Follow the ransomware removal instructions provided at the end of the article.

.Frendi Ransomware is one that encrypts your data and demands money as a ransom to get it restored. Files will receive the .Frendi extension. The .Frendi Ransomware will leave ransomware instructions as a desktop wallpaper image. Keep on reading the article and see how you could try to potentially recover some of your locked files and data.

Threat Summary

Name.Frendi ransomware
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts files by placing the .Frendi extension on the target files on your computer system and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files and leave a ransom note with payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .Frendi ransomware


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Frendi ransomware.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.Frendi Ransomware – Distribution Techniques

The .Frendi ransomware is a new virus that is descendant from the Dharma/CrySiS family of threats. It is believed that it is created by an inexperienced hacker or criminal collective as it is merely a customized version of the main engine which is available on the underground hacker forums. The captured samples are relatively low in number which doesn’t give out the main method of distribution.

It is presumed that the hackers might be using email phishing tactics which is a popular mechanism for spreading out all kinds of malware. The hackers will send out messages that pose as legitimate notifications from well-known services, companies or products that they might be using. They contain malicious contents and links that will coerce the victims into interacting with them. Usually the emails pose as software updates notifications, account reset instructions, special offers and etc.

Another tactic that can be used to spread viruses en-masse is to create malicious sites that pretend to be legitimate sources. Examples include download portals, search engines, vendor sites and etc. The virus infection can happen through interaction with the displayed content or any elements such as banners, pop-ups, ads and etc.

In some situations the virus files can be spread via payload carriers of which there are two main types:

  • Application Installers — They are made by taking the real software installers from their official sources and modifying them to include the necessary virus code. The hackers will typically target applications that are widely installed by end users: system utilities, creativity suites, productivity and office programs and even games.
  • Infected Documents — The other tactic uses documents as the files that cause the infections, they can be of any one of the popular types: presentations, text files, databases and spreadsheets. Whenever they are opened a prompt will be spawned asking the victims to enable the built-in scripts. The quoted reason for this is that the this is required in order to correctly the document.

The files can additionally be delivered via file-sharing networks such as BitTorrent where both pirate and legitimate content can be shared. Larger attack campaigns can be orchestrated via the use of browser hijackers — dangerous plugins which are made available for the most popular web browsers. They are usually uploaded to the relevant repositories using fake developer credentials and user reviews. The victims are enticed into installing them as promises of new feature and performance optimizations are placed in the descriptions. If they are installed not only will the .Frendi ransomware be installed, but also other changes will be made to the browsers. Their default settings will be changed to redirect the users to a hacker-controlled landing page. Affected values include the default home page, search engine and new tabs page.

.Frendi Ransomware – Detailed Analysis

As soon as the .Frendi ransomware has been installed on the victim computers the built-in modular engine will engage the configuration steps that are preconfigured by the attackers. We anticipate that a typical pattern will be started.

Usually these type of attack start with an information gathering which can harvest data that can be categorized into two main groups:

  • User Information — The .Frendi ransomware can directly expose the identity of the computer owners by looking out for strings that can directly reveal personal information. The engine can be programmed to look for strings such as their name, address, phone number, interests and any stored account credentials. Many ransomware of this type can also access the data used by web browsers thereby hijacking cookies, sessions data, bookmarks, history and etc.
  • Machine Metrics — The criminals can create an ID that can be used to differentiate between the compromised machines. This is a value that is generated by an algorithm that takes its input values from data such as the installed hardware components, user settings and operating system environment values.

The collected information can be used further by another module called security bypass which is used to discover and disable any security software that can interfere with the proper .Frendi ransomware execution. In most cases the list of apps that are affected include the following: firewalls, anti-virus programs, intrusion detection systems and virtual machine hosts.

At this point the .Frendi ransomware can affect the whole operating system by carrying out various malicious actions. Some of the most popular one are the following procedures:

  • Boot Options Modification — They are done by changing important configuration files that will make the virus automatically start as soon as the computer boots. This action usually disables access to the recovery boot menus nd certain settings which renders most manual recovery guides useless.
  • Persistent Installation — The threat can be installed in a way which makes removal very difficult. This is done by modifying system settings, files and the Windows Registry.
  • Windows Registry — The .Frendi ransomware can modify the existing Windows Registry values and creating new ones for itself. When those that are used by the operating system are modified by the ransomware the overall system performance will degrade. This can be done to the point of rendering the computer unusable. Changes to the values used by the third-party can lead to unexpected errors.
  • Additional Payload Delivery — The virus engine can be programmed to deploy other malware to the infected computers. Usually Trojans and miners are the most common companion threats.
  • Data Removal — The engine can be programmed to look for sensitive information that can be removed and thus make recovery much more difficult. Data that is affected includes backups, restore points and shadow volume copies. In these cases the victims will need to use a professional-grade data recovery application.

Other behavior can be set via the hacker commands that are built-in by the hackers before the campaign is launched. Advanced ransomware samples can even deploy a Trojan horse which will enable the hackers to take over control of the infected computers and spy on the users at all times.

.Frendi Ransomware – Encryption Process

Like other popular malware samples the .Frendi ransomware will launch the encryption engine once all prior modules have finished running. It will probably use a built-in list of target file type extensions which are to be processed by a strong cipher. An example list can include the following data types:

  • Backups
  • Databases
  • Archives
  • Images
  • Music
  • Videos

All affected files are renamed with the .Frendi extension. The associated ransomware note is created in a text file called Encrypted.txt which reads the following message:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
In case of no answer in 24 hours write us to theese e-mails: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected], or [email protected]

An HTML version and a lockscreen may also be produced.

Remove .Frendi Ransomware and Try to Restore Data

If your computer system got infected with the .Frendi ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share