FriedEx - Stealthy Ransomware Crafted by Dridex Authors


The infamous Dridex banking Trojan has now shifted towards ransomware in its FriedEx (also known as BitPaymer) variant.

Image Source: ESET

Related Story: Dridex Spread via Compromised OneDrive for Business Accounts

“Dridex has been a nightmare for computer users, companies and financial institutions for several years now, so much so that for many, it has become the first thing that comes to mind when talking about banking trojans”, ESET researchers said. According to their most recent findings, the authors of Dridex have also developed another high-profile malware family – the FriedEx ransomware, detected as Win32/Filecoder.FriedEx and Win64/Filecoder.FriedEx.

This ransomware was previously known as BitPaymer, which was discovered by Michael Gillespie and was active in the summer of 2017.

BitPaymer is a cryptovirus that most likely was aimed mainly at corporations and big firms. The ransomware is coded to put the extension .locked to all files after the encryption process is finished along with a text document containing the ransom note instructions for each encrypted file. The BitPaymer virus demanded the ransom sum of 50 Bitcoin while posing an empty threat that the target’s files will get leaked on the Web.

In August 2017, BitPaymer was targeting NHS hospitals in Scotland. FriedEx, however, appears to be targeting more high-profile companies and is mainly delivered via an RDP brute force attack.
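Because the article names RDP brute forcing as the main delivery vector, the defender-side check worth having is a burst detector over Windows Security log failed-logon events. The following is an added example, not code from the article or from ESET. It assumes a simplified pipe-delimited export of event records (timestamp, Event ID, logon type, account, source IP); the sample lines are constructed for the demo. Event ID 4625 is a failed logon, logon type 10 is RemoteInteractive (RDP), and with Network Level Authentication enabled RDP failures are logged as type 3 instead, so both types are counted.

```python
"""Flag source IPs with a burst of failed RDP logons (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "<ISO timestamp>|<EventID>|<LogonType>|<account>|<source ip>"
# 203.0.113.7 hammers several accounts within a minute; 198.51.100.20 is a user
# who mistyped once and then logged in (4624); 192.0.2.5 is a console (type 2) failure.
SAMPLE_LOG = """\
2017-08-14T02:00:01|4625|10|administrator|203.0.113.7
2017-08-14T02:00:09|4625|10|admin|203.0.113.7
2017-08-14T02:00:17|4625|10|backup|203.0.113.7
2017-08-14T02:00:25|4625|10|administrator|203.0.113.7
2017-08-14T02:00:33|4625|3|admin|203.0.113.7
2017-08-14T02:00:41|4625|3|backup|203.0.113.7
2017-08-14T02:05:00|4625|10|jsmith|198.51.100.20
2017-08-14T02:05:30|4624|10|jsmith|198.51.100.20
2017-08-14T02:30:00|4625|2|jsmith|192.0.2.5
"""

RDP_LOGON_TYPES = (3, 10)  # 10 = RemoteInteractive, 3 = Network (RDP with NLA)


def parse_line(line):
    """Split one export record into typed fields (assumed layout, see above)."""
    ts, event_id, logon_type, user, ip = line.split("|")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, ip


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: summary} for every source IP with >= threshold failed RDP
    logons inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, event_id, logon_type, user, ip = parse_line(line)
        if event_id == 4625 and logon_type in RDP_LOGON_TYPES:
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts[ip] = {
                "max_failures_in_window": best,
                "total_failures": len(events),
                "accounts_tried": sorted({u for _, u in events}),
                "first": events[0][0],
                "last": events[-1][0],
            }
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, summary)
```

Counting distinct accounts per source is the useful discriminator: a single user fat-fingering a password produces repeated failures for one account, while password spraying or brute forcing walks through several. Thresholds should be tuned per environment, and the real fix is not exposing RDP to the Internet at all.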

Related Story: Remove BitPaymer Virus – Restore .Locked Files

According to ESET researchers, the ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.

In December 2017, the researchers closely analyzed the FriedEx samples and noticed the similarity in the code to Dridex.

Intrigued by the initial findings, the researchers “dug deep into the FriedEx samples, and found out that FriedEx uses the same techniques as Dridex to hide as much information about its behavior as possible”.

What does this mean? The ransomware resolves all system API calls, stores all strings in encrypted mode, searches for registry keys and values by hash. The result is a very low-profile binary which makes it difficult to tell what malicious activities are taking place. The covert behavior made researchers look deeper for further analysis, which led to a number of additional similarities. The conclusion is that the two malware families are designed by the same developers.

Researchers were also able to find several instances of Dridex and FriedEx which were compiled at the same time. This may have been a coincidence if it weren’t for all the other resemblances. In addition:

Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.
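The compile-time overlap ESET describes comes from the TimeDateStamp field in each binary's COFF file header, which an analyst can read without a full PE library. The block below is an added example, not ESET's tooling: it parses that field from the MZ/PE headers and pairs samples from two families whose stamps lie within a few minutes of each other. The two sample families are constructed minimal PE images (DOS header plus PE signature and COFF header only); the timestamps, family labels and file names are invented for the demo.

```python
"""Compare PE compile timestamps across two sample sets (added example)."""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"


def build_fake_pe(timestamp, machine=0x8664):
    """Constructed minimal image for the demo: MZ header whose e_lfanew points
    at a PE signature followed by a 20-byte COFF header. Not a loadable file."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 3, timestamp, 0, 0, 0, 0x22)
    return bytes(dos) + PE_SIGNATURE + coff


def compile_timestamp(data):
    """Return (machine, UTC datetime) from the COFF header of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found at e_lfanew")
    machine, _sections, stamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    return machine, datetime.fromtimestamp(stamp, tz=timezone.utc)


def find_close_compilations(family_a, family_b, max_minutes=10):
    """Pair samples from two families whose TimeDateStamps differ by at most
    max_minutes. Returns sorted (name_a, name_b, delta_minutes) tuples."""
    pairs = []
    for name_a, data_a in family_a.items():
        _, ts_a = compile_timestamp(data_a)
        for name_b, data_b in family_b.items():
            _, ts_b = compile_timestamp(data_b)
            delta = abs((ts_b - ts_a).total_seconds()) / 60
            if delta <= max_minutes:
                pairs.append((name_a, name_b, delta))
    return sorted(pairs)


# Constructed sample sets (invented names and stamps, 0x14C = x86, 0x8664 = x64).
DRIDEX_SAMPLES = {"dridex_x86.bin": build_fake_pe(1500000000, machine=0x14C)}
FRIEDEX_SAMPLES = {
    "friedex_x86.bin": build_fake_pe(1500000180, machine=0x14C),  # three minutes later
    "friedex_x64.bin": build_fake_pe(1500086400, machine=0x8664),  # one day later
}

if __name__ == "__main__":
    for name, data in {**DRIDEX_SAMPLES, **FRIEDEX_SAMPLES}.items():
        machine, ts = compile_timestamp(data)
        print(f"{name}: machine=0x{machine:X} compiled={ts.isoformat()}")
    print(find_close_compilations(DRIDEX_SAMPLES, FRIEDEX_SAMPLES))
```

TimeDateStamp is a plain integer in the file and can be zeroed or forged by whoever builds the binary, so a small delta is corroborating evidence alongside shared code and identical per-build constants, as in the ESET analysis, not proof on its own.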

Related Story: 97% of Malware Infections Are Polymorphic, Researchers Say

FriedEx Ransomware Removal Instructions

If your computer got infected with the FriedEx ransomware, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it gets a chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step guide provided below.
