Remove FabSysCrypto Ransomware and Restore .locked Files - How to, Technology and PC Security Forum |

Remove FabSysCrypto Ransomware and Restore .locked Files

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This article has been made to instruct you how to remove FabSysCrypto ransomware and try to restore your .locked files in case they have been encrypted by this infection.

A ransomware virus, going by the tech-savvy name FabSysCrypto has been reported to be causing trouble for users. The virus is in English and is believed to utilize the AES encryption algorithm in a clever method to encrypt important documents and ask for ransom from the user of this device. The virus is believed to be made in a Visual Studio environment by someone known as “fabsys”. It demands 0,5 BTC to be paid from the victim to the criminals behind the virus to send back a decryptor or the decryption key. In case you have become a victim of the FabSysCrypto ransomware infection, recommendations are to focus on restoring your encrypted files via multiple different methods.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, called AES, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” in a _HELP_instructions.txt file, asking to pay a ransom of 0.5 BTC to the cyber-criminals. Files are encrypted with the .Horas-Bah extension added..
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by FabSysCrypto


Malware Removal Tool

User ExperienceJoin our forum to Discuss FabSysCrypto.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

FabSysCrypto Ransomware – Further Analysis

FabSysCrypto is a ransomware type of malware that is of the file encryption kind, meaning it uses an encryption mode to render the files on the compromised machine no longer able to be opened.

FabSysCrypto Ransomware – Infection Process

Ever since this virus became active in the beginning of March, it has been reported to be possibly spread via e-mail spam messages. Such messages promise that the attachments or web links embedded in them are legitimate and use any type of deceptive statements to convince the victim into opening the malicious attachment. The malicious attachment may be of different types:

A .vbs script that activates certain pre-configured actions.
A .js script or other type of JavaScript that causes an infection immediately after being opened.
Other executable files that are masked as multiple legitmate documents.
Documents or .PDF files that have malicious macros enabled. This means that after you open the document and click on “Enable Viewing” or “Enable Editing”, the script causes the infection. This is achievable by embedding the macros code with file joiners which are sold In the black market.

But e-mail may not be the only mean of infecting a user. The virus may be published on torrent websites as a fake game patch or fake program installer.

In addition to this, the virus may also be available on shady websites as a fake program or pretending to be something it isn’t.

Last but not least, the FabSysCrypto ransomware may be hiding in malicious scripts behind URLs or other short links as well. These may be sent out also in e-mails or via spam bots as private messages or in Social Media. To learn more on how to protect yourself from such menaces, please visit the following related article:

FabSysCrypto Ransomware – Post-Infection Activity

After infecting a given system, the FabSysCrypto virus begins to drop malicious files. So far, the files known to be dropped by this virus are:

  • fabsyscrypto.exe
  • _HELP_instructions.txt

But there may be multiple other types of files on the compromised computer. They may have different names and may exist in different administrative Windows folders:

After already dropping the malicious files on the compromised computers, the FabSysCrypto ransomware threat may be pre-programmed in order to modify the Windows Registry Editor so that malicious files can run on startup and some settings can be modified in order to prevent obstructions during encryption. The most often modified registry entries are the following:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

FabSysCrypto Ransomware Virus – The Encryption Process

The encryption process of this ransomware is conducted with the assistance of the AES encryption algorithm which is classified as a Suite 2 encryption by DoD. It is used by the department for concealing hidden files so that they can be seen only if you have a unique unlock key. The same is the case here, only the unlock key is held by the cyber-crook(s) behind this virus and it asks a payoff to be made for their unlocking.

Amongst the affected files by the FabSysCrypto virus may be the following types of files:

→ .asp, .aspx, .csv, .doc, .docx, .html, .jpg, .mdb, .odt, .php, .png, .ppt, .pptx, .psd, .sln, .sql, .txt, .xls, .xlsx, .xml

In addition to this, the virus may also encrypt web pages saved on the infected computer, other documents, text files, database files, photos and other files.

After encryption, FabSysCrypto adds a .locked file extension to the encrypted files, making them appear like the following:

The virus also makes another move – it notifies the user of the situation by possibly automatically opening it’s _HELP_instructions.txt file. The file has the following message which asks the user to use the TOR browser and access a custom web-page:

→ $=~~|~_+|_~+$$=$
All of your files are encrypted with RSA-2048 and AES-128 ciphers.
More Information about the RSA and AES can be found here:
Decrypting of your files Is only possible with the private key and decrypt program, which Is on our secret server.
To receive your private key follow one of the links:
1. xxxx://{Random A-Z 0-9 ID CODE}2. xxxx://{Random A-Z 0-9 ID CODE}
3. xxxx://{Random A-Z 0-9 ID CODE}
If all of this addresses are not available, follow these steps:
1. Download and Install Tor Browser: xxxxs://
2. After a successful Installation, run the browser and wait for Initialization.
3. Type In the address bar: 32kl2rwsjvqjeul7.onlon/56D592DC7A9DDlDB
4. Follow the Instructions on the site.
!!! Your personal Identification ID: {Random A-Z 0-9 ID CODE}

The web page, if able to be opened may contain additional instructions on how to pay and open the files that have been encrypted by this ransomware virus.

FabSysCrypto Virus – Remove and Try to Get .locked Files Back

For the removal of this virus, it is important to first do it safely. This is why we recommend backing the .locked and other files from your computer, just in case. Then, it is very important to follow the removal instructions below. They are created to methodologically create a safer environment for the removal. If you lack the experience of manually removing malware, experts always recommend using an advanced anti-malware program that will automatically take care of the threat for you and protect your PC in the future.

After having removed FabSysCrypto ransomware, it is time to try and get the files back to their working state. We have suggested several alternatives that include data recovery, shadow explorer, network sniffing and direct decryption with tools for other viruses. We suggest trying them out, but trying the direct decryption method only with copies of the encrypted files, because it may damaged them, if they have a fail-safe mechanism. The methods are not 100% effective, however they may result in the decoding of a portion of the files. You can find them below in step “2. Restore files encrypted by FabSysCrypto” below.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share