Remove FLKR Ransomware and Restore _ Files

The ransomware world has brought us yet another child, named FLKR. The virus uses the Blowfish encryption algorithm to encrypt 512 bytes of each file, which is enough to render the files no longer openable. The virus also adds an INSTRUCT.txt file, which displays demands to contact the cyber-criminals behind it and pay a hefty ransom fee to get the files back. In case you have become a victim of the FLKR virus, we urge you not to pay any form of ransom and to focus on reading our article to learn more about the virus, the methods to remove it, and how to try to restore the files.

Threat Summary

Short Description: The ransomware encrypts files with the Blowfish encryption cipher and asks for a ransom payment in BTC for decryption.
Symptoms: Files are encrypted with Blowfish encryption and become inaccessible, with the ._morf56@meta.ua_ file extension added to them. A ransom note with instructions for paying the ransom appears as an INSTRUCT.txt file.
Distribution Method: Spam Emails, Email Attachments, File Sharing Networks.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

FLKR Ransomware – How Did I Get It

As is typical of most ransomware viruses, FLKR uses a common technique to infect users. The virus may spread via phishing e-mails that aim to trick inexperienced users into opening malicious attachments or URLs posted in them. Several examples of subject lines used in such phishing e-mails are:

  • “Your PayPal account has been suspended.”
  • “Your eBay purchase has been dispatched.”
  • “There is suspicious activity on your bank account.”
  • “Deadline for paying your fine.”

Once the user is tricked into opening such an e-mail, the malware connects to a C2 server from which FLKR’s payload is downloaded. The payload of FLKR consists of the following files, located on the system drive:

→ C:\cpqsystem\rel1711\flkr.exe

FLKR Ransomware – Post-Infection Activity

After FLKR Ransomware has dropped its files, the virus may set registry entries for those files so that they run on system startup. The registry keys that are targeted for this are the following:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

In those keys, value strings may be added whose data is set to the location of the malicious executables, so that they run on startup.
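
The autorun check described above can be scripted. The following PowerShell is an added example, not part of the original article or of any vendor tool: it reads the four keys listed above and reports values whose data references the payload path named in this article. The helper name Test-FlkrIndicator and the indicator substrings are assumptions made for illustration.

```powershell
# Added example: read-only check for the FLKR indicators named in this article.
# Nothing is modified or deleted; review any hit before acting on it.
$PayloadPath = 'C:\cpqsystem\rel1711\flkr.exe'   # payload path from the article
$Indicators  = @('\cpqsystem\', 'flkr.exe')      # assumption: substrings of that path

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Hypothetical helper: true if the value data contains any indicator.
function Test-FlkrIndicator {
    param([string]$Data)
    foreach ($i in $Indicators) {
        # Literal, case-insensitive match (no regex, so backslashes need no escaping).
        if ($Data.IndexOf($i, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }   # a key may be absent
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        # Read the data as stored, without expanding %VARIABLES%.
        $data = [string]$item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        if (Test-FlkrIndicator $data) {
            [pscustomobject]@{ Key = $key; Value = $name; Data = $data }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    'No autorun value references the FLKR payload path.'
}

# Report the dropped file itself, with a hash for later comparison.
if (Test-Path -LiteralPath $PayloadPath) {
    Get-FileHash -LiteralPath $PayloadPath -Algorithm SHA256 | Format-List
} else {
    "Not present: $PayloadPath"
}
```

Run it as the affected user, since the HKEY_CURRENT_USER keys are per-user. On 64-bit Windows use a 64-bit PowerShell session, because a 32-bit process sees the redirected Wow6432Node view of the HKEY_LOCAL_MACHINE keys.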

As soon as the malicious executable is run, the FLKR virus begins encrypting user data. Amongst the encrypted files are:

  • Videos.
  • Audio files.
  • Microsoft Office documents.
  • Adobe Reader types of files.
  • Files that are associated with databases.
  • Virtual drives.

Interestingly enough, FLKR ransomware skips encrypting .txt, .mp3 and .avi files.

It also skips encrypting files in crucial Windows folders, since encrypting them may stop the OS from functioning:

  • %Program Files%
  • %Documents and Settings%
  • %Intel%
  • %Install%
  • %cpqsystem%

After encryption, the virus drops an INSTRUCT.txt file that has the following instructions:

“Information is encrypted with a strong password.
To decrypt it for instructions.
Reserver communication channel – this jabber:
Use jabber only when this conversation via e-mail is not possible”

Affected users have reported that contacting the e-mail address results in the cyber-crooks providing instructions on how to pay a hefty ransom fee to get the files back, which is why experts recommend taking another approach.

Solution to FLKR Ransomware

Before attempting any file restoration or decryption, it is strongly advisable to remove FLKR ransomware from your computer. This is why we have prepared the manual and automatic removal instructions below, and we urge you to follow them. In case you are not experienced in malware removal, we advise using an advanced anti-malware program to get rid of the FLKR associated files and objects in the Windows Registry automatically and swiftly.

After having removed FLKR completely from your computer, we strongly advise you to see the alternative suggestions on how to restore the Blowfish-encrypted files. But before doing this, we also urge you to back up those encrypted files, since those methods have not been tested for this virus. Then, you can go ahead and try our suggestions in step “2. Restore files encrypted by FLKR” below. This is a temporary solution until malware researchers come up with a free decryptor that can restore your files.

Manually delete FLKR from your computer

Note! Substantial notification about the FLKR threat: Manual removal of FLKR requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself in just 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove FLKR files and objects
2. Find malicious files created by FLKR on your PC

Automatically remove FLKR by downloading an advanced anti-malware program

1. Remove FLKR with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by FLKR
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.
