A ransomware virus, carrying the name Flyper, based on the HiddenTear virus project has been caught out in the wild to infect user PCs. The virus uses a very strong RSA-2048 file encryption mechanism to encipher the files of unsuspecting users, adding it’s distinctive .flyper file extension to the encrypted files. Users are asked in an instructions.txt file to pay in BitCoin a ransom payoff to cyber criminals. Everyone who has been affected by the Flyper virus are warned NOT to pay the ransom money, since there may be alternative methods to decrypt your files. We have provided further instructions on removing Flyper ransomware from your computer and trying to restore your files, so we suggest to read this article carefully.

Threat Summary

Name	Flyper
Type	Ransomware
Short Description	The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms	The user may witness ransom notes and “instructions.txt” all linking to a web page and a decryptor. Changed file names and the file-extension .flyper has been used. Also changes the wallpaper to a “You have been hacked!” message.
Distribution Method	Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool	See If Your System Has Been Affected by Flyper Download Malware Removal Tool
User Experience	Join our forum to Discuss Flyper Ransomware.
Data Recovery Tool	Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Flyper Ransomware – How Does It Spread

To infect users, Flyper uses a file that has a very long name, for example:

1280dg28d238fg4f348g03410r012d4g839gf348fh34.exe

The file itself is an executable type of file, but it is cleverly masked to resemble an Adobe Reader .pdf file. Such files may be disguised on spam e-mail addresses as well as dropped on your computer via other malware, like Trojan.Downloader, for example. They may also be downloaded via a malicious URL that you may have landed on as a result of a potentially unwatned program that displays ads on your computer.

Flyper Ransomware – More Information

As soon as the malicious file of Flyper has been activated, it may briefly freeze your computer and the opened Windows may enter “Not Responding” state.

Then a command prompt window may open, suggesting the Flyper virus also deletes the shadow volume copies using the following command:

vssadmin delete shadows /all /quiet

After erasting the shadow copies, the Flyper virus immediately gets down to business. It scans for most Widely used type of file extension and if they are present on the computer, the virus encrypts them:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”Source:fileinfo.com

The ransomware then displays a text document, named Instructions.txt. The ransom not in it notifies the users his files are encoded and gives further instructions on how to pay the ransom money in BitCoin:

“Your personal files have been encrypted with strongest encryption RSA 2048 and unique key generated for this computer.
We present a decrypter software which allows to decrypt and return control to all your encrypted files.
We accept a payment with Bitcoin, there are many methods to get them.
On these sites you can buy Bitcoin
Localbitcoin.com cex.io btcdirect.eu
To get KEY and Decrypter Program :
1)Send 0.5 BTC bitcoins to this address with Description your PC Computer Name
Bitcoin Address 1PniPmm5kiuuAhXpBWR3QiUtpfAAFm2SS
2)Contact me by email to get your key
[email protected]

Since this is a part of the open source HiddenTear projects, researchers may discover a decryption method and release a free decrypter.

Until then, users are advised to remove Flyper Ransowmare and try to restore their files, using the instructions provided below.

Remove Flyper Ransomware and Restore .Flyper Files

After Flyper attacks your computer and encrypts your files, the first advisable step is to remove it from your PC. You can do this by following the step-by-step instructions below. Malware reverse engineers also advise using a more automatic approach and downloading an advanced anti-malware program to remove this virus from your computer.

If you want to try and restore your files, please check the alternative methods in step “3. Restore files Encrypted by Flyper” below.

Furthermore, we also advise you to follow this article since we will update it as soon as a decrypter for Flyper has been released.

Manually delete Flyper from your computer

Note! Substantial notification about the Flyper threat: Manual removal of Flyper requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Flyper files and objects.

2. Find malicious files created by Flyper on your PC.

3. Fix registry entries created by Flyper on your PC.

Automatically remove Flyper by downloading an advanced anti-malware program

1. Remove Flyper with SpyHunter Anti-Malware Tool

2. Back up your data to secure it against infections and file encryption by Flyper in the future

Back up your data to secure it against attacks in the future

IMPORTANT! Before reading the Windows backup instructions, we highly recommend to back up your data automatically with cloud backup and insure it against any type of data loss on your device, even the most severe. We recommend reading more about and downloading SOS Online Backup .

To back up your files via Windows and prevent any future intrusions, follow these instructions:

1. For Windows 7 and earlier

1. For Windows 8, 8.1 and 10

1. Enabling the Windows Defense Feature (Previous Versions)

1-Click on Windows Start Menu

2-Type Backup And Restore
3-Open it and click on Set Up Backup

4-A window will appear asking you where to set up backup. You should have a flash drive or an external hard drive. Mark it by clicking on it with your mouse then click on Next.

5-On the next window, the system will ask you what do you want to backup. Choose the ‘Let Me Choose’ option and then click on Next.

6-Click on ‘Save settings and run backup’ on the next window in order to protect your files from possible attacks by Flyper.

1-Press Windows button + R

2-In the window type ‘filehistory’ and press Enter

3-A File History window will appear. Click on ‘Configure file history settings’

4-The configuration menu for File History will appear. Click on ‘Turn On’. After its on, click on Select Drive in order to select the backup drive. It is recommended to choose an external HDD, SSD or a USB stick whose memory capacity is corresponding to the size of the files you want to backup.

5-Select the drive then click on ‘Ok’ in order to set up file backup and protect yourself from Flyper.

1- Press Windows button + R keys.

2- A run windows should appear. In it type ‘sysdm.cpl’ and then click on Run.

3- A System Properties windows should appear. In it choose System Protection.

5- Click on Turn on system protection and select the size on the hard disk you want to utilize for system protection.
6- Click on Ok and you should see an indication in Protection settings that the protection from Flyper is on.

Restoring a file via Windows Defense feature:
1-Right-click on the encrypted file, then choose Properties.

2-Click on the Previous Versions tab and then mark the last version of the file.

3-Click on Apply and Ok and the file encrypted by Flyper should be restored.

3. Restore files encrypted by Flyper

Optional: Using Alternative Anti-Malware Tools

How to Find Decryption Key for Files Encrypted By Flyper Ransomware

We have designed to make a tutorial which is as simple as possible to theoretically explain how could you detect your decryption key. Find out how

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

Hey you,
BE IN THE KNOW!

Remove Flyper Ransomware and Restore .flyper Encrypted Files

Threat Summary