A ransomware virus, carrying the name Flyper, based on the HiddenTear virus project has been caught out in the wild to infect user PCs. The virus uses a very strong RSA-2048 file encryption mechanism to encipher the files of unsuspecting users, adding it’s distinctive .flyper file extension to the encrypted files. Users are asked in an instructions.txt file to pay in BitCoin a ransom payoff to cyber criminals. Everyone who has been affected by the Flyper virus are warned NOT to pay the ransom money, since there may be alternative methods to decrypt your files. We have provided further instructions on removing Flyper ransomware from your computer and trying to restore your files, so we suggest to read this article carefully.
|Short Description||The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.|
|Symptoms||The user may witness ransom notes and “instructions.txt” all linking to a web page and a decryptor. Changed file names and the file-extension .flyper has been used. Also changes the wallpaper to a “You have been hacked!” message.|
|Detection Tool|| See If Your System Has Been Affected by Flyper |
Malware Removal Tool
|User Experience||Join our forum to Discuss Flyper Ransomware.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
Flyper Ransomware – How Does It Spread
To infect users, Flyper uses a file that has a very long name, for example:
The file itself is an executable type of file, but it is cleverly masked to resemble an Adobe Reader .pdf file. Such files may be disguised on spam e-mail addresses as well as dropped on your computer via other malware, like Trojan.Downloader, for example. They may also be downloaded via a malicious URL that you may have landed on as a result of a potentially unwatned program that displays ads on your computer.
Flyper Ransomware – More Information
As soon as the malicious file of Flyper has been activated, it may briefly freeze your computer and the opened Windows may enter “Not Responding” state.
Then a command prompt window may open, suggesting the Flyper virus also deletes the shadow volume copies using the following command:
After erasting the shadow copies, the Flyper virus immediately gets down to business. It scans for most Widely used type of file extension and if they are present on the computer, the virus encrypts them:
The ransomware then displays a text document, named Instructions.txt. The ransom not in it notifies the users his files are encoded and gives further instructions on how to pay the ransom money in BitCoin:
Since this is a part of the open source HiddenTear projects, researchers may discover a decryption method and release a free decrypter.
Until then, users are advised to remove Flyper Ransowmare and try to restore their files, using the instructions provided below.
Remove Flyper Ransomware and Restore .Flyper Files
After Flyper attacks your computer and encrypts your files, the first advisable step is to remove it from your PC. You can do this by following the step-by-step instructions below. Malware reverse engineers also advise using a more automatic approach and downloading an advanced anti-malware program to remove this virus from your computer.
If you want to try and restore your files, please check the alternative methods in step “3. Restore files Encrypted by Flyper” below.
Furthermore, we also advise you to follow this article since we will update it as soon as a decrypter for Flyper has been released.