Remove FoxRansom Virus (Hidden Tear) and Restore .fox Files

Remove FoxRansom Virus (Hidden Tear) and Restore .fox Files

FoxRansom Virus image ransomware note .fox extension

The FoxRansom Virus is a ransomware strain of the Hidden Tear family targeting primarily Hungarian-speaking computer users. The captured samples carry the initial infection commands, we presume that further updates to it may include newer components and additional instructions. Our article provides an overview of the virus operations and it also may be helpful in attempting to remove the virus.

Threat Summary

NameFoxRansom Virus
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .fox extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by FoxRansom Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss FoxRansom Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

FoxRansom Virus – Distribution Ways

The FoxRansom virus is a newly discovered ransomware threat, the first infections were reported last week in a targeted attack. It appears that the first wave of infections are directed against Hungarian-speaking users.

Due to the low number of captured samples the analysis does not reveal which is the main infection technique. One of the primary ways is to send out SPAM email messages that usually containing phishing elements. They are images and text taken from popular Internet services that are placed in the message contents. They coerce the users into interacting with malicious elements which can essentially leads to the infection. The dangerous files can be either linked or attached directly.

The hackers can also make use of fake download sites that can spread the dangerous files. They use a similar methodology to the emails and combined they are the most popular way for spreading malware payload droppers. Two of the most common types are the following:

  • Application Installers — The criminals can take the legitimate setup files of popular software and infect them with the virus file. The list includes instances such as creativity suites, productivity apps or system utilities. They are taken from the official vendor sites and modified with the FoxRansom virus code.
  • Documents — Using a similar method the criminals can infect documents of various types: spreadsheets, presentations, databases or rich text documents. Whenever the victims files are opened a prompt will appear asking the users to enable the built-in scripts. Once this is done the infection will follow.

Various scripts can be used to spread the threats to legitimate sites as well. This is done via malicious ads that can include banners, pop-ups, in-line links and etc. In addition the virus files can be distributed via file sharing networks as well. A popular choice is BitTorrent where illegal pirate content is usually found.

In advanced infection campaigns the hacker operators can make use of browser hijackers. They represent malicious extensions made for the most popular web browsers. They are usually uploaded to the various web repositories under names that attribute useful features. The strains are uploaded via fake developer credentials and include elaborate descriptions. In certain cases they can even integrate fake user reviews as well. Once they are installed on the victim computers the built-in behavior pattern will start. Typically the modifications will trigger a default settings change (home page, search engine and the new tabs page) which is done in order to redirect the victims to a hacker-controlled page. Following this the next steps are to induce the actual ransomware delivery.

FoxRansom Virus – In-Depth Analysis

Once the FoxRansom virus infection begins a complex behavior pattern will be initiated. The security analysis that this is a threat based on the Hidden Tear that primarily seeks to target Hungarian-speaking users. This gives the experts the notion that the attackers may be from Hungarian descent. It appears that the hacker controllers have either acquired the Hidden Tear source code and modified it for this purpose. The other scenario lists that it they have paid for the custom sample to be created, such services are readily available on the hacker underground markets.

Typically such infections begin with a a data harvesting component that can extract strings grouped into two main types:

  • Anonymous Campaign Metrics — The FoxRansom virus can collect data that can be used to optimize the campaigns. The data set may include information such as a full report of the installed hardware components and certain user-set variables. They are used to generate profiles of the infected hosts.
  • Private User Data — Information collected by the ransomware can include data that can expose the identity of the victims: their real name, address, phone number, interests, location and etc.

A next step would be to utilize the collected info by the next component called stealth protection, it is used to scan the infected host for an running software that can stop the virus infection from running properly. The list includes applications such as anti-virus programs, sandbox environments and virtual machine hosts. Their real-time engines can be disabled and the associated programs can be entirely removed.

After the infiltration process has complete the ransomware engine will commence with the system changes. The analysis shows that there are several malicious actions that are undertaken by the engine. The first one is the removal of backup data — the malware identifies all Shadow Volume Copies and System Restore data. This prevents file restore unless a professional-grade solution is used. Refer to our instructions for details on this step.

Other changes that can occur include various changes to the Windows registry — modifications both to the user-installed applications and the operating system are possible. As a result may not be able to access certain functions or software and will experience significant performance issues.

In certain cases Hidden Tear infections like the FoxRansom virus can start a Trojan infection. This module creates a secure connection to a hacker-controlled server from where the operators can spy on the victims in real time. This also allows them to steal all kinds of data, overtake control of the machine at all times and deploy other threats.

In addition the hackers can program it to infect the computers as a persistent threat. This means that it will modify the boot options thereby starting once the computer is powered on and disabling the access to the recovery menu. This will also make it very difficult to use most manual removal methods.

Alternative names under which is known are the following:

  • HEUR/AGEN.1001382
  • MSIL/Filecoder.Y!tr
  • Malware/Win32.Generic.C1020407
  • Ransom_CRYPTEAR.SM0
  • Ransomware-FTD!457758293DA0
  • Trojan ( 004cd5d01 )
  • Trojan.Ransom.HiddenTear
  • Trojan.Win32.Encoder.ffvudw
  • Trojan[Ransom]/MSIL.Ryzerlo
  • W32/S-9f9d40c6!Eldorado
  • Win32.Trojan.Fakedoc.Auto

FoxRansom Virus — Encryption

The encryption engine utilizes the same behavior pattern as previous Hidden Tear based malware. Following the completion of all components the associated encryption engine is started. It uses a strong cipher that targets sensitive user data, an example list can include the following:

  • Archives
  • Databases
  • Backups
  • Images
  • Videos
  • Music

As soon as the process is complete it will rename all affected files with the .fox encryption. A ransomware note will be generated in a file called READ_IT.TXT which will be placed on the victim’s desktop and reads the following contents:

Your machine and files have been locked by the FoxRansom virus!

Update 20 August 2018: Soon after the initial release of the ransomare a new campaign was identified. The difference with the original is a newer ransomware note possibily indicating a shift of strategy. In most cases this is an indication that a campaign utilizing more delivery methods.

The newer ransomware notes are presented in a HTML or DOC formats as they include rich text formating:



We are really sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
Please don’t worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!

Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special
software. Your unique decryption key is securely stored on our server. for our safety,
all information about your server and your decryption key will be automatically
DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all attempts to recover your files by yourself or using third party
tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which
stored on our side. If you will use the help of third parties, you will only add a

Please write us to the e-mail (write on English or use professional translator):

You have to send your message on each of our 3 emails due to the fact that the
message may not reach their intended recipient for a variety of reasons!

In subject line write your personal ID:

The reports showcase that the victims originate from Spain.

Remove FoxRansom Ransomware Virus and Restore .fox Files

If your computer got infected with the FoxRansom ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share