FabSysCrypto ransomware - How to remove

A one more player joins the intimidating ransomware league. FabSysCrypto virus is based on the open-source HiddenTear project. Knowing this trait, we can also make an assumption that this ransomware will exploit AES algorithm for encryption. It shares other similarities with older viruses, like the fact that FabSysCrypto sample marks the encoded pictures, videos, music and documents by appending .locked extension. It also urges victims to download TOR browser so they would be able to access a unique payment website. Furthermore, FabSysCrypto virus generates a personal identification ID for every individual victim. If owners of the affected system wish to restore their files, they are strongly urged to follow instructions that are found on TOR websites. FabSysCrypto ransomware is obviously a threat to fear, but we recommend you to not give into the feeling of panic.

Analysis of FabSysCrypto ransomware

FabSysCrypto claims to use RSA-2048 and AES-128 ciphers. These two algorithms are selected to complicate the process of creating a free decryption tool. AES will be applied to the selected data in order to make it unusable. During the latter process, two keys are generated. The code which is supposed to be the private one, responsible for decryption, is then encrypted with RSA. However, it is possible that the ransom note features false statements and FabSysCrypto virus only exploits AES. Whichever scenario is revealed to be true, your decision not to pay the required bitcoins should be non-negotiable. If you happen to be open to discussion on this subject, hackers will only scare you in the hopes of convincing you to pay.

Before FabSysCrypto virus can make demands and threats, it has to successfully implement some changes in the devices it manages to slither into. One of the regular modifications that a ransomware initiates is the changes in Windows Registry Keys. The file named fabsyscrypto.exe will be assigned to be launched after every time device is rebooted. While creators of majority of ransomware are completely anonymous, security researchers believe that a person, going by the nickname “fabsys”, could be responsible for this variant.

In comparison to older ransomware samples, FabSysCrypto virus does not choose from hundreds of different file types. Twenty different file types are available for the encryption that FabSysCrypto virus initiates. This will include most of the popular extension of Word documents, pictures, PowerPoint presentations and etc. As soon as files are selected and encrypted, the payload will launch _HELP_instructions.txt file which will demand that a victim would download TOR browser and enter a website with their unique identification code.

Restoring files that FabSysCrypto ransomware damaged

For the time being, a free tool to decrypt files that FabSysCrypto spoiled has not been introduced. However, you can give other options for recovery a try. If you scroll down below, you will find multiple suggestions for how files could regain their functionality. Recovery of Shadow Volume Copies is a possibility, that is if the FabSysCrypto virus does not set commands to delete them. In addition to that, you can follow advices for utilization of universal file-recovery programs. However, you do not have to consider all of these options if you have placed your data in backup storages for safety measures. If you have copies of the corrupted data somewhere, you can move on to the elimination of FabSysCrypto virus and retrieve files from the second location.

Circulation of FabSysCrypto ransomware

You can face a malicious payload of a FabSysCrypto virus when you are visiting unreliable domains or opening email letters that are originating from suspicious sources. These two strategies are the most popular when it comes to transmission of ransomware infections. However, there are cases when ransomware is distributed via torrent downloads or even social networking sites. Be careful when you are reacting to posts that are sent to you or to the ones you are tagged in. Various fake news articles can lead into malicious domains, opting to infect you with malware.

Feeling overwhelmed? Need some help in removing FabSysCrypto virus from your system? We offer you an automatic option which requires a person to have an anti-malware program. Then, a full security scan is required to be ran. If you do not have a necessary tool, choose from Spyhunter or Hitman.

How to recover FabSysCrypto ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before FabSysCrypto virus has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3

Step 2. Complete removal of FabSysCrypto ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to FabSysCrypto virus. You can check other tools here.  

Step 3. Restore FabSysCrypto ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually FabSysCrypto virus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover FabSysCrypto ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.

Removal guides in other languages

Leave a Reply

Your email address will not be published. Required fields are marked *