FCrypt ransomware - How to remove

FCrypt ransomware is a new cryptovirus that works on the principle of locking certain files on the victim’s computer and demanding a payment to make them accessible again. Neither this type of malware nor its behaviour is new; FCrypt, however, is a new sample, not related to any known predecessor. It locks and marks files by appending the ‘.FCrypt’ extension to the file name and changing their icons to golden padlocks, and later drops a ‘#HELP-DECRYPT-FCRYPT1.1#.txt’ ransom note to explain what has happened to the compromised computer.

Ransomware, e.g. PlutoMaoloa or CryptoID, is a tough computer infection whose consequences are among the hardest to fix: even after the virus is removed, the locked files stay encrypted, and only the hackers hold the correct decryption key, which they try to manipulate you into buying. Luckily, cybersecurity has evolved a lot over the years and keeps catching up with threats like FCrypt ransomware, so there are a couple of techniques you can apply to potentially unlock your affected data.

This article will demonstrate the main features of the FCrypt cryptovirus, the ways it could have entered your computer, and the methods of manual and automatic elimination observed by 2-viruses.com, which should serve as a reliable aid for the full removal of FCrypt ransomware.

How does FCrypt ransomware work

FCrypt ransomware begins its malicious work as soon as its installer is launched. The dangerous program has to complete many steps before it can demand a payment, yet surprisingly it takes only a few seconds to encrypt the victim’s pictures, videos, music, documents and other data while also securing its persistence and staying invisible. The first directories FCrypt virus touches are %AppData%, %Temp% and %Local%. Here the malicious software drops copies of itself to gain more privileges, to avoid being noticed by antivirus programs immediately, and to reappear after the computer is shut down and restarted. Once this is done, the ransom-demanding threat begins scanning for data to encrypt, which is typically every file on the drives except system files; locking those would render the computer useless and in need of a fresh operating system install. The system is left usable not only so the attackers have a chance to ask for money, but also because victims are more willing to pay for their valuable memories. (How does ransomware work)


After that, as independent researchers have noted, FCrypt ransomware generates a random MD5 hash and uses it as the AES key, which is unusual among crypto viruses. While AES is one of the fastest and easiest algorithms to decipher, with the additional hash-derived key it can be quite challenging to crack. The whole encryption takes only a few seconds, and soon all affected files are marked with the daunting ‘.FCrypt’ string and their icons change into golden locks. Afterwards a text ransom note called ‘#HELP-DECRYPT-FCRYPT1.1#.txt’ appears on the desktop, saying:

–= FCRYPT V1.1 =–

Warning!
All your important files are encrypted and have the extension: .FCrypt
No one else can decrypt your file!
Please follow the steps below:
1. Send this file (#HELP-DECRYPT-FCRYPT1.1#.txt) to E-mail : [email protected]
2. Uninstall all anti-virus software on your computer.
3. Waiting for our reply .
You DON’T need to pay any money for decryption.
NOTE!
IN ORDER TO PREVENT DATA DAMAGE:
# DO NOT MODIFY ENCRYPTED FILES
# DO NOT CHAGE DATA BELOW
…..BEGIN CERTIFICATE…..
hQEMAwPklKRCsUg0AQgAgYvhOX9OYzDYPtlWet2NBve7dlZKpo6IpdhYWUdpRTpygip0QF010rxAHEz0mTEga7uFovhMzmu/I8quySllRsS7XypaP7SGdvbyrikpUnAR

It is not yet known how much the hackers behind FCrypt ransomware ask, but the fact that they tell you that you won’t need to pay to get your files back sounds more like a trick to get you talking to them; they may then ask you to send this virus to your friends, just like Popcorn Time ransomware did. The Virustotal.com report now shows that pretty much all sophisticated antivirus programs detect FCrypt virus as malicious, so you shouldn’t wait and should get rid of it immediately.
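As an added defensive example (not code from the original article or from any tool named here), the script below triages a directory tree for the two indicators the article quotes, the ‘.FCrypt’ extension and the ‘#HELP-DECRYPT-FCRYPT1.1#.txt’ note, and uses a byte-entropy heuristic (the 7.0 bits-per-byte threshold is an assumption) to separate files whose content was really encrypted from files that merely had the extension appended. The sample files are constructed in a temporary directory so it runs offline.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators taken from the article: the appended extension and the ransom note name.
FCRYPT_EXT = ".FCrypt"
RANSOM_NOTE = "#HELP-DECRYPT-FCRYPT1.1#.txt"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for plain documents."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root` and group FCrypt indicators: encrypted-looking files, renamed-only files, notes."""
    report = {"encrypted": [], "renamed_only": [], "notes": [], "dirs": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name == RANSOM_NOTE:
                report["notes"].append(str(path))
            elif name.endswith(FCRYPT_EXT):
                report["dirs"][dirpath] += 1
                with open(path, "rb") as fh:
                    head = fh.read(sample_bytes)
                # Heuristic threshold (assumption): a high-entropy header means the
                # bytes were really encrypted, not just renamed.
                bucket = "encrypted" if shannon_entropy(head) > 7.0 else "renamed_only"
                report[bucket].append(str(path))
    return report


def build_sample_tree() -> str:
    """Constructed sample data: one encrypted-looking file, one renamed-only file, one note."""
    root = tempfile.mkdtemp(prefix="fcrypt_triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / ("report.docx" + FCRYPT_EXT)).write_bytes(os.urandom(8192))
    (docs / ("notes.txt" + FCRYPT_EXT)).write_bytes(b"meeting notes, plain text\n" * 200)
    (Path(root) / RANSOM_NOTE).write_text("-= FCRYPT V1.1 =-\nWarning!\n")
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```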

How does FCrypt virus infect Windows

Viruses like FCrypt ransomware typically don’t enter the system unless the user grants permission; however, that authorization can take forms the victim may not even be aware of. Crooks know very well how to abuse and socially engineer various features to deceive gullible users without raising suspicion. You can let the FCrypt crypto infection in by connecting to vulnerable and dangerous networks, visiting dubious websites, clicking on ads, downloading illegal content from torrent domains, and so on. But the most popular spreading vector that helps FCrypt ransomware proliferate is malspam.

Developers gather or buy email addresses on the dark web and send out thousands of well-crafted messages that look like any regular email except that they carry an infected attachment you are urged to open. Typically, FCrypt ransomware and other cryptovirus messages are very brief, don’t use the victim’s name but a generic salutation, and come from strange mailing addresses that don’t match the organization they pretend to represent. Of course, most of us are immediately distracted by the scary or worrisome body of the email and end up opening the attachment rather than noticing all the other red flags. Once such an infected .docx or .pdf file is opened, it asks you to Enable Macros in order to see the content, and that is where the virus installation begins. If you click ‘Enable’, FCrypt ransomware begins silently working in the background while you are still wondering why the file is empty.

How to remove FCrypt ransomware and recover encrypted files

There are two ways you can handle a FCrypt ransomware infection – manually and automatically. The first suits users who have made copies of their important files and can now restore the system to a snapshot made earlier. You will find tips on how to restore Windows from backups at the end of this article. Mind you, this is only for people who have backed up their data. A more likely situation is that you were not concerned about your virtual memories until this FCrypt infection happened, so now you need an alternative method to fix it.

The best way to handle any malware infection is to use an anti-spyware program like Spyhunter or Malwarebytes, which are able to detect all kinds of viruses, FCrypt ransomware included. Pick one of the above-mentioned programs, scan your compromised Windows with it, and simply follow the provided instructions on how to remove the threat. These automatic elimination applications ensure that the system is clean, so you know for sure that your .FCrypt locked files will not end up locked again, this time irreversibly, while you try to recover them.


As for recovering the locked data, in a post on Twitter malware expert Michael Gillespie shared that the FCrypt cryptovirus is decryptable. That is good news for all victims of the notorious ransomware. Unfortunately, the official unlocking tool is still under development and should come out in the near future, but it isn’t available now. That being said, we suggest you still clean the system of FCrypt ransomware and simply keep the inaccessible files stored on your computer until the decryptor is released (check the official Nomoreransom.org site). If anyone offers to restore your data for a small fee or free of charge, don’t engage in these scams either, because they might worsen the situation and take your money without delivering the desired results.


How to recover FCrypt ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
 

2. Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the Restore Points available from before FCrypt ransomware infiltrated your system and then click “Next”.
  • To start System Restore click “Yes”.
 

Step 2. Complete removal of FCrypt ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program like Spyhunter and remove all malicious files related to FCrypt ransomware. You can check other tools here.

Step 3. Restore FCrypt ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually FCrypt ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers; however, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions

Right-click on an encrypted file and select Properties → Previous Versions tab. Now you will see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer

It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. In the top left corner select the drive where the file you are looking for is stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover FCrypt ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.