Fatboy Ransomware

What is Fatboy Ransomware?

Fatboy Ransomware, also known as PyCL Ransomware, is a new RaaS (Ransomware as a Service) threat discovered by malware analysts. It is classed as RaaS because it is available for download somewhere on the DarkNet, and people with bad intentions can easily personalize it, for example, by deciding on the size of the ransom. They are also the ones responsible for distributing this ransomware-type infection. At the time of writing, the infection rate of Fatboy Ransomware is quite low. Additionally, it seems that its C&C server is down and, as a consequence, the ransomware cannot reach it. Because of this, at present, this threat does not encrypt any files, and users are given no information about the amount of money demanded or the Bitcoin address (which is needed to transfer money). Unfortunately, we cannot guarantee that this is the end of the campaign. Specialists at anti-spyware-101.com say that this threat might go in either direction, i.e. it might never revive, or it might start working again in full swing soon. We hope that you are reading this article not because your PC is infected with a properly working version of Fatboy Ransomware. If our worst fear has become a reality, i.e. you have discovered a ransomware infection on your computer, delete it without the slightest hesitation even if your files have been locked.

What does Fatboy Ransomware do?

The properly working version of Fatboy Ransomware slithers onto computers illegally and strikes immediately after finding where users’ files are located. It uses the AES-256 cipher to encrypt users’ files and, on top of that, it encrypts the AES key using RSA-2048. There is not much information about the types of files it encrypts since it does not encrypt data at the time of writing; however, specialists believe that it should touch the most valuable data, i.e. users’ images, music/video files, documents, etc. Once the encryption process is finished, this infection drops the How_Decrypt_My_Files folder in the %APPDATA% directory. It contains .html files with detailed instructions (e.g. how to buy Bitcoins, how to decrypt files, and step-by-step payment instructions), some images (e.g. index.html), and a .txt file (read_me.txt). If you read the latter or any other file from beginning to end, you will find out that this ransomware infection wants money in exchange for the unique decryption key. The size of the ransom might vary, but, we can assure you, the key will not be inexpensive. Do not even think about purchasing the decryption key if you have encountered the version that does not encrypt files. Actually, you could not transfer a ransom even if you wanted to, because it is impossible to do that without the Bitcoin address. In the opinion of our experienced specialists, those users whose personal files have been encrypted by Fatboy Ransomware should not transfer a cent to cyber criminals either, because there are no guarantees that the decryption key will be sent to them in exchange.

Fatboy Ransomware is quite a sophisticated infection, specialists say. Unlike other ransomware-type infections, it creates a folder %APPDATA%\cl after infiltrating the computer. This folder contains several legitimate Python files (Python is the programming language used to develop Fatboy Ransomware) and three files used by the ransomware: cl.exe (the main executable file), server.txt (contains the IP address of the C&C server), and user.txt (most probably, used to identify the specific victim). Since it creates all these files on the victim’s computer, its removal is surely not a piece of cake, but it is a must to eliminate it as soon as possible so that it cannot strike again. Even if it has not touched any of your files yet, it might still be updated and make your files inaccessible.

Where does Fatboy Ransomware come from?

Since Fatboy Ransomware is a RaaS ransomware, its distribution is the responsibility of the person who has purchased it. This person might be your friend and send this threat directly to you; however, specialists are sure that two other methods are employed most frequently to disseminate this infection. According to them, it should mainly be spread as an attachment in spam emails. In addition, it might also be distributed via exploits. Security specialists say that this crypto-threat is not the only sophisticated ransomware infection out there, so the installation of reputable security software is highly recommended.

How to remove Fatboy Ransomware

As mentioned above, Fatboy Ransomware drops several files after successfully entering the system, and you will need to erase them all one by one to fully delete this infection from your computer. You should use our manual removal guide if you need some guidance, but we still cannot promise that its deletion will be a piece of cake. Therefore, if you are an inexperienced user, you should erase this malicious application using an automatic malware remover. If your files have been encrypted, the remover will not unlock them for you. In such a case, the only free way to get files back is recovering them from a backup.

Fatboy Ransomware Removal Guide

  1. Press Ctrl+Shift+Esc on your keyboard to open the Task Manager.
  2. Click on the Processes tab.
  3. Locate the cl.exe process, right-click on it, and select End Process to kill it.
  4. Open the Windows Explorer and go to %APPDATA%.
  5. Locate the cl folder and remove it fully.
  6. Delete the How_Decrypt_My_Files folder.
  7. Find and erase the malicious file you have launched (if this threat has not removed it automatically).
  8. Empty the Recycle bin.
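
A read-only check for the artifacts named in this guide (the cl folder with cl.exe, server.txt and user.txt, and the How_Decrypt_My_Files folder), useful for confirming what is present before removal and that nothing is left afterwards. It is an added example, not part of the original removal guide; the function name and report layout are assumptions, and only the folder and file names come from the article.

```python
import os
from pathlib import Path

# Folder and file names as given in the article; all other names are illustrative.
CL_DIR = "cl"
CL_FILES = ("cl.exe", "server.txt", "user.txt")
NOTE_DIR = "how_decrypt_my_files"


def find_fatboy_artifacts(appdata):
    """Report Fatboy Ransomware artifacts under an %APPDATA% directory.

    Read-only: nothing is deleted. server.txt is read only so the C&C
    address can be noted for blocking and for the incident record.
    """
    report = {"cl_dir": None, "cl_files": [], "c2_address": None,
              "note_dir": None, "note_files": [], "suspicious": False}
    root = Path(appdata)
    if not root.is_dir():
        return report
    for entry in root.iterdir():
        if not entry.is_dir():
            continue
        name = entry.name.lower()  # Windows names are case-insensitive
        if name == CL_DIR:
            present = {p.name.lower(): p for p in entry.iterdir() if p.is_file()}
            report["cl_dir"] = str(entry)
            report["cl_files"] = [f for f in CL_FILES if f in present]
            if "server.txt" in present:
                text = present["server.txt"].read_text(errors="replace")
                report["c2_address"] = text.strip() or None
        elif name == NOTE_DIR:
            report["note_dir"] = str(entry)
            report["note_files"] = sorted(p.name for p in entry.iterdir())
    # A folder merely named "cl" is not proof; require a known file or the note folder.
    report["suspicious"] = bool(report["cl_files"] or report["note_dir"])
    return report


if __name__ == "__main__":
    appdata = os.environ.get("APPDATA")  # set on Windows; absent elsewhere
    if appdata:
        for key, value in find_fatboy_artifacts(appdata).items():
            print(f"{key}: {value}")
```

Run it once before step 3 and again after step 8; a clean result reports suspicious as False with both folder entries set to None.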
