Foxy Ransomware

Posted by Lisa Blanc on December 4, 2017

What is Foxy Ransomware?

If all pictures, videos, songs, slides, and other files that belong to you have been marked by the .nightmare extension, Foxy Ransomware must have infiltrated your computer. It is another HiddenTear-based ransomware infection, so our specialists have not found it surprising at all that it acts the way it does, i.e. goes to lock files on compromised machines the first thing. All ransomware infections act similarly – they make it impossible to access files so that cyber criminals behind them could have a chance to obtain easy money from users. At the time of writing, Foxy Ransomware was not a very prevalent threat if compared to similar ransomware-type infections, but it does not mean that it cannot become popular over time, so you should take all security measures to prevent it from entering your system. If it is already too late for prevention, i.e. you have already encountered this threat, you should delete it from your computer right away because the ransomware infection creates a copy of itself in %TEMP%, and you might accidentally launch it again one day. In this case, your files will become encrypted again. Once all components of Foxy Ransomware are erased from your system, you could restore your files. Unfortunately, free decryption software does not exist. Cyber criminals will not give you the special decryption tool to you for free either, so the only thing you can do is to restore these encrypted personal files from a backup.testtest

What does Foxy Ransomware do?

Foxy Ransomware goes to encrypt users’ files right away and appends the .nightmare extension to all of them. Then, it drops a ransom note READ_ME_IMPORTANT.txt. You could not open it due to the window placed over your Desktop. This window contains answers to the most popular questions, e.g. “What has happened to my PC/Files?” and “Can I recover my Files?.” Additionally, you will see a clock ticking down in the bottom-left corner of the opened window. It is used to scare users into believing that all files will be deleted irreparably soon and, because of this, they need to take action right now. Just like similar ransomware infections, Foxy Ransomware demands money from users. Specifically speaking, it demands a ransom in Bitcoin. You should not pay a cent for the decryption of your files even if it turns out that it is the only way to get files back because you do not know whether you could really decrypt your files after you make a payment. There are many cases when users get nothing from cyber criminals after they pay the ransom required to them, so we suggest that you do not pay anything to anyone. We can guarantee that these encrypted files will not be deleted by the ransomware infection from your computer when the timer reaches zero, so the chances are high that you could decrypt them in the future when the free decryptor is released. Alternatively, you can restore your data from a backup today, as has already been mentioned in the 1st paragraph of this report.

Of course, encrypting users’ files is the major activity Foxy Ransomware performs on users’ computers, but it is surely not the only one. Research carried out by our experienced specialists has clearly shown that the ransomware infection also drops a copy of itself WindowsSoundDriver.exe to %TEMP% and creates a new file (decrpt.openwithnotepad) with a unique victim’s ID to %USERPROFILE%\Documents.

Where does Foxy Ransomware come from?

There are only two possible reasons why Foxy Ransomware has successfully infiltrated your computer. First, you have opened a malicious attachment from a spam email. Second, your RDP credentials are unsafe and, because of this, the ransomware infection has been uploaded to your computer without your knowledge. If you are sure it has slithered onto your computer in a different way, you still need to remove the ransomware infection fully from your PC so that it could not encrypt any other files on your computer.

How to delete Foxy Ransomware

The first thing you need to do so that you could delete Foxy Ransomware from your computer is to unlock your screen. You can do this by killing the malicious process via Task Manager. Once the red window is removed from Desktop, you need to remove all files associated with the ransomware infection one by one and then delete recently downloaded suspicious files to remove the malicious file that can launch Foxy Ransomware. If you do not have time for the manual ransomware removal, you can use an automated scanner. It does not matter how you erase it, the most important thing is not to leave any malicious components active.

Foxy Ransomware removal guide

  1. Press Ctrl+Shift+Esc simultaneously to open Task Manager.
  2. Open the Processes tab.
  3. Kill the process named Foxy – Ransomware.
  4. Close Task Manager.
  5. Press Win+E.
  6. Open %USERPROFILE%\Desktop.
  7. Delete READ_ME_IMPORTANT.txt.
  8. Open %TEMP%.
  9. Delete WindowsSoundDriver.exe.
  10. Remove decrpt.openwithnotepad from %USERPROFILE%\Documents.
  11. Delete all suspicious recently downloaded files.
  12. Empty Recycle bin. 100% FREE spyware scan and
    tested removal of Foxy Ransomware*
Disclaimer
Disclaimer
Trojans

Leave a Comment

Enter the numbers in the box to the right *