FBIRAS Ransomware Attempts Old Social Engineering Tricks

Our research team uncovered the FBIRAS ransomware while analyzing newly submitted malware samples. Like other file-encrypting ransomware, it encrypts the victim's data and demands a payment in exchange for the decryption key.

During our testing, we observed that the ransomware encrypted files and appended a ".FBIRAS" extension to their filenames. For instance, a file originally named "1.jpg" became "1.jpg.FBIRAS". In some cases the extension was stacked, producing filenames like "1.jpg.FBIRAS.FBIRAS", which indicates that the sample does not skip files it has already encrypted and will process them a second time if it runs again.

Once encryption finishes, the ransomware drops a ransom note named "Readme.txt". In this note, the perpetrators falsely identify themselves as "law enforcement" and attempt to convince victims that the infection is a consequence of their own violations of cyber laws.

The ransom note addresses the victim as a "taxpayer" and claims that their files were encrypted because of alleged cyber law breaches. Victims are instructed to contact the criminals, who continue to pose as "law enforcement", over Telegram and pay a "fine" in exchange for restoring access to their files. The note threatens that refusing to comply will lead to a higher fine and to permanent deletion of the data. It also warns against tampering with the files or attempting to remove the ransomware, claiming that doing so would render the data irretrievable.
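The two host-level indicators the article gives, the appended ".FBIRAS" extension (sometimes stacked) and the "Readme.txt" note, are enough to triage a file listing from a suspected host. The following Python script is an added example written for this page, not code from the original article or from the malware; it recovers the original filename from an encrypted name, counts how many times the extension was stacked, and flags the dropped notes. The directory paths in the sample listing are constructed for the example.

```python
import os
import re

# Indicators taken from the article: the appended extension and the note name.
# Everything else (sample paths, directory layout) is constructed for this example.
ENCRYPTED_EXT = ".FBIRAS"
NOTE_NAME = "Readme.txt"

# Match one or more repetitions of the extension at the end of the name, because
# the sample was seen producing "1.jpg.FBIRAS.FBIRAS" as well as "1.jpg.FBIRAS".
_EXT_RE = re.compile(r"(?:" + re.escape(ENCRYPTED_EXT) + r")+$", re.IGNORECASE)


def _basename(path):
    """Return the final path component for either Windows or POSIX separators,
    so an exported Windows file listing can be triaged from a Linux analysis box."""
    return re.split(r"[\\/]", path)[-1]


def classify_path(path):
    """Classify one path as 'encrypted', 'note' or 'clean'.

    For encrypted files, also return the reconstructed original name and the
    number of times the extension was stacked onto it.
    """
    name = _basename(path)
    if name.lower() == NOTE_NAME.lower():
        return {"kind": "note", "path": path}
    m = _EXT_RE.search(name)
    if m:
        repeats = len(m.group(0)) // len(ENCRYPTED_EXT)
        return {
            "kind": "encrypted",
            "path": path,
            "original_name": name[: m.start()],
            "ext_repeats": repeats,
        }
    return {"kind": "clean", "path": path}


def triage(paths):
    """Summarise a list of paths: which files were encrypted, where notes were
    dropped, and which files carry a stacked extension (a sign the sample ran
    over data it had already encrypted)."""
    result = {"encrypted": [], "notes": [], "double_encrypted": [], "clean": 0}
    for p in paths:
        c = classify_path(p)
        if c["kind"] == "encrypted":
            result["encrypted"].append(c)
            if c["ext_repeats"] > 1:
                result["double_encrypted"].append(c["path"])
        elif c["kind"] == "note":
            result["notes"].append(c["path"])
        else:
            result["clean"] += 1
    return result


def walk(root):
    """Yield every file path under root, for running triage() on a real volume."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            yield os.path.join(dirpath, fn)


# Constructed sample listing standing in for a directory walk of an infected host.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\1.jpg.FBIRAS",
    r"C:\Users\alice\Pictures\2.png.FBIRAS.FBIRAS",
    r"C:\Users\alice\Documents\budget.xlsx.FBIRAS",
    r"C:\Users\alice\Documents\Readme.txt",
    r"C:\Users\alice\Desktop\Readme.txt",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Users\alice\Documents\notes.txt",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_PATHS)
    print(f"{len(summary['encrypted'])} encrypted file(s), "
          f"{len(summary['double_encrypted'])} with a stacked extension, "
          f"{len(summary['notes'])} ransom note(s), {summary['clean']} clean")
    for e in summary["encrypted"]:
        print(f"  {e['path']} -> {e['original_name']}")
```

On a live system, replace `SAMPLE_PATHS` with `list(walk(r"C:\Users"))`. Recovering the original filename only tells you what was there; the contents remain encrypted, and the stacked-extension list is worth keeping because those files, if ever decrypted, need the decryption routine applied as many times as the extension appears.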

It should be stressed that this ransomware has no affiliation with any law enforcement agency. The "fine" is an ordinary ransom demand, and the impersonation is the same pressure tactic used by the "police" screen-locker ransomware of a decade ago; no legitimate agency encrypts files and collects payment through a Telegram handle.

FBIRAS Ransom Note Makes Weak Attempt to Look Legitimate

The full text of the FBIRAS ransom note goes as follows:

Attention Tax payer:

All Your files have been locked with ransomware by law enforcement for violating cyber laws. All of your important documents, photos, and videos have been encrypted and cannot be accessed without a decryption key. This is a serious offense and you must pay a fine to unlock your files.

To unlock your files, follow these instructions:

  1. Contact us on telegram = @Lawinfo19
  2. We will tell about you problem
  3. You need us to pay a amount for your criminal activity
  4. Use the decryption key to unlock your files.

If you fail to comply with these instructions, the fine will increase and your files will be permanently deleted.

Do not attempt to remove the ransomware or tamper with your files. Any attempts to do so will result in the permanent loss of your data.

We understand the inconvenience this may cause, but it is necessary to ensure that cyber laws are not violated. We apologize for any inconvenience and hope to resolve this matter as soon as possible.

Sincerely,

Law Enforcement

How Can Ransomware Enter Your System?

Ransomware can infiltrate a system through various means, including:

Phishing Emails: Cybercriminals often distribute ransomware through phishing emails containing malicious attachments or links. These emails may appear legitimate, enticing recipients to open attachments or click on links, which then download and execute the ransomware on the system.

Malicious Websites: Visiting compromised or malicious websites can expose users to ransomware. These sites may contain exploit kits that automatically download and install ransomware onto visitors' systems through vulnerabilities in their web browsers or plugins.

Malvertising: Cybercriminals inject malicious code into online advertisements (malvertising). Depending on the ad network and the browser, the ad may redirect users to a site hosting ransomware when clicked, or trigger an exploit kit simply by being displayed.

Drive-by Downloads: Ransomware can also arrive through drive-by downloads, where malware is downloaded and installed without the user's consent or knowledge simply by visiting a compromised website, typically by exploiting an unpatched browser or plugin rather than relying on the user to open anything.

Unpatched Software: Exploiting vulnerabilities in outdated or unpatched software is a common method for attackers to deliver ransomware. They exploit known weaknesses in operating systems, applications, or plugins to gain access to systems and execute ransomware.

File-Sharing Networks: Ransomware can spread through peer-to-peer (P2P) file-sharing networks, where users unknowingly download infected files or software bundles containing ransomware.

April 16, 2024