Fappy Ransomware Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on file-locking trojan Fappy spread via phishing campaigns, untrustworthy download sources, etc.
Fappy is a ransomware-type malicious program classified as part of the Hidden Tear family, an open-source ransomware trojan that targets computers running Microsoft Windows. Fappy is quite recent, having first been spotted in September 2020. It is primarily spread via phishing campaigns, illegal activation tools, illegitimate updaters, and untrustworthy download sources. It was created to encrypt data, after which the operators demand a ransom for decryption; for this reason Fappy is also described as file-locking ransomware. During encryption, every affected file is renamed with the ".Fappy" extension: for instance, a file named "one[.]jpg" becomes "one[.]jpg[.]Fappy" once it has been encrypted. The operators demand 11.76 USD in BTC (0.00117 BTC) to unlock the files, and victims are also instructed to send proof of transfer.
Fig1. Fappy ransomware's text file
Attackers send deceptive phishing emails containing words such as ‘official’, ‘urgent’ and ‘important’ to create a sense of urgency and invoke panic.

Impact

The ransom that Fappy operators demand is a mere 11.76 USD, which suggests that their target is not corporate giants but ordinary individuals; this only makes it worse, because the low price gives them leverage to expand their campaign on a massive scale.

IOCs/ Hashes

  1. Encrypted Files Extension- [.]Fappy
  2. Ransom Demanding Message- HOW TO DECRYPT FILES.txt
  3. Cyber Criminal Contact- [email protected]
  4. MD5- 5e5cf87c2bd6c75b9bd1bf328250bc1e
  5. SHA1- 1e46359929051753bae257cafca9c5410e90f35d
  6. SHA256- 326caf2ef865e7354c7efb26d1f224ecc0176e074d99a734d40f8a0a39056201
  7. SSDEEP- 12288:5ei1y+QPehnIYkuDUreNuEpsOV1n60tct:Ei1XK8DLhubO31c
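As an added example (not part of the CloudSEK advisory), the following Python script walks a directory tree and flags the file-level indicators listed above: the appended ".Fappy" extension, the ransom note filename, and the SHA256 of the sample. The directory it scans is constructed inside the script for demonstration and contains no real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators taken from the advisory above (MD5/SHA1 could be added the same way).
FAPPY_EXTENSION = ".Fappy"
RANSOM_NOTE_NAME = "HOW TO DECRYPT FILES.txt"
KNOWN_SHA256 = {"326caf2ef865e7354c7efb26d1f224ecc0176e074d99a734d40f8a0a39056201"}

def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_for_fappy(root: str) -> dict:
    """Walk `root` and collect the three indicator types the advisory lists."""
    findings = {"encrypted": [], "ransom_notes": [], "hash_matches": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(FAPPY_EXTENSION):      # renamed (encrypted) victim file
                findings["encrypted"].append(str(path))
            if name == RANSOM_NOTE_NAME:            # dropped ransom note
                findings["ransom_notes"].append(str(path))
            try:
                if sha256_of(path) in KNOWN_SHA256:  # the sample binary itself
                    findings["hash_matches"].append(str(path))
            except OSError:
                pass  # unreadable file: skip it rather than abort the scan
    return findings

def build_sample_tree() -> str:
    """Constructed directory (no real malware) mimicking a post-infection layout."""
    root = tempfile.mkdtemp(prefix="fappy_demo_")
    (Path(root) / "one.jpg.Fappy").write_bytes(b"constructed ciphertext placeholder")
    (Path(root) / RANSOM_NOTE_NAME).write_text("constructed ransom note text")
    (Path(root) / "notes.txt").write_text("benign file")
    return root

if __name__ == "__main__":
    print(scan_for_fappy(build_sample_tree()))
```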

Preventive Measures

  1. Do not open suspicious emails.
  2. Use spam filters and antivirus programmes to detect and filter bad emails.
  3. Enable an endpoint security product or endpoint protection suite.
  4. Keep your software up-to-date.
  5. Back up data on a regular basis and keep archived copies offsite and offline.
  6. Enforce strict privilege management: grant administrative access privileges only to administrators.
  7. Do not install applications from unknown sources.
