What is FASTBOB ransomware? And how does it carry out its attack?
FASTBOB ransomware is a file-encrypting malware. Based on analysis by security researchers, this new crypto-malware appears to be a variant of FASTBOB ransomware. The new variant appends the .FASTBOB extension to the files it encrypts, hence the name.
As soon as it begins its attack, it drops its malicious payload on the system and uses it to connect to a remote server and download further malicious files. It then uses those files to make changes to the system, such as creating and modifying entries in the Windows Registry so that the malware runs automatically on every system boot. After that, it starts encrypting files using the AES 128-bit and RSA 2048-bit encryption algorithms. Once the encryption is complete, it appends the .FASTBOB extension to each locked file. It also opens a file named “#_#FASTBOB_README#_#.rtf”, which contains the following content:
“HOW TO RECOVER YOUR FILES INSTRUCTION
ATTENTION!!!
We are really sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. it became possible because of bad server security.
ATTENTION!!!
Please don’t worry. we can help you to RESTORE your server to the original
state and decrypt all your files quickly and safely!
INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique
decryption key is securely stored on our server. For our safety, all information about your server and your
decryption key will be automatically DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
Please note that all the attempts to recover your files by yourself or using third party tools will result only in
irrevocable loss of your data!
Please note that you can recover files only with your unique decryption key, which stored on our side. If you
will use the help of third parties, you will only add a middleman.”
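Before removal or recovery, a responder needs to know how far the encryption got and when it ran. The following PowerShell script is an added example, not code from this article; it sweeps the listed roots for files carrying the .FASTBOB extension and for the ransom note named above, reports the encryption window from the files' timestamps, and writes an inventory. The $Roots list and the report path are assumptions to adjust for the host.

```powershell
# Added triage example (not from the original article). Read-only: it locates
# the indicators the article names and records them, changing nothing.
# Run from an elevated PowerShell prompt on the affected host.
$EncryptedExt = '.FASTBOB'                 # extension appended to locked files
$NoteName     = '#_#FASTBOB_README#_#.rtf' # ransom note dropped by the malware

# Folders to sweep and where to write the report: both are assumptions.
$Roots  = @('C:\Users', 'D:\')
$Report = Join-Path $env:USERPROFILE 'Desktop\fastbob-inventory.csv'

function Get-SweepFiles {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        if (Test-Path -LiteralPath $p) {
            Get-ChildItem -LiteralPath $p -Recurse -File -Force -ErrorAction SilentlyContinue
        }
    }
}

$all       = Get-SweepFiles -Paths $Roots
$encrypted = @($all | Where-Object { $_.Extension -eq $EncryptedExt })
$notes     = @($all | Where-Object { $_.Name -eq $NoteName })

# The LastWriteTime of the encrypted files brackets the encryption window,
# which is what you correlate with logon, e-mail and process-creation logs.
$byTime = @($encrypted | Sort-Object LastWriteTime)
[pscustomobject]@{
    EncryptedFiles  = $encrypted.Count
    AffectedFolders = @($encrypted.DirectoryName | Sort-Object -Unique).Count
    RansomNotes     = $notes.Count
    EncryptionStart = if ($byTime.Count) { $byTime[0].LastWriteTime }  else { $null }
    EncryptionEnd   = if ($byTime.Count) { $byTime[-1].LastWriteTime } else { $null }
} | Format-List

# Keep the inventory with the incident record; it also drives later recovery.
$encrypted | Select-Object FullName, Length, LastWriteTime |
    Export-Csv -NoTypeInformation -Path $Report
```

Run it before touching anything else: the encryption window it prints tells you which logs to pull, and the CSV is the list of files you will later try to restore from shadow copies or backups.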
If you are one of the victims of this crypto-malware, paying the ransom demanded by the creators of this threat is definitely not advised, as you will only add fuel to the fire by giving them what they want. These crooks are not to be trusted, and there is no guarantee that they will actually provide the decryption key or the decryption software needed to restore the encrypted files. The best thing you can do is to try other recovery options, which cost nothing, rather than give in to their demands.
How does FASTBOB ransomware proliferate?
Just like its predecessor, FASTBOB ransomware spreads through malicious spam emails. The crooks behind this threat attach an infected file to the emails. The infected file may be a ZIP file, a PDF file, an executable, or a document with macro scripts that launch FASTBOB ransomware on the targeted machine. Aside from spam emails, the malicious payload of this threat might also be distributed via fake installers, games and so on. You should therefore always exercise caution when downloading anything from the internet.
Deleting FASTBOB ransomware won’t be easy, so you need to use the removal guide prepared below.
Step 1: Tap the Ctrl + Alt + Delete keys to open a menu and then expand the Shutdown options which is right next to the power button.
Step 2: After that, tap and hold the Shift key and then click on Restart.
Step 3: In the Troubleshoot menu that opens, click on Advanced options and then go to Startup Settings.
Step 4: Click on Restart and tap F4 to select Safe Mode or tap F5 to select Safe Mode with Networking.
Step 5: After your PC has successfully rebooted, tap Ctrl + Shift + Esc to open the Task Manager.
Step 6: Go to the Processes tab and look for FASTBOB.exe and then end its process.
Step 7: Exit the Task Manager and open Control Panel by pressing the Windows key + R, then type in appwiz.cpl and then click OK or press Enter.
Step 8: Look for programs related to FASTBOB Ransomware and then uninstall them.
Step 9: Close Control Panel and tap Win + E keys to open File Explorer.
Step 10: Navigate to the following locations and look for the malicious components created by FASTBOB ransomware, such as #_#FASTBOB_README#_#.rtf and FASTBOB.exe or [random file name].exe, as well as other files associated with this threat, and make sure to delete them all.
- %APPDATA%
- %TEMP%
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 11: Close the File Explorer.
Before you proceed to the next steps below, make sure that you are tech savvy enough to know exactly how to use and navigate your computer’s Registry. Keep in mind that any changes you make there will have a major impact on your computer. To save you the trouble and time, you can just use [product-name]; this system tool is proven to be safe and robust enough that hackers won’t be able to hack into it. But if you can manage the Windows Registry well, then, by all means, go on to the next steps.
Step 12: Tap Win + R to open Run, type regedit in the field and press Enter to open the Windows Registry.
Step 13: Navigate to the listed paths below and look for the registry keys and sub-keys created by FASTBOB ransomware.
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization
- HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
- HKEY_CURRENT_USER\Control Panel\Desktop
Step 14: Delete the registry keys and sub-keys created by FASTBOB ransomware.
Step 15: After that, close the Registry Editor and empty the Recycle bin.
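Steps 10 through 14 ask you to judge by eye which Run/RunOnce values belong to the malware. The following PowerShell script is an added example, not code from this article or from any product it mentions; it enumerates the Run and RunOnce keys listed in Step 13, flags any value whose command points into one of the user-writable folders from Step 10 (where a dropped payload typically lives), and exports each key with reg.exe before anything is deleted so a mistaken removal can be undone. The backup path is an assumption; the Remove-ItemProperty line at the end is commented out and carries a placeholder value name, because the value to delete is whatever the review turns up.

```powershell
# Added example (not the article's code). Reviews the autorun keys the guide
# lists, flags values that launch something from a user-writable folder, and
# exports each key with reg.exe before anything is deleted. Elevated prompt.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders from Step 10 where a dropped payload typically lives.
$UserWritable = @($env:APPDATA, $env:TEMP, "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop")
# Backup location is an assumption; change it to suit.
$Backup = Join-Path $env:USERPROFILE 'Desktop\autorun-backup'
New-Item -ItemType Directory -Path $Backup -Force | Out-Null

$findings = foreach ($key in $RunKeys) {
    if (-not (Test-Path -Path $key)) { continue }

    # reg.exe wants HKLM\... rather than the HKLM:\... PSDrive form.
    $regPath = $key -replace ':', ''
    $regFile = Join-Path $Backup (($regPath -replace '\\', '_') + '.reg')
    & reg.exe export $regPath $regFile /y | Out-Null

    $props = Get-ItemProperty -Path $key
    foreach ($prop in $props.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # PSPath, PSParentPath, ...
        $cmd      = [string]$prop.Value
        $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
        $fromUserDir = $false
        foreach ($dir in $UserWritable) {
            if ($dir -and $expanded.IndexOf($dir, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $fromUserDir = $true
            }
        }
        [pscustomobject]@{
            Key         = $regPath
            ValueName   = $prop.Name
            Command     = $cmd
            FromUserDir = $fromUserDir
        }
    }
}
$findings | Sort-Object FromUserDir -Descending | Format-Table -AutoSize

# Only after the table has been reviewed: remove a confirmed malicious value.
# The value name below is a placeholder; use the one the review identified.
# Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name '<malicious value>'
```

A FromUserDir flag is a prompt to look, not proof: legitimate updaters sometimes start from %APPDATA% too, so check the binary's publisher and signature before removing the value. The .reg files in the backup folder can be re-imported with reg.exe import if a removal turns out to be wrong.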
Try to recover the encrypted files using the Volume Shadow copies
Restoring your encrypted files using Windows’ Previous Versions feature will only work if FASTBOB ransomware hasn’t deleted the shadow copies of your files. Even so, this is one of the best free methods there is, so it’s definitely worth a shot.
To restore an encrypted file, right-click it and select Properties. In the window that opens, go to the Previous Versions tab, which lists the file’s versions from before it was modified. Once the list has loaded, select one of the previous versions displayed, like the one in the illustration below, and then click the Restore button.
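Whether Previous Versions will show anything depends entirely on whether shadow copies of the volume still exist, and that can be checked up front instead of file by file. The following PowerShell script is an added example, not code from this article; it lists the surviving shadow copies of drive C:, exposes the newest one as a directory link, and copies the pre-encryption version of one file out of it, leaving the encrypted file in place. The link location and the example file path are constructed assumptions.

```powershell
# Added example (not the article's code). Checks whether shadow copies of C:
# survived and, if so, copies a pre-encryption version of one file out of the
# newest snapshot. Elevated prompt required; the file path below is constructed.
$volC    = (Get-CimInstance -ClassName Win32_Volume -Filter "DriveLetter='C:'").DeviceID
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy |
             Where-Object { $_.VolumeName -eq $volC } |
             Sort-Object InstallDate -Descending)
if ($shadows.Count -eq 0) {
    Write-Warning 'No shadow copies of C: found; Previous Versions will be empty.'
    return
}
$shadows | Select-Object ID, InstallDate, DeviceObject | Format-Table -AutoSize

# Expose the newest snapshot as a directory link; mklink needs the trailing backslash.
$latest = $shadows[0]
$mount  = 'C:\shadow_latest'      # assumption: where the link is created
if (Test-Path -LiteralPath $mount) { cmd /c rmdir $mount | Out-Null }
cmd /c mklink /d $mount "$($latest.DeviceObject)\" | Out-Null

# The original name is the encrypted name without the appended extension.
$encrypted = 'C:\Users\alice\Documents\report.docx.FASTBOB'   # constructed example
$original  = $encrypted -replace '\.FASTBOB$', ''
$relative  = $original.Substring(3)             # drop the 'C:\' prefix
$inShadow  = Join-Path $mount $relative

if (Test-Path -LiteralPath $inShadow) {
    # Leave the encrypted file where it is; write the recovered copy next to it.
    Copy-Item -LiteralPath $inShadow -Destination ($original + '.recovered')
    Write-Host "Recovered $original from snapshot taken $($latest.InstallDate)"
} else {
    Write-Warning "$relative is not present in the newest snapshot; try an older one."
}
cmd /c rmdir $mount | Out-Null   # removes only the link, not the snapshot
```

The same loop, fed the file list from a triage inventory, restores everything the snapshot still holds. If the script reports no shadow copies, the malware most likely deleted them (vssadmin list shadows will show the same), and recovery has to come from offline backups instead.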
After you’ve covered the steps provided above, you need to continue the removal process of FASTBOB ransomware using a reliable program like [product-name]. How? Follow the advanced removal steps below.
Perform a full system scan using [product-code]. To do so, follow these steps:
- Turn on your computer. If it’s already on, you have to reboot
- After that, the BIOS screen will be displayed; if Windows starts instead, reboot your computer and try again. Once you’re on the BIOS screen, press F8 repeatedly until the Advanced Options menu appears.
- To navigate the Advanced Option use the arrow keys and select Safe Mode with Networking then hit
- Windows will now load Safe Mode with Networking.
- Press and hold the Windows key and the R key.
- If done correctly, the Windows Run Box will show up.
- Type in the URL address, [product-url] in the Run dialog box and then tap Enter or click OK.
- After that, it will download the program. Wait for the download to finish and then open the launcher to install the program.
- Once the installation process is completed, run [product-code] to perform a full system scan.
- After the scan is completed, click the “Fix, Clean & Optimize Now” button.