What is FlatChestWare ransomware? And how does it carry out its attack?
FlatChestWare is an encryption ransomware Trojan designed to encrypt files. It was first observed by security analysts in the last week of August 2017. This ransomware infection is based on the open-source HiddenTear platform, which is commonly used by cyber criminals to create file-encrypting threats.
FlatChestWare uses the AES-256 encryption algorithm in its attack and demands a ransom of 250 USD in Bitcoin in exchange for the decryption key. It appends the .flat extension to each of the targeted files. During its attack, FlatChestWare displays a dialog box imitating Windows Update, telling users to restart their computer to install new updates. If you make the mistake of restarting your PC, you allow the ransomware to delete your files, including the Shadow Volume Copies of the encrypted files. Without the Shadow Volume Copies, recovering your files becomes a hard task. So keep in mind: do not restart your computer when you see this dialog box. The dialog box contains the following message:
Windows Update
Restart your computer to finish installing important updates
Windows can’t update important files and services while the system is using them. Make sure to save your files before restarting.
[“Restart now” button] [“Postpone” button]
If you have fallen for FlatChestWare’s trick and rebooted your PC, it will display a ransom note containing the following message:
“Your personal files have been encrypted. these files being photos, videos, downloads, documents, and many other files. Please do not attempt to remove this program. any attempt to remove it could cause you to be unable to recover your personal files. Only our service can decrypt your files. so disable your anti-virus and make no attempt to tamper with anything we have done.
Oh and dont feel bad for clicking ‘Restart Now’ we were already encrypting your files as soon as the application launched.
Click the [HELP] button below if you wish to recover your files.
Bitcoin Address:
[RANDOM CHARACTERS]
[Decrypt|button] [Verify payment|button] [Help|button]”
How does FlatChestWare ransomware distribute its malicious file?
This ransomware is executed from a malicious executable file named FlatChestWare.exe. According to researchers, this ransomware looks for unprotected servers and then tries to get hold of them: once it finds an open port, it establishes a Remote Desktop Protocol (RDP) connection and launches its attack.
Aside from RDP, FlatChestWare also distributes its malicious file using spam emails. Its developers disguise the email as something that would pique your curiosity, to make you open the email and download the corrupted file. Thus, you should beware of this trick and be cautious in opening emails, especially if they’re from unknown senders. It is also recommended that you follow all security advice and steer clear of high-risk sites, illegal downloads, and suspicious ads. In addition, keeping your system and antivirus program up to date strengthens your computer’s resistance against the likes of FlatChestWare ransomware.
Terminate the ransomware infection by following the removal instructions below.
Step 1: Open the Windows Task Manager by pressing Ctrl + Shift + Esc at the same time. Proceed to the Processes tab and look for suspicious processes that can be related to the FlatChestWare Ransomware.
Right-click on the processes, then click Open File Location and scan them using a powerful and trusted antivirus like SpyRemover Pro. After opening their folders, end their processes and delete their folders. If the virus scanner fails to detect something that you know is suspicious, don’t hesitate to delete it.
Step 2: Open Control Panel by pressing the Windows key + R to launch Run, type appwiz.cpl in the Run box and click OK.
Step 3: Look for FlatChestWare ransomware or any peculiar program and then Uninstall it.
Step 4: Hold down Windows + E keys simultaneously to open File Explorer.
Step 5: Navigate to the following paths.
- %AppData%
- %USERPROFILE%\Downloads
- %USERPROFILE%\Desktop
Step 6: After that, look for the malicious executable file, FlatChestWare.exe, and other suspicious files and delete each one of them.
Step 7: Close File Explorer.
The next step is not recommended if you don’t know how to navigate the Registry Editor. Making registry changes can seriously affect your computer, so it is highly advised to use PC Cleaner Pro instead to get rid of the entries that FlatChestWare ransomware created. If you are not familiar with the Windows Registry, skip to Step 12 onwards.
However, if you are well-versed in making registry adjustments, then you can proceed to Step 8.
Step 8: Open the Registry Editor. To do so, tap Win + R, type in regedit and then press Enter.
Step 9: Navigate to the path below:
HKCU\Software\Microsoft\Windows\CurrentVersion\RUN
Step 10: Under that location, open the value named Microsoft Update and then copy the location of the malicious file.
Step 11: Delete the value.
Step 12: Close the Registry Editor.
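Steps 8 to 11 can be checked from an elevated PowerShell prompt before anything is deleted. The script below is an added example, not part of the original article: it lists every autorun value under the HKCU Run key, resolves the executable each one points to, flags the value named Microsoft Update (the name given in Step 10) or anything pointing at FlatChestWare.exe, and records the file hash; removal is run with -WhatIf so nothing changes until you drop that switch.

```powershell
# Added example (not from the original article): inspect the HKCU Run key for the
# "Microsoft Update" autorun value described in Step 10, resolve the executable it
# launches, and hash the file before the registry value is removed (Step 11).
$runKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectName = 'Microsoft Update'   # value name taken from the article

function Get-RunEntries {
    param([string]$Path = $runKey)
    $item = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($p in $item.PSObject.Properties) {
        # Skip the provider metadata properties that Get-ItemProperty adds
        if ($p.Name -in 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider') { continue }
        $raw = [string]$p.Value
        # Strip surrounding quotes and trailing arguments to isolate the executable path
        $exe = if ($raw -match '^"([^"]+)"') { $Matches[1] } else { ($raw -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $exists = Test-Path -LiteralPath $exe
        [pscustomobject]@{
            Name    = $p.Name
            Command = $raw
            Exe     = $exe
            Exists  = $exists
            Sha256  = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            Suspect = ($p.Name -eq $suspectName) -or ($exe -match 'FlatChestWare\.exe$')
        }
    }
}

$entries = Get-RunEntries
$entries | Format-Table Name, Exe, Exists, Suspect -AutoSize

$entries | Where-Object Suspect | ForEach-Object {
    # Keep the path and hash for your records (Step 10), then remove only the
    # registry value (Step 11); the file itself is handled in Step 6.
    Write-Host "Suspect autorun '$($_.Name)' -> $($_.Exe) (SHA256: $($_.Sha256))"
    Remove-ItemProperty -Path $runKey -Name $_.Name -WhatIf
}
```

Review the table before removing the -WhatIf switch; legitimate software also registers itself under this key, so only the flagged entry should be deleted.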
Step 13: Empty the Recycle Bin.
Step 14: Try to recover your encrypted files.
Note: Restoring your encrypted files using Windows’ Previous Versions feature will only work if you have not restarted your PC as the ransomware tells you to do.
To restore an encrypted file, right-click on it and select Properties. A new window will pop up; proceed to the Previous Versions tab. It will load the file’s previous versions from before it was modified. After it loads, select any of the previous versions displayed on the list, like the one in the illustration below, and then click the Restore button.
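Before clicking through Previous Versions file by file, it helps to know how many .flat files there are and whether any Shadow Volume Copies survived. The script below is an added example, not part of the original article: it inventories files carrying the .flat extension under the user profile and queries the VSS snapshots for the system drive (Win32_ShadowCopy needs an elevated prompt); an empty snapshot list means Previous Versions has nothing to restore from.

```powershell
# Added example (not from the original article): count .flat files under the user
# profile and check whether Shadow Volume Copies still exist for the system drive,
# which decides whether the Previous Versions restore described above can work.
function Get-FlatFileInventory {
    param([string]$Root = $env:USERPROFILE)
    # The article states FlatChestWare appends .flat to every encrypted file
    Get-ChildItem -Path $Root -Filter '*.flat' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Get-ShadowCopyStatus {
    param([string]$Drive = $env:SystemDrive)
    # Win32_ShadowCopy.VolumeName uses the \\?\Volume{GUID}\ form, so map the
    # drive letter to its volume DeviceID first
    $vol     = Get-CimInstance Win32_Volume -Filter "DriveLetter='$Drive'" -ErrorAction Stop
    $shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue |
        Where-Object { $_.VolumeName -eq $vol.DeviceID })
    [pscustomobject]@{
        Drive       = $Drive
        ShadowCount = $shadows.Count
        Newest      = ($shadows | Sort-Object InstallDate -Descending | Select-Object -First 1).InstallDate
    }
}

$flat = @(Get-FlatFileInventory)
Write-Host "Found $($flat.Count) file(s) with the .flat extension under $env:USERPROFILE"
$flat | Select-Object -First 10 | Format-Table -AutoSize

$status = Get-ShadowCopyStatus
if ($status.ShadowCount -gt 0) {
    Write-Host "$($status.ShadowCount) shadow copy(ies) on $($status.Drive), newest $($status.Newest): Previous Versions restore is worth trying."
} else {
    Write-Host "No shadow copies on $($status.Drive): Previous Versions cannot recover these files; use offline backups instead."
}
```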
Follow the continued advanced steps below to ensure the removal of the FlatChestWare ransomware:
Perform a full system scan using SpyRemover Pro. To do so, follow these steps:
- Turn on your computer. If it’s already on, reboot it.
- After that, the BIOS screen will be displayed; if Windows pops up instead, reboot your computer and try again. Once you’re on the BIOS screen, repeatedly press F8 until the Advanced Options menu shows up.
- Use the arrow keys to navigate the Advanced Options menu, select Safe Mode with Networking and then hit Enter.
- Windows will now load Safe Mode with Networking.
- Press and hold both the R key and the Windows key.
- If done correctly, the Windows Run box will show up.
- Type in explorer http://www.fixmypcfree.com/install/spyremoverpro (a single space must be between explorer and http) and click OK.
- A dialog box will be displayed by Internet Explorer. Click Run to begin downloading SpyRemover Pro. Installation will start automatically once the download is done.
- Click OK to launch SpyRemover Pro.
- Run SpyRemover Pro and perform a full system scan.
- After all the infections are identified, click REMOVE ALL.
- Register SpyRemover Pro to protect your computer from future threats.