French Ransomware

French Ransomware has earned its name because it is targeted at Windows users who speak French. Of course, other names could be attached to this malware, including “Lockon Ransomware” or “Débloquer Votre Oridnateur Ransomware.” Unfortunately, one specific name is not appointed to this threat, which might make it more difficult for users to researcher it. Of course, right now, we do not even know if this malware will be terrorizing Windows users because it is still in development. Our researchers who have analyzed this threat inform that it comes from the Hidden Tear, and several other threats from this family include Rastakhiz Ransomware, Jhash Ransomware, and Onion3Cry Ransomware. They were created by different parties (most likely), but the same source-code was used in the process. Quite recently, the creator of this code has made a public apology at utkusen.com stating that he is sorry for publishing it. Unfortunately, it is too late for that, and the only thing we can focus on is the removal of French Ransomware.

The current version of the malicious French Ransomware appears to encrypt files only in the %HOMEDRIVE%\\testrw directory. Clearly, this version is still in testing. That being said, our research team has found that the threat is programmed to target 365 different file extensions; including .doc, .txt, or pdf. When the encryption of files becomes possible, the infection should rename the original files using 10-15 random characters. Also, the “.lockon” extension should be added to the files to help you find them. The Desktop background image should be changed automatically to accompany these files. The image should include a message in French, and, according to it, you need to create an account on localbitcoins.com and then send a specific amount in Bitcoins to the presented Bitcoin Address. Our sample asked a ransom of 150 EUR or GBP, and the Bitcoin Address was 1EhHaeQ5x8Q4wF62QwqRUfoFrbYo2PLR7c. The ransom note, of course, could change as the threat evolves, but, in any case, fulfilling the demands is not recommended.

What happens if you do as told, and pay the ransom? In the perfect world, cyber criminals behind the devious French Ransomware would immediately provide you with a decryption key, and your files would be decrypted soon enough. Then, you would simply need to remove the launcher of the ransomware. Unfortunately, virtual world is not a perfect world, and trusting cyber criminals is always a bad idea. Whether or not you pay the ransom, the encrypted files will remain the same. So, why would you waste your money? Instead, invest it in software that could keep malicious threats out of the picture in the future. Unfortunately, despite so many new threats emerging all the time, Windows users are still careless. They do not protect their operating systems. They do not back up their files (which can save you if a file-encrypting threat attacks). They do not act cautiously online. Windows users could be exposed to French Ransomware in a form of a DOC or PDF file attached to a misleading email message, and it could be enough to click it to launch the infection.

Installing anti-malware software is one of the most important steps you could make. You want to employ software that could protect your operating system against the invasion of French Ransomware and all other threats that are currently running in the wild. This software can also automatically delete malicious threats, and so if it has invaded your system already, you can rely on it to delete French Ransomware. You could also try erasing the infection manually, but, as you can see, the guide is not very detailed, and you have to have certain knowledge or skills to identify and delete the malicious .exe file. Another step that is very important is the backing up of personal data. Back it up externally, and you will never need to worry about your files being irreversibly corrupted or lost. If you have any questions or concerns about the ransomware, take note that the comments section below is open to everyone.

French Ransomware Removal

1. Delete the .exe file that represents the ransomware (its name and location are random).
2. Delete the file named backround.jpg (it is located in the same location where the .exe file is).
3. Empty Recycle Bin to clear the components completely.
4. Run a full system scan using a legitimate malware scanner to look for leftovers.