Danger level 7
Type: Trojans

Fatboy Ransomware

Fatboy Ransomware (a.k.a. PyCL Ransomware) is a new RaaS (Ransomware as a Service) threat. Although it has a funny name, you will definitely not laugh if a fully working version ever slithers onto your computer. Luckily, at the time of writing, it does not work the way it should: it does not encrypt any files, and it is impossible to pay the ransom it demands because important payment details, e.g. the size of the ransom and the Bitcoin address, cannot be found in any of the files left for users. Unfortunately, this does not mean that you are safe, because it might be updated and start working properly in the near future, i.e. start locking users’ files with the intention of getting easy money. Delete Fatboy Ransomware as soon as possible no matter which of its versions you encounter, because even the one with the dead C&C server could start encrypting your files one day. Are you reading this article because your important files have been locked already? If so, remove this ransomware infection without hesitation and do not even think about paying the ransom it demands, because you have zero guarantees that the “unique key” will be given to you.

It is not a secret that Fatboy Ransomware cannot establish communication with its C&C server and, consequently, does not currently encrypt files; however, it still places the How_Decrypt_My_Files folder on the victim’s computer. Specifically, the folder is placed in the %APPDATA% directory. It contains several .html files with detailed instructions explaining how to purchase Bitcoins, how to transfer a ransom to get files back, etc. Additionally, several images and one text file (read_me.txt) can be found there. All these files try to convince users that the only way to decrypt files is to make a payment. We cannot say the exact price of the decryption key, but it will, without a doubt, not be cheap, so it is not advisable to make a payment, especially when you do not know whether you will get the key to unlock your data. Needless to say, you do not need to do anything about your files if you have encountered Fatboy Ransomware but noticed that they are fine. In this case, the removal of the ransomware is the only task you need to accomplish.

Fatboy Ransomware is quite sophisticated malware, according to specialists working at It is because it drops a folder containing a bunch of files on affected computers and might even open a window on the Desktop that is impossible to close. The %APPDATA%\cl folder that this threat drops contains Python files (Python is the programming language used to create Fatboy Ransomware) and several other files without which this infection could not work:

  • cl.exe – the main executable file which communicates with the server and encrypts users’ personal files
  • server.txt – contains IP of the C&C server
  • user.txt – a file used to identify victims

Because it drops the files listed above when it successfully enters the computer, it will not be easy to erase. Users must not leave a single component active on their systems by mistake, because the infection might revive or continue working behind their backs.

Since Fatboy Ransomware can be purchased from the DarkNet by anyone, and the buyer alone decides upon the distribution strategy, this infection might be spread using several different methods. According to our specialists, two of them are likely to be used most frequently. First, it is very likely that this infection will travel as an attachment in spam emails. Second, it might use exploits to reach users’ PCs as well. Therefore, security specialists highly recommend installing security software on the system. According to them, security software must be active on all PCs connected to the Internet.

We cannot promise that it will be easy, but you must delete Fatboy Ransomware from your computer ASAP if you have already detected it. First, you will have to open the Task Manager and kill its process, cl.exe. Then, you will need to delete all its files. It will be considerably easier to erase this threat with the help of our manual removal guide; however, if you still find it too hard, let an automatic malware remover do this job for you. It will not unlock files, but Fatboy Ransomware will be deleted fully, i.e. no components of this threat will be left on your system.

Delete Fatboy Ransomware manually

  1. Tap Ctrl+Alt+Del simultaneously.
  2. Launch the Task Manager.
  3. Open the Processes tab.
  4. Find the cl.exe process on the list and kill it (right-click on it and select End Process).
  5. Close the Task Manager and tap Win+E to open the Windows Explorer.
  6. Open %APPDATA% (type it in the address bar to open it).
  7. Find and delete two folders: cl and How_Decrypt_My_Files.
  8. Remove suspicious files opened recently.
  9. Empty the Trash.
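
The manual steps above as a PowerShell triage script (an added example, not part of the original guide). It uses only the paths and file names given in this article; the `-Remove` switch is this example's own parameter, and without it the script only reports what it finds.

```powershell
# Added example: triage for the Fatboy/PyCL artifacts named in this article.
# Read-only by default; pass -Remove to stop the process and delete the folders.
param([switch]$Remove)

$clDir   = Join-Path $env:APPDATA 'cl'
$noteDir = Join-Path $env:APPDATA 'How_Decrypt_My_Files'

# cl.exe is also the file name of Microsoft's C/C++ compiler, so match on the
# full image path under %APPDATA%\cl instead of on the process name alone.
$procs = @(Get-Process -Name 'cl' -ErrorAction SilentlyContinue |
    Where-Object {
        $_.Path -and
        $_.Path.StartsWith($clDir + '\', [System.StringComparison]::OrdinalIgnoreCase)
    })

# Files the article lists inside %APPDATA%\cl.
$expected = 'cl.exe', 'server.txt', 'user.txt'
$found = @($expected | Where-Object { Test-Path -LiteralPath (Join-Path $clDir $_) })

[pscustomobject]@{
    RunningFromAppData = $procs.Count
    ClFolderPresent    = Test-Path -LiteralPath $clDir
    ClFilesFound       = $found -join ', '
    NoteFolderPresent  = Test-Path -LiteralPath $noteDir
    ReadMePresent      = Test-Path -LiteralPath (Join-Path $noteDir 'read_me.txt')
} | Format-List

if ($Remove) {
    # server.txt holds the C&C IP according to the article; copy it elsewhere
    # before this point if you want the address for network blocking.
    # Stop the process first (steps 1-4), then delete both folders (step 7).
    $procs | Stop-Process -Force
    foreach ($dir in $clDir, $noteDir) {
        if (Test-Path -LiteralPath $dir) {
            Remove-Item -LiteralPath $dir -Recurse -Force
        }
    }
}
```

Run it as the affected user, since %APPDATA% resolves per profile.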