Fenrir Ransomware

Fenrir Ransomware is a ransomware that silently slithers into your operating system and then encrypts your personal files. What is the reason behind this? The cyber criminal(s), who is responsible for this infection, is hoping to make you pay for the decryption tool (“unlocker”) that allegedly can get your files decrypted. Can you trust the promises made by criminals? You probably need no explanation as to why that is a bad idea. Our research team has analyzed hundreds of different file-locking ransomware threats, and we can say with confidence that you are unlikely to get your files decrypted if you fulfill the demands of a creator who has built this malicious infection. So, what should you do? If the files encrypted by this malware are not backed up, you probably want them decrypted. In this case, we suggest looking into different options (e.g., legitimate file decryptors, system restore points, the help of Windows repair experts, etc.). Now, even though it is unlikely that you would get your files freed, you have to exhaust all options before you give up. In the end, you MUST remove Fenrir Ransomware.

According to our malware analysts, Fenrir Ransomware is spread via spam emails. That is the primary means of distribution for Azer Ransomware, RanRans Ransomware, and most other threats of this kind. It was found that this particular threat might conceal its malicious installer as an Adobe Reader file. If you are convinced that the file attached to the suspicious, misleading spam email is legitimate, you are more likely to open it. Of course, if you do that, the ransomware is executed automatically. Once it is launched, it silently makes a DNS request to connect to one of the many available domains. The threat does that to download an .RTF file and a .PNG file that, later on, is used as the Desktop wallpaper, as well as to retrieve and/or send the encryption key. The encryption process is silent as well, and so you are unlikely to notice that a malicious threat is encrypting your personal files one by one. Once that is done, all files become unreadable, and a unique extension is attached to their names. We have found that the extension is created using a unique Hardware ID (HWID), which means that it is unique in every case. Do not start removing the extension from the corrupted files because that is a waste of your time.

The final task for Fenrir Ransomware is to introduce you to the ransom demands. To do that, the threat launches a file named “ransom.rtf”. It also opens a window entitled “YOUR ID: [unique ID].” The message represented via this window suggests that you need to transfer a ransom that equals 150 USD in Bitcoins to 19SVnn5cjTewmgzE5v9gVXn4mzxFQMT5Wo. This Bitcoin Wallet was set up by the creator of the infection. Once the transaction is complete, you are then expected to send your ID to whiterabbit01@mailinator.com. At the bottom of the window, you can find two different buttons. The first one is called “I SENT THE PAYMENT, RETRIEVE MY FILLLES!!!”, and it asks you to enter a password. The second one is called “I WILL NOT PAY, DELETE MY FILES!!!”, and if you click it, you are introduced to a pop-up suggesting that you should not do that. Ultimately, you cannot get your files deleted. Additionally, Fenrir Ransomware uses the aforementioned .PNG file to replace your desktop wallpaper and inform you about the encryption and the ransom demands as well.

The situation you are in is very tricky, and there is not much we can help you with. Hopefully, you can get your files decrypted, or you have them backed up, and the encryption does not intimidate you at all. Of course, the last thing you should do is waste your money on a ransom that is unlikely to lead you anywhere. Whatever you do and whatever happens, you must remember to delete Fenrir Ransomware from your operating system, and that is pretty easy to do if you know where the malicious launcher posing as an Adobe Reader file is hiding. Once you remove this file, you need to eliminate the components of the infection, and that is it. Of course, we strongly recommend that you also employ an anti-malware tool to keep your operating system protected against malware in the future.

Fenrir Ransomware Removal

1. Right-click and Delete the malicious .exe file (might pose as an Adobe Reader file).
2. Right-click and Delete the file named ransom.rtf.
3. Right-click and Delete the {unknown name}.PNG file.
4. Launch RUN (tap Win+R keys) and enter regedit.exe.
5. Navigate to HKCU/Software/Microsoft/Windows/CurrentVersion/RUN.
6. Right-click and Delete the value named PID (the valuedata of this value is unique in every case).