Facebook Ransomware

What does Facebook Ransomware have to do with Facebook? Absolutely nothing. Our research team does not even believe that this threat could be spread using the popular social networking platform. Instead, it seems to spread using spam emails and vulnerable RDP channels. If you do not patch security vulnerabilities and do not pay attention to the emails you open and interact with, a malicious file-encrypting ransomware might slither in and attack. Note that the threat we are discussing in this report is not the only one that can attack and destroy your personal files. In fact, it is not even an original threat, as it was created using the Hidden Tear source code, which has also been used by TrumpHead Ransomware, BSS Ransomware, SnowPicnic Ransomware, and many other malicious infections. These threats might be used by different attackers, but they all function in the similar ways. Of course, to provide you with most accurate information on how to remove Facebook Ransomware, we have created this guide.

The only good thing about Facebook Ransomware is that it does not encrypt everything. Instead, it focuses on the files that are located in the %USERPROFILE% directory (folders included). So, if your personal files are not stored there, the infection might not cause great damage. In that case, you want to delete Facebook Ransomware as soon as possible. Although this threat is quite predictable, it would be unwise to just assume that it cannot evolve and act in an unexpected manner. All in all, the sample we tested did not encrypt files elsewhere. It also disabled the Task Manger by modifying the Windows Registry (created “DisableTaskMgr” value in HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System). Most likely, this is done just so that victims would be prevented from terminating a malicious process that supports the full-screen window launched by the ransomware. This window displays Facebook logos along with a short message: “oops Your files are encrypted. Please click the button that says "How to decrypt my files."” If the button is clicked, the victim is informed that they need to pay a ransom of 0.29 Bitcoin.

If you do not know this already, 0.29 Bitcoin converts to around 1,500 USD. That is a lot of money, and even if you have it, you probably have better ways to spend it than to give it to cyber attackers. A ransom is also demanded using the file named “READ_IT.rtf,” which you can find on the Desktop. Well, how are you supposed to find this file if access to your computer is locked? It is not, and, in fact, you can easily remove Facebook Ransomware screen by tapping Alt+F4 keys on the keyboard. Once you regain access to the computer, you can also check whether or not your files were encrypted. The ones that are encrypted will have the “.Facebook” extension appended to their names. If your files are encrypted, and there are no backups that could replace them, you might be thinking about paying the ransom. It is your choice to make, but our research team does not recommend wasting your savings. You might think that your files will be miraculously restored as soon as you pay the ransom, but that is not likely to happen.

Whether your files are lost or you can replace the encrypted ones with backup copies, you need to delete Facebook Ransomware, and you need to do it fast. The instructions below show how to remove some of the components created by the ransomware, but they cannot reveal the location and name of the launcher file. Hopefully, you can identify it yourself, but if you cannot, you can always employ a tool that will take care of things automatically. An anti-malware tool you install has to be reliable, legitimate, and up-to-date; otherwise, you cannot expect it to work beneficially. While it certainly can be helpful to have Facebook Ransomware removed automatically, it probably is more important to install anti-malware software because it can help protect your operating system. Remember that if your system is not secured, vulnerabilities are not patched, and you are not careful – for example, when opening spam emails – you will always be at risk of facing malicious infections.

Facebook Ransomware Removal

1. Tap Alt+F4 to close the ransom note window.
2. Delete the launcher file (unknown name and location).
3. Launch RUN by tapping Win+R keys.
4. Enter regedit.exe and click OK to access Registry Editor.
5. Go to HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System.
6. Delete the value named DisableTaskMgr.
7. Go to the Desktop and Delete the READ_IT.rtf file.
8. Empty Recycle Bin and quickly check for leftovers using a trusted malware scanner.