Fopra Ransomware is a New Phobos Clone
A new variant of the Phobos ransomware family was discovered recently. The new strain is called the Fopra ransomware.
Fopra does nothing particularly different compared to other Phobos clones. It encrypts files on the victim system, changing their names and extensions.
Fopra appends the victim's ID code, the contact email used by the bad actor behind the ransomware and the string ".fopra" to encrypted files' names. This will transform a file named "image.jpg" into "image.jpg.id[alphanumeric string].[poshix@tfwno.gf].fopra".
Encrypted files include the usual suspects - document, archive and database extensions and file types.
Once encryption completes, the Fopra ransomware drops its ransom note inside a pair of files called "info.hta" and "info.txt", both deposited on the desktop.
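For triage, the rename scheme and note filenames described above can be matched against a file listing to scope which directories were hit and which victim ID and contact address were used. This is an added example, not code from the original article; the function names, sample paths and the victim ID `EXAMPLE01` are constructed, and the ID is matched permissively because the page only describes it as an alphanumeric string.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename scheme from the article: <original>.id[<victim ID>].[<contact email>].fopra
# The page only calls the ID an "alphanumeric string", so anything between the
# brackets is accepted here (assumption).
RENAMED = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[^\[\]]+)\]\.\[(?P<contact>[^\[\]]+)\]\.fopra$",
    re.IGNORECASE,
)
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom note files named in the article


def parse_renamed(path):
    """Return original name, victim ID and contact for a Fopra-renamed file, else None."""
    match = RENAMED.match(PureWindowsPath(path).name)
    return match.groupdict() if match else None


def triage(paths):
    """Summarise a file listing: renamed files, per-directory counts, note locations."""
    hits, per_dir, notes = [], Counter(), []
    for path in paths:
        p = PureWindowsPath(path)
        parsed = parse_renamed(path)
        if parsed:
            hits.append({"path": path, **parsed})
            per_dir[str(p.parent)] += 1
        elif p.name.lower() in NOTE_NAMES:
            notes.append(path)
    return {
        "hits": hits,
        "per_dir": dict(per_dir),
        "notes": notes,
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contacts": sorted({h["contact"] for h in hits}),
    }


# Constructed sample listing (victim ID and paths are made up for the example).
SAMPLE = [
    r"C:\Users\alice\Pictures\image.jpg.id[EXAMPLE01].[poshix@tfwno.gf].fopra",
    r"C:\Users\alice\Documents\budget.xlsx.id[EXAMPLE01].[poshix@tfwno.gf].fopra",
    r"C:\Users\alice\Documents\notes.fopra.txt",
    r"C:\Users\alice\Desktop\info.hta",
    r"C:\Users\alice\Desktop\info.txt",
]
```

Because "info.txt" is a common filename, note hits are supporting evidence only and should be read alongside the renamed-file matches.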
The plain text version of the ransom note goes as follows:
!! All your files are encrypted !!!
To decrypt them, send an email to this address: poshix at tfwno dot gf
To increase the likelihood of receiving a response to your request, also duplicate your letters to the following e-mails:
rootma@cyberfear.com or usupmail at webmeetme dot com
For quick and convenient feedback, write to the online operator in the Wire messenger: @zexor
(The username of the Wire account must be exactly the same as above, be vigilant any accounts that differ even by one letter are fakes.)
Attention!
To get guaranteed assistance in decrypting your files, please contact only the contacts indicated in this note, otherwise, we are not responsible for the decryption!