The FRS Ransomware is an encryption ransomware Trojan that is used to trick computer users into paying a ransom after taking their files hostage. The FRS Ransomware only pretends to carry out an encryption attack on the victim's computer and does not support encryption mechanisms. It simply renames the victim's files, imitating an attack that is associated with more harmful threats.

Payloads

The FRS Ransomware will rename the victim's files and create a text file named 'READ_ME_HELP.txt' on the infected computer's desktop along with a PNG file with the same name located in the same place on the affected computer's drive.

It seems that the FRS Ransomware was initially a batch script that was converted into an executable program using the Quick Batch File Compiler. The FRS Ransomware receives its name because it adds the file extension '.FRS' to the end of each affected file's name. Once a file has been renamed, Windows will not open it because it does not recognize which tool should be used to open that file type. However, the contents of the file are not changed, only its name. Computer users only need to rename the affected file with the correct extension to recover access to it. This is different from real encryption ransomware Trojans, which encrypt the files' data (in addition to renaming them), meaning that the file will be lost permanently unless one has access to the decryption key or software necessary to restore access to that file's data. The FRS Ransomware attempts to trick computer users into believing that it has carried out this kind of attack, which is substantially more difficult to pull off.

The FRS Ransomware will rename the files contained in the following directories:

C:\Users\%USERNAME%\Desktop\
C:\Users\%USERNAME%\Saved Games\
C:\Users\%USERNAME%\Links\
C:\Users\%USERNAME%\Favorites\
C:\Users\%USERNAME%\Searches\
C:\Users\%USERNAME%\Videos\
C:\Users\%USERNAME%\Pictures\
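
Because only the names change, recovery can be scripted. The following is an added example, not part of the original page or of any vendor tool: it strips a trailing '.FRS' and, for a few common formats, checks that the file header still matches the restored extension before renaming. The function names, the header table, the recursive scan and the assumption that '.FRS' is appended after the original extension are choices made for this example.

```python
import sys
from pathlib import Path

# Folders under the user profile that the page lists as affected.
PAGE_FOLDERS = ["Desktop", "Saved Games", "Links", "Favorites",
                "Searches", "Videos", "Pictures"]

# Leading bytes of a few common formats (table chosen for this example),
# used to confirm the content still matches the pre-'.FRS' extension.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}


def content_matches(path, original_ext):
    """True/False when the header can be checked, None for unknown types."""
    magic = MAGIC.get(original_ext.lower())
    if magic is None:
        return None
    with open(path, "rb") as fh:
        return fh.read(len(magic)) == magic


def restore_frs(root, dry_run=True):
    """Strip a trailing '.FRS' from files under root; return a report."""
    report = []
    for src in sorted(Path(root).rglob("*")):
        if not src.is_file() or src.suffix.lower() != ".frs":
            continue
        dst = src.with_suffix("")            # photo.png.FRS -> photo.png
        ok = content_matches(src, dst.suffix)
        if dst.exists():
            status = "skipped: target exists"    # never overwrite a file
        elif ok is False:
            status = "skipped: header mismatch"  # content may be altered
        else:
            status = "rename" if ok else "rename (type not verified)"
            if not dry_run:
                src.rename(dst)
        report.append((src.name, dst.name, status))
    return report


if __name__ == "__main__":
    # Dry run by default; pass --apply to perform the renames.
    apply = "--apply" in sys.argv
    for folder in PAGE_FOLDERS:
        base = Path.home() / folder
        if base.is_dir():
            for row in restore_frs(base, dry_run=not apply):
                print(base, *row, sep=" | ")
```

A "header mismatch" result means the content does not look like the claimed type, so that file should be examined by hand rather than renamed automatically.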

After renaming the victim's files, the FRS Ransomware will drop the enciphered files in a folder named 'FRSRANSOMWARE' on the main system drive of the affected computer. The FRS Ransomware's ransom note contains an image of the Chinese flag. The following files have been linked to the FRS Ransomware attack:

C:\Users\FIFCOM\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FRS.exe
C:\FRSRAMSOMWARE\Chinese_national_flag.png
C:\FRSRAMSOMWARE\READ_ME_HELP_ME.txt
C:\FRSRAMSOMWARE\READ_ME_HELP_ME.png
C:\FRSRAMSOMWARE\FRS_Decryptor.exe