

Facebook (ransomware) is file-encrypting malware that behaves like ransomware-type viruses.

Payload

Transmission

Facebook spreads via spam emails (malicious attachments), third-party software download sources (freeware download websites, free file hosting sites, peer-to-peer networks, etc.), fake software update tools, and trojans.

Infection

Immediately after infiltration, Facebook encrypts most stored data and appends the ".facebook.facebook" extension to filenames (e.g., "sample.jpg" is renamed to "sample.jpg.facebook.facebook"). Compromised data immediately becomes unusable. After successful encryption, Facebook opens a pop-up window.

The main difference between Facebook and regular ransomware is that it is not designed to generate revenue. The pop-up window contains a message (in both Russian and English) claiming that files are encrypted and that the encryption/decryption keys were not saved, so restoring data is impossible. Unfortunately, this is accurate. Ransomware developers generate revenue by encrypting users' files and selling (or claiming to sell) decryption keys for hundreds or even thousands of dollars; they provide victims with decryption instructions and contact information. Facebook, however, provides no such information. The message merely states that files are encrypted and can never be restored. Note that the pop-up window's background contains Mark Zuckerberg's photo and a message stating that he is the one responsible for the encryption - "My name is Mark Zuckerberg and I have encrypted your files without saving any encryption keys." This is false - neither Facebook nor Zuckerberg has anything to do with this malware. Facebook is probably designed to troll regular users by simply "wiping" their computers (possibly causing extensive damage and disruption).

Text presented in Facebook malware pop-up:

Что случилось с моим компьютером?
Ваши важные файлы зашифрованы. Многие из ваших документов, фотографий, видео, баз данных и других файлов больше не доступны, поскольку они были зашифрованы. Не тратьте свое время на поиск способа восстановления файлов. Никто не может восстановить ваши файлы.
Могу ли я восстановить мои файлы?
Нет. Меня зовут Марк Цукерберг, и я зашифровал ваши файлы, не сохраняя никаких ключей шифрования. Я ценю, что вы выполняете мою программу, потому что вы позволили мне разрушить больше жизней.
What Happened to My Computer?
Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Do not waste your time looking for a way to recover your files. Nobody can recover your files.
Can I Recover My Files?
No. My name is Mark Zuckerberg and I have encrypted your files without saving any encryption keys. I appreciate you executing my program because you have allowed me to ruin more lives.
"A squirrel dying in front of your house may be more relevant to your interests right now than people dying in Africa."
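
Because the keys are never saved, the only useful defensive work is catching the mass rename to ".facebook.facebook" early and inventorying what was hit. The following is an added example (not code from this wiki page or from the malware) that replays constructed file-system audit events and alerts when one process renames several files to that suffix within a short window; the event format, process IDs, paths and thresholds are all assumptions made up for the example.

```python
"""Rename-burst detector for the ".facebook.facebook" renaming behaviour.

Added example; the EVENTS below are constructed, not real telemetry. It alerts
when one process appends the marker suffix to THRESHOLD files within WINDOW
seconds, and recovers the pre-encryption filenames for an incident inventory.
"""
from collections import defaultdict, deque

MARKER = ".facebook.facebook"   # double extension appended by the malware
THRESHOLD = 3                   # marker renames by one process before alerting
WINDOW = 5.0                    # seconds (assumed tuning value)

def original_name(path):
    """Return the pre-encryption filename, or None if the marker is absent."""
    return path[:-len(MARKER)] if path.endswith(MARKER) else None

def is_marker_rename(event):
    """True for a rename that only appends the marker to an unchanged path."""
    return event["op"] == "rename" and original_name(event["dst"]) == event["src"]

def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Sliding window per PID; returns alerts as (pid, first_ts, affected srcs)."""
    recent = defaultdict(deque)   # pid -> deque of (ts, src) inside the window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_marker_rename(ev):
            continue
        q = recent[ev["pid"]]
        q.append((ev["ts"], ev["src"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["pid"] not in alerted:
            alerted.add(ev["pid"])
            alerts.append((ev["pid"], q[0][0], [p for _, p in q]))
    return alerts

RAW = [  # (ts, pid, op, src, dst); constructed sample, pid 77 is a benign rename
    (0.0, 4242, "rename", "C:/Users/a/sample.jpg", "C:/Users/a/sample.jpg" + MARKER),
    (0.4, 4242, "rename", "C:/Users/a/report.docx", "C:/Users/a/report.docx" + MARKER),
    (0.5, 77, "rename", "C:/Users/a/draft.txt", "C:/Users/a/final.txt"),
    (0.9, 4242, "rename", "C:/Users/a/notes.txt", "C:/Users/a/notes.txt" + MARKER),
    (1.3, 4242, "rename", "C:/Users/a/db.sqlite", "C:/Users/a/db.sqlite" + MARKER),
]
EVENTS = [dict(zip(("ts", "pid", "op", "src", "dst"), r)) for r in RAW]

if __name__ == "__main__":
    for pid, first_ts, paths in find_bursts(EVENTS):
        print(f"ALERT pid={pid} started at t={first_ts}s, affected: {paths}")
```

Once an alert fires, the affected process can be killed and the host isolated; the recovered names only help scope the loss, since the page is correct that the data itself cannot be decrypted.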

Variant

On December 7th, 2018, Facebook ransomware's developers released an updated variant of this ransomware that has a different pop-up window and file extension and now also creates a .rt file containing a ransom-demanding message. This version was developed using an open-source ransomware project called HiddenTear.

Text presented within this pop-up:

oops Your files are encrypted.
Please click the button that says "How to decrypt my files"
191RK3m897XbQqX7rSieYNqNFmJLorKpuP
[How to Decrypt your files.]
[Give me back my files!"

Text presented within this file:

Files has been encrypted with hidden tear
Send me some bitcoins or kebab
And I also hate night clubs, desserts, being drunk.