Fakewu is ransomware that runs on Microsoft Windows and targets English-speaking users. It belongs to the GX40 family.

Payload

Transmission

Fakewu is distributed through email spam and malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

Fakewu encrypts the user's data with AES-256 in ECB mode and then demands a ransom of 0.02 BTC to restore the files. It appends the .encrypted extension to each encrypted file. It encrypts files with the following extensions:

.#vc, .$ac, ._vc, .00c, .07g, .07i, .08i,
.09i, .09t, .10t, .11t, .123, .13t, .1pa,
.1pe, .2011, .2012, .2013, .2014, .2015,
.2016, .2017, .210, .3dm, .3ds, .3g2, .3gp,
.3me, .3pe, .500, .7z, .aac, .aaf, .ab4,
.ac2, .acc, .accd, .ach, .aci, .acm, .acr,
.aep, .aepx, .aes, .aet, .afm, .ai, .aif,
.amj, .as, .as3, .asc, .asf, .asm, .asp,
.asx, .ati, .avi, .back, .bak, .bat, .bay,
.bc8, .bc9, .bd2, .bd3, .bgt, .bk2, .bkf,
.bmp, .bpf, .bpw, .brd, .brw, .btif, .bz2,
.c, .cal, .cat, .cb, .cd, .cdf, .cdr, .cdt,
.cdx, .cf8, .cf9, .cfdi, .cfp, .cgm, .cgn,
.ch, .chg, .cht, .clas, .clk, .cmd, .cmx,
.cnt, .cntk, .coa, .cpp, .cpt, .cpw, .cpx,
.crt, .cs, .csl, .csr, .css, .csv, .cur,
.cus, .d07, .dac, .dat, .db, .dbf, .dch,
.dcr, .ddd, .dds, .defx, .der, .des, .dgc,
.dif, .dip, .djv, .djvu, .dng, .doc, .docb,
.docm, .docx, .dot, .dotm, .dotx, .drw,
.ds4, .dsb, .dsf, .dtau, .dtd, .dtl, .dwg,
.dxf, .dxi, .ebc, .ebd, .ebq, .ec8, .efs,
.efsl, .efx, .emd, .eml, .emp, .ens, .ent,
.epa, .epb, .eps, .eqb, .ert, .esk, .ess,
.esv, .etq, .ets, .exp, .fa1, .fa2, .fca,
.fcpa, .fcpr, .fcr, .fef, .ffd, .fim, .fla,
.flac, .flv, .fmv, .fon, .fpx, .frm, .fx0,
.fx1, .fxr, .fxw, .fyc, .gdb, .gem, .gfi,
.gif, .gnc, .gpc, .gpg, .gsb, .gto, .gz,
.h, .h10, .h11, .h12, .hbk, .hif, .hpp,
.hsr, .html, .hts, .hwp, .i2b, .iban, .ibd,
.ico, .idml, .iff, .iif, .img, .imp, .indb,
.indd, .indl, .indt, .ini, .int, .intu,
.inv, .inx, .ipe, .ipg, .itf, .jar, .java,
.jng, .jp2, .jpeg, .jpg, .js, .jsd, .jsda,
.jsp, .kb7, .kd3, .kdc, .key, .kmo, .kmy,
.lay, .lay6, .lcd, .ldc, .ldf, .ldr, .let,
.lgb, .lhr, .lid, .lin, .lld, .lmr, .log,
.lua, .lz, .m, .m10, .m11, .m12, .m14, .m15,
.m16, .m3u, .m3u8, .m4a, .m4u, .m4v, .mac,
.max, .mbsb, .md, .mda, .mdb, .mdf, .mef,
.mem, .met, .meta, .mhtm, .mid, .mkv, .ml2,
.ml9, .mlb, .mlc, .mmb, .mml, .mmw, .mn1,
.mn2, .mn3, .mn4, .mn5, .mn6, .mn7, .mn8,
.mn9, .mne, .mnp, .mny, .mone, .mov, .mp2,
.mp3, .mp4, .mpa, .mpe, .mpeg, .mpg, .mql,
.mrq, .ms11, .msg, .mwi, .mws, .mx0, .myd,
.mye, .myi, .myox, .n43, .nap, .nd, .nef,
.nl2, .nni, .npc, .nv, .nv2, .oab, .obi,
.odb, .odc, .odg, .odm, .odp, .ods, .odt,
.oet, .ofc, .ofx, .old, .omf, .op, .orf,
.ost, .otg, .otp, .ots, .ott, .p08, .p12,
.p7b, .p7c, .paq, .pas, .pat, .pcd, .pcif,
.pct, .pcx, .pd6, .pdb, .pdd, .pdf, .pem,
.per, .pfb, .pfd, .pfx, .pg, .php, .pic,
.pl, .plb, .pls, .plt, .pma, .pmd, .png,
.pns, .por, .pot, .potm, .potx, .pp4, .pp5,
.ppam, .ppf, .ppj, .pps, .ppsm, .ppsx, .ppt,
.pptx, .pr0, .pr1, .pr2, .pr3, .pr4, .pr5,
.prel, .prf, .prn, .prpr, .ps, .psd, .psp,
.pst, .ptb, .ptdb, .ptk, .ptx, .pvc, .pxa,
.py, .q00, .q01, .q06, .q07, .q08, .q09,
.q43, .q98, .qb1, .qb20, .qba, .qbb, .qbi,
.qbk, .qbm, .qbmb, .qbmd, .qbo, .qbp, .qbr,
.qbw, .qbx, .qby, .qbz, .qch, .qcow, .qdf,
.qdfx, .qdt, .qel, .qem, .qfi, .qfx, .qif,
.qix, .qme, .qml, .qmt, .qmtf, .qnx, .qob,
.qpb, .qpd, .qpg, .qph, .qpi, .qsd, .qsm,
.qss, .qst, .qtx, .quic, .quo, .qw5, .qwc,
.qwmo, .qxf, .r3d, .ra, .raf, .rar, .raw,
.rb, .rcs, .rda, .rdy, .reb, .rec, .resx,
.rif, .rm, .rpf, .rsspptm, .rtf, .rtp, .rw2,
.rwl, .rz, .s12, .s7z, .saf, .saj, .say,
.sba, .sbc, .sbd, .sbf, .scd, .sch, .sct,
.sdf, .sdy, .seam, .ses, .set, .shw, .sic,
.skg, .sldm, .sldx, .slk, .slp, .sql, .sqli,
.sr2, .srf, .ssg, .stc, .std, .sti, .stm,
.str, .stw, .svg, .swf, .sxc, .sxd, .sxi,
.sxm, .sxw, .t00, .t01, .t02, .t03, .t04,
.t05, .t06, .t07, .t08, .t09, .t10, .t11,
.t12, .t13, .t14, .t15, .t99, .ta1, .ta2,
.ta4, .ta5, .ta6, .ta8, .ta9, .tar, .tax,
.tax0, .tax1, .tax2, .tb2, .tbk, .tbp, .tdr,
.text, .tfx, .tga, .tgz, .tif, .tiff, .tkr,
.tlg, .tom, .tpl, .trm, .trn, .tt10, .tt11,
.tt12, .tt13, .tt14, .tt15, .tt20, .ttf,
.txf, .txt, .u08, .u10, .u11, .u12, .uop,
.uot, .v30, .vb, .vbpf, .vbs, .vcf, .vdf,
.vdi, .vmb, .vmdk, .vmx, .vnd, .vob, .vsd,
.vyp, .vyr, .wac, .wav, .wb2, .wi, .wk1,
.wk3, .wk4, .wks, .wma, .wmf, .wmv, .wpd,
.wpg, .wps, .x3f, .xaa, .xcf, .xeq, .xhtm,
.xla, .xlam, .xlc, .xlk, .xll, .xlm, .xlr,
.xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm,
.xltx, .xlw, .xml, .xpm, .xqx, .yuv, .zdb,
.ziparc, .zipx, .zix, .zka

It drops a ransom note named FILE SECURITY PROTECTED, which reads:

YOUR FILES HAS BEEN ENCRYPTED 
Your documents, photos, databases and other important files have been 
encrypted with strongest encryption and unique key, generated for this computer. 
Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you 
pay and obtain the private key. 
Now you have the last chance to decrypt your files. 
1. Buy Bitcoin (https://en.bitcoin.it/wiki/Buying_bitcoins) 
2. Send amount of 0.02 BTC to address: 3BsyRz2scfvXcWRaycPoizEH5hAbDmWcpNE 
3. Transaction will take about 15-30 minutes to confirm. 
4. When transaction is confirmed, send email to us at ransomwareinc@yopmail.com 
5. Write subject of your mail with:
'Restore my files ***' 
6. Write content of your mail with: 
'Bitcoin payment: (YOUR BITCOIN TRANSACTION ID) 
Computer Identifier: ***' 
7. We will contact you back with your private key. 
button [RESTORE]
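The two artifacts described above, the appended .encrypted extension and the FILE SECURITY PROTECTED note, plus the choice of ECB mode, give a responder something to check for. The following triage script is an added example written for this page, not code from the wiki or from the malware: it inventories .encrypted files by original extension, looks for the note, and flags files whose ciphertext repeats 16-byte blocks, which is what AES-ECB produces from structured plaintext (zero padding, flat image regions) and what CBC or CTR output never does. The sample directory and the keyed-hash stand-in for an ECB cipher are constructed for the demonstration and are not AES.

```python
import hashlib
import os
import tempfile
from collections import Counter

NOTE_NAME = "FILE SECURITY PROTECTED"   # ransom note name given on the page
ENCRYPTED_EXT = ".encrypted"            # extension Fakewu appends to victims' files


def ecb_repeat_ratio(data: bytes, block: int = 16) -> float:
    """Fraction of 16-byte blocks that duplicate an earlier block. ECB maps equal
    plaintext blocks to equal ciphertext blocks, so structured input scores well
    above 0; CBC/CTR ciphertext or random data scores about 0."""
    n = len(data) // block
    blocks = [data[i * block:(i + 1) * block] for i in range(n)]
    return 1 - len(set(blocks)) / n if n else 0.0


def triage(root: str, threshold: float = 0.1) -> dict:
    """Walk root: count .encrypted files by their original extension, record
    whether the note is present, and list files with ECB-style block repetition."""
    by_ext, ecb_like, note_found = Counter(), [], False
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name == NOTE_NAME:
                note_found = True
            elif name.endswith(ENCRYPTED_EXT):
                orig_ext = os.path.splitext(name[:-len(ENCRYPTED_EXT)])[1].lower()
                by_ext[orig_ext] += 1
                with open(os.path.join(dirpath, name), "rb") as f:
                    if ecb_repeat_ratio(f.read()) > threshold:
                        ecb_like.append(name)
    return {"by_ext": dict(by_ext), "note_found": note_found,
            "ecb_like": sorted(ecb_like)}


def fake_ecb(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for an ECB cipher (keyed hash per block, NOT AES and
    not invertible); it only reproduces the block-repetition property."""
    return b"".join(hashlib.sha256(key + data[i:i + 16]).digest()[:16]
                    for i in range(0, len(data) - len(data) % 16, 16))


def build_sample_dir() -> str:
    """Construct a sample victim directory: a zero-filled image, a random-content
    document, an untouched file and the ransom note (all synthetic)."""
    root = tempfile.mkdtemp(prefix="fakewu_triage_")
    samples = {"photo.bmp" + ENCRYPTED_EXT: fake_ecb(b"\x00" * 4096, b"k"),
               "report.docx" + ENCRYPTED_EXT: fake_ecb(os.urandom(4096), b"k"),
               "readme.txt": b"not touched", NOTE_NAME: b"YOUR FILES HAS BEEN ENCRYPTED"}
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as f:
            f.write(content)
    return root
```

Run `triage(build_sample_dir())` to see the zero-filled image flagged as ECB-like while the random-content document is not; on a real host, point `triage` at the affected volume instead.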