FRS ransomware virus oriented to Chinese PC users

FRS ransomware is a crypto-virus, which is similar to FCP Randowmare. Usually, it infects PCs via malicious spam email[1] attachments or compromised Remote Desktop Manager utilities. Once installed, it targets Desktop, Saved Games, Favorites, Searches Videos, and Pictures folders to lock the most popular file types, including .doc, .docx, .pdf, .jpg, .png, .avi, .mp3, etc. Each file encrypted by FRS ransomware virus gets a .FRS file extension, which will supposedly be encrypted by running a FRS_Decryptor.exe file. However, experts recommend the victims to try restoring the “locked” files by simply renaming them because this pretend-to-be ransomware might not be using encryption algorithm.
As soon as files are corrupted, the virus changes the default desktop wallpaper with Chinese national flag (Chinese_national_flag.png) and generates a READ_ME_HELP_ME.txt ransom note. The ransom note is initially written in the Chinese language; thus obviously the virus is oriented to Chinese-speaking users. Nonetheless, the .txt file contains a translation into English. The ransom note says:
Oops! Your important files have been encrypted!
Is the content of your files not readable? It is normal because your important files have been encrypted by the “FRS Ransomware.” It means your files are NOT DAMAGED! Your files are just encrypted. From not it is not possible to use your files until they will be decrypted. The only way to decrypt your files safely is use special decryption tool “FRS Decryptor.” Please wait for “FRS Decryptor” to start automatically. If “FRS Decryptor” does not start automatically, open “FRS Decryptor” on the desktop.
Once the FRS ransomware virus payload is being executed, it attacks the following locations by corrupted the content with the following encryption scheme *.*” *.*.FRS. For this purpose, it activates Command Prompt in the background and runs the following commands:
Desktop\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Saved Games\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Links\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Favorites\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Searches\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Videos\*.*” *.*.FRS
ren “C:\Users\%USERNAME%\Pictures\
Unfortunately, it's not yet clear is it possible to decrypt files locked by FRS ransomware. If the virus continues the work of its ancestor (FPCRansomware), it might be that the ransomware did not encrypted files, but simply renamed them in a way that the system could not recognize them. Thus, try to unlock the supposedly locked files manually by simply renaming them.
If the files haven't been renamed but locked, you may attempt to open a FRS_Decryptor.exe decryptor available on the desktop. However, this file is dubbed as an official FRS decryptor, but allows decrypting only a few files for free. Those who opt for restoring the rest of the data have to purchase an “Advanced Edition,” but the amount of a ransom is not indicated.
By the way, the fact that it's compiled with “Quick Batch File Compiler”[2] makes it different from the other ransomware viruses. In other words, it's developers used the Batch Converter to convert ransomware-related Batch scripts into .EXE format (FRS.exe), thus making the development process more manageable. Besides, using a Quick Batch File Compiler allows crooks to conceal malicious batch file's operations from an end user by encrypting and protecting the ultimately converted .EXE file from the changes.

Anyway, it's not advisable to pay the ransom as you can only lose your money for nothing. Thanatos ransomware is one of the examples proving the fact that ransomware developers are not concerned about people's files. All they want is monetary support, which would let them continue cyber attacks.
Instead of paying the ransom, you should remove FRS ransomware from the system with one of these tools – FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. Indeed, you can use another security tool, but make sure to choose a powerful and reputable one. After the FRS ransomware removal, you can decrypt files from backups or try alternative decryption methods. Explicit information on how to decrypt files locked by FRS is included at the end of this article.
Restrain from opening misleading email attachments
For the last couple of decades, social engineering attacks[3] are the most successful method employed by hackers to initiate malicious activities through human interactions. Although Baiting and Scareware work, phishing scam tricks millions of PC users to download malware, ransomware and other cyber infections each day.
The most frequently ransomware dissemination strategy is dubbed as spam. It includes email and text message campaigns, which are aimed at creating a sense of urgency or curiosity. Crooks generate email messages via spam bots and attach ransomware payloads in the form of .exe, .doc, .docx, . png, .avix, and similar formats. Such emails can mimic official authorities or online services, which urge to open the attachment. If the victim falls for the trick, he or she opens the attachment (enabling Macros is required), and unintentionally executes the ransomware payload. Cybersecurity experts from avirus.hu[4] claim that there's only one way to prevent ransomware payloads from being accidentally downloaded – bypass misleading email attachments. You should use email filters and report suspicious-looking emails as spam all the time.
Elimination of FRS ransomware virus
Do not waste your time trying to remove FRS ransomware manually because it's not possible. The only way to get rid of this cyber infection is to run a full system scan with a reputable and updated anti-virus. According to AV-Tests,[5] the bulk of AV engines (53 out of 68) are capable of detecting the virus and initiating full FRS ransomware removal.
To delete the FRS crypto-malware automatically, you can use one of these tools: FortectIntego, SpyHunterCombo Cleaner or MalwarebytesMalwarebytes. After the removal, plug-in the external storage of the backups and recover your files from it. In case you don't have backups, try file encryption methods given below:
Was this guide helpful?
Be the first to comment