Frendi ransomware - How to remove

Frendi ransomware is a newly discovered Phobos cryptovirus variant that has been recently discovered infecting users’ computers and locking precious personal data with strong algorithms later demanding for the payment in exchange for the decrypting key. This virus can be easily recognized from the ‘.Frendi’ extension mark left at the end of affected files’ names and ransom notes with explanations and instructions on how to contact the crooks and complete the transaction. Although only developers of Frendi ransomware know the decrypting code, this doesn’t mean that paying them is a good idea and will help you get your data back.

As the Virustotal.com analysis shows, the majority of antivirus engines detect Frendi ransomware as malicious software, but that does not mean that your PC is fully protected from it even if you have one of these security applications running, since this cryptovirus has sophisticated obfuscation techniques which allow it to sneak in and install undetected, just like other of its kind, for example, Borontok, PewCryptAYE ransomware and etc. This is why it is important to learn more about this threat and know the possible ways it can enter the system, what it does to the computer and how to get rid of it if it does get in. Unfortunately, at the moment there is no official decryptor for Frendi virus, but there are still some options (which are mentioned at the end of the article) you shall try in order to potentially restore your files.

What is Frendi ransomware

Frendi cryptovirus was first mentioned by cybersecurity expert JakubKroustek and soon identified as the latest Phobos ransomware variant. It seems as if the mechanisms are still the same as in the original source, the only difference being the used appendix ‘.Frendi’, email addresses – [email protected], [email protected], and updated encryption code. Presumably, the used cipher for encryption is still AES, but even though the features of Frendi ransomware are well known for malware specialists, the algorithm is still not yet cracked. This is why malware prevention and backups are so important since in situations like this it can be the only solution.

phobos frendi ransomware ransom notes

Once the victim initiates Frendi ransomware executable, the virus starts running malicious background processes which start with copying malware pieces into various important Windows system folders such as %AppData%, %Local%, %Temp% and etc., that ensure the persistence, invisibility, and authorization to make changes in the computer, just as the hackers want. At the same time, antivirus operations are stopped and potential files that are suitable for encryption are being recognized. Then the Symmetric AES algorithm is applied to the selected picture, audio, video, document files making them unavailable, and the generated unique unlocking code is sent to crooks, while the affected data is marked with .Frendi extension. This only lasts for seconds and there is no way you can stop the ransomware from harming your PC.

The reason why only a certain data (all files except for the crucial system folders) is targeted is so that the crooks could contact the user and demand a ransom and the victim would be able to make the payment with the same computer. The only way hackers can benefit from Frendi virus – only if the user pays. The information is displayed in both – text file and GUI:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
Write this ID in the title of your message [uniqueID]
In case of no answer in 24 hours write us to theese e-mails: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected] or [email protected]
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www{.}coindesk{.}com/information/how-can-i-buy-bitcoins/

Jabber client installation instructions:
Download the jabber (Pidgin) client from https://pidgin.im/download/windows/
After installation, the Pidgin client will prompt you to create a new account.
Click “Add”
In the “Protocol” field, select XMPP
In “Username” – come up with any name
In the field “domain” – enter any jabber-server, there are a lot of them, for example – exploit.im
Create a password
At the bottom, put a tick “Create account”
Click add
If you selected “domain” – exploit.im, then a new window should appear in which you will need to re-enter your data:
User
password
You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

If you don’t understand our Pidgin client installation instructions, you can find many installation tutorials on youtube – https://www.youtube.com/results?search_query=pidgin+jabber+install

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Encrypted.txt:

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail [email protected]
In case of no answer in 24 hours write us to theese e-mails: [email protected]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email protected], or [email protected]

The creators of Frendi ransomware give their emails and other ways to contact them like Jabber messaging tool, just so that the users would reply. Just like in every other ransomware, Frendi virus asks for Cryptocurrency – Bitcoin, to ensure anonymity, yet it is unknown how much (The average can be around a $1000). All in all, reaching out to hackers shouldn’t be considered as a solution because they cannot be trusted and very often they simply take your money but do not send anything back, or the code does not work properly. Not only just very few people have a spare thousand or a couple of hundred dollars that they could easily give away just to get their files back, but it is much safer to try recovering files yourself.

How Frendi virus spreads

Frendi ransomware has the potential to infect systems through various paths, e.g. P2P networks, Trojans, exploit kits, deceitful links, fake updates, RaaS service and etc., but some of them require very technical knowledge and resources, except for Malspam, which only needs hackers to make a believable message that would urge the recipient to either click on the hyperlink that automatically initiates cryptovirus set up or to open an attached .pdf or .docx file with virus inside Macros. Typically these phishing emails are socially engineered to look like important messages from the clients, government, employers, attorneys, bank, healthcare facilities and etc. They seem to be very obscure, yet captivating or shocking, which drives victims on clicking on the link or getting the file to figure things out.

Users who know about phishing can spot the malicious emails from the lack of data, such as no name of the addressee, unofficial sender’s email, short and unspecific message, the persistent command to open the link or attachment and etc. But because Frendi hackers are also very good at deceiving people, even the most aware users fall for their scam. (How to recognize Phishing)

How to get rid of Frendi ransomware and recover data

Removal of Frendi ransomware is very important not only for preventing the virus from locking all the newly written files but also as an essential step towards potential data recovery. Unfortunately, deleting the virus does not mean that the encrypted files will get unlocked as well, that’s why ransomware is one of the most unfortunate computer infections out there. Users who do have backups of all their important files are lucky since they can restore the system from the snapshot made in the past, however, we still advise them to get rid of Frendi ransomware first.

Frendi cryptovirus can be removed by a trustworthy spyware eliminating tool. We suggest Spyhunter, but you are welcome to try others of your choice, as long as they are reputable and not fake antivirus engines, because that would cause more issues than there is now. Simply perform a system scan with a security application and see if it detect anything. Once the anti-malware software picks up on the malicious agent, continue with provided instructions, which are very easy and typically require pressing a few buttons for permanent virus termination. Only when you are sure that your system is free from Frendi ransomware, you shall move onto the next step – recovery.

As we mentioned earlier, users who have their backups can now begin the recovery process as shown in the instruction below, but those who haven’t should seek other options. Currently, there is no official decryptor released for Frendi cryptovirus, however, that does not mean that there won’t be. Although there are a few techniques that allow restoring data from Shadow Copies or with special file recovery programs (all mentioned at the end of the article as well), sometimes virus tends to delete file snapshots, therefore, nothing works. We suggest to first try these techniques only on a few files, so it wouldn’t damage data and if you can’t, then simply store .frendi marked files in your PC or drive and keep checking Nomoreransom.org website for decryptor updates.

Automatic Malware removal tools

Download Spyhunter for Malware detection
(Win)

Note: Spyhunter trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions,

Download Combo Cleaner for Malware detection
(Mac)

Note: Combo Cleaner trial provides detection of parasites and assists in their removal for free. limited trial available, Terms of use, Privacy Policy, Uninstall Instructions, Refund Policy ,


How to recover Frendi ransomware encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:


for Windows 7 / Vista/ XP
  • Start Shutdown RestartOK.
  • Press F8 key repeatedly until Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt. Windows 7 enter safe mode

for Windows 8 / 10
  • Press Power at Windows login screen. Then press and hold Shift key and click Restart. Windows 8-10 restart to safe mode
  • Choose TroubleshootAdvanced OptionsStartup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings. Windows 8-10 enter safe mode
 

2.Restore System files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.CMD commands
  • Click “Next” in the windows that appeared. Restore point img1
  • Select one of the Restore Points that are available before .Frendi has infiltrated to your system and then click “Next”. Restore point img2
  • To start System restore click “Yes”. Restore point img3
 

Step 2. Complete removal of Frendi ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to .Frendi. You can check other tools here.  

Step 3. Restore Frendi ransomware affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually .Frendi tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select PropertiesPrevious versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
Previous version
b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Shadow explorer

Step 4. Use Data Recovery programs to recover Frendi ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
  • We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
  • Download a data recovery program.
  • Install and scan for recently deleted files. Data Recovery Pro
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.
Leave a Reply

Your email address will not be published. Required fields are marked *