Cyber Security Center

How to delete FLYU ransomware


FLYU ransomware is file-encrypting malicious program that comes from the notorious Dharma ransomware family. Adds a .[yourfiles1@tutanota.com].FLYU file extension to encrypted files and drops a FILES ENCRYPTED.txt ransom note, as well as a pop-up note.

 

FLYU ransom note

Discovered by Jakub Kroustek, FLYU ransomware is part of the notorious Dharma ransomware family, versions of which we have already written about (Cve, Gold, NW24). This is file-encrypting malware, which means as soon as it infects a computer it will encrypt files, and users will not be able to open them. The files will remain unopenable until users decrypt them using a special decryption tool. Unfortunately, the decryption tool is not free, and selling it to victims is how ransomware gangs make money. But there are no guarantees that the decryptor offered by cyber crooks would work or even if it would be sent at all. Thus, victims are discouraged from paying the ransom sum. The ransomware sum is not mentioned in the pop-up ransom note or the FILES ENCRYPTED.txt one, though it will likely be somewhere between $100 and $1000. But whatever it is, it’s not worth the risk.

This, unfortunately, leaves backup as the only way to recover files. File recovery should not be an issue for users who have backup, as they can access it as soon as they remove FLYU ransomware. For users without backup, an option is to back up the encrypted files and hope a free decryptor becomes available. Malware researchers do release free decryptors when possible, but one for FLYU ransomware is not yet available.

When looking for free decryptors, users should be very careful as there are many malicious/fake ones. Some of the legitimate sources that are safe to download decryptors from include NoMoreRansom, Emsisoft, other anti-virus vendors and malware researchers.

What does FLYU ransomware do?

The ransomware will start file encryption soon after infecting a computer. Bu the time users notice, their files will have a strange extension added to them and they’ll be unopenable. The extension added to encrypted files will contain users’ unique IDs and .[yourfiles1@tutanota.com].FLYU. For example, image.jpg would become image.jpg.uniqueID.[yourfiles1@tutanota.com].FLYU.

When files are done being encrypted, a ransom note FILES ENCRYPTED.txt will be dropped, and another note will pop up. The pop-up ransom note contains more information, and claims that victims need to send an email to yourfiles1@tutanota.com with their IDs. The price for the decryptor is not mentioned in the note, and likely is different for each victim. But whatever it may be, it’s not recommended to pay. Not only are there no guarantees that a working decryptor would be sent to victims, the money also goes towards future criminal activities. As long as victims continue to pay the ransom, ransomware will remain a serious threat.

Here are the contents of the pop-up ransom note:

YOUR FILES ARE ENCRYPTED
Don’t worry,you can return all your files!
If you want to restore them, follow this link:email yourfiles1@tutanota.com YOUR ID –
If you have not been answered via the link within 12 hours, write to us by e-mail:yourfiles1@cock.li
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How does ransomware infect a computer?

In most cases, users infect their computers with ransomware because they have bad browsing habits. Opening email attachments without double-checking, download torrents, clicking on ads when on high-risk websites is essentially inviting malware to enter a computer.

One of the most common ways ransomware enters a computer is via spam email attachments. Users may not recognize that they’re dealing with a malicious email and open the attached file, which would initiate the malware. Users have to learn to recognize what a potentially malicious email may look like, and what to look out for to avoid malware. The first thing users should check when they receive an unsolicited email is who the sender is. If the sender is using a random looking email address, that’s highly suspicious. Even if the sender’s email address looks legitimate, users should still look into it. The next clue is grammar and spelling mistakes. If the email tries to appear professional but has a lot of mistakes, that should cause suspicion. Lastly, to ensure that users don’t open malicious email attachments, all unsolicited ones should be scanned with anti-virus or VirusTotal before they’re opened.

Users who pirate, especially via torrents, have an increased risk of picking up malware. Torrent sites are notoriously badly regulated, which cyber criminals take full advantage off. It’s easy for them to disguise their malware as a movie, TV show, software, game, etc. When users download the file and open it, they unknowingly launch the malware. To decrease the risk of picking up malware, users should stop pirating copyrighted content.

How to remove FLYU ransomware

Using anti-malware software to delete FLYU ransomware is necessary because this is a complex infection. By attempting manual FLYU ransomware removal, users may end up doing even more damage. If users have backup, they can access it as soon as the ransomware is no longer present.

FLYU ransomware is detected as:

  • Trojan.Ransom.Crysis.E by BitDefender
  • Trojan.Ransom.Crysis.E (B) by Emsisoft
  • A Variant Of Win32/Filecoder.Crysis.P by ESET
  • Trojan-Ransom.Win32.Crusis.to by Kaspersky
  • Ransom.Crysis by Malwarebytes
  • Ransom:Win32/Wadhrama!hoa by Microsoft