Fatboy Ransomware, also known as PyCL Ransomware by malware researchers, is a new RaaS (Ransomware as a Service) type of malware infection that has been around for about two months. Our research indicates that the Command and Control (C&C) server of this infection may be down and therefore the ransomware program cannot connect to it to retrieve or store information. This means that it is possible that your version will not even encrypt your files, even though it claims so in its ransom note. In any case, we believe that this is a dangerous threat that is worth understanding in more depth so that you can avoid the next attack, which could be a working sample that makes you lose all your precious personal files. It is important that you remove Fatboy Ransomware from your system as soon as you notice its presence if you want to restore the security of your virtual world.
Since this ransomware is indeed a RaaS, it could be spread on the web in a number of ways. This malicious program is available on the dark web, so anyone can actually purchase it and then customize it according to their personal needs. Therefore, it is possible that the ransom fee and other features will also differ from version to version. This is also why it is hard to say which distribution method is the most likely. Still, we can tell you that the most widely used method is probably spam campaigns, because it is like throwing a bunch of hand-grenades into a lake to catch some easy fish.
You need to understand that just because you have a spam filter, tricky spam mails can still evade the last filter: You. Such a spam can seem to come from trustworthy senders, including local authorities (police), hotels, airlines, and other well-known or popular companies (Microsoft). When you see that your mail comes from the police, for example, you would not necessarily doubt it. You would rather want to see it right away, right? Of course, you would hastily check the subject, which would tell you that you have not paid for a speeding ticket yet, you have provided the wrong banking details for a room booking, or anything similar.
This is why we emphasize the need for being more cautious when clicking on e-mails even in your inbox, let alone your spam folder. This ransomware may travel as an attachment in such a spam mail. So when you click to view this fake image or document file, you actually initiate this vicious attack. Normally, when you delete Fatboy Ransomware, you could still lose all your encrypted files, because removal does not recover them. However, in this particular case, you may just be in luck, as we have mentioned before, because for now this threat does not seem to encrypt anything at all.
Another possibility for you to infect your system with this ransomware is to land on malicious webpages created with Exploit Kits. This type of malicious attack can only affect you if your browsers and browser plug-ins (Flash and Java) are not updated regularly. Cyber criminals can take advantage of security holes in older software versions and simply drop this infection onto your system without your knowledge. All you need to do is load such a page in your browser and the drop will be triggered. If you want to avoid such an infection, you should make sure that all your programs and plug-ins are frequently updated.
Although it is possible that right now this ransomware does not encrypt your files, since it does not seem to be able to contact its C&C server for information and to store the private key, it is still important to talk about what may happen if it works. Our research shows that this infection uses the “deadly” combination of the AES-256 and RSA-2048 algorithms, so that a single, unique, and unbreakable private key is the only key that can decrypt your files. This key is supposed to be kept stored on a remote C&C server and used to decrypt your encrypted files once you transfer the ransom fee.
When you run the downloaded malicious executable, it creates a folder named “%APPDATA%\cl” and copies a lot of legitimate Python files (the programming language of this infection) and libraries into it, along with a couple of unusual files, such as cl.exe (the malicious executable), server.txt (containing the IP address of the C&C server), and user.txt. This threat also creates a “%APPDATA%\How_Decrypt_My_Files” folder with a couple of .html files, images, and a .txt file named “read_me.txt” that contains instructions.
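The folder and file names listed above are enough for a quick host check. The following script is an added example, not code from the original write-up: it looks under an APPDATA-style directory for the “cl” and “How_Decrypt_My_Files” artifacts and extracts the C&C address from server.txt so it can be blocked at the firewall. The sample layout it builds and the 192.0.2.10 address inside it are constructed for the demonstration, not real indicators.

```python
"""Host check for the Fatboy/PyCL drop artifacts named above (added example, not the
article's code): looks under an APPDATA-style directory for the listed files and
extracts the C&C address from server.txt so it can be blocked."""
import ipaddress
import os
import tempfile
from pathlib import Path

DROP_DIR = "cl"                                  # %APPDATA%\cl
DROP_FILES = ("cl.exe", "server.txt", "user.txt")
NOTE_DIR = "How_Decrypt_My_Files"                # %APPDATA%\How_Decrypt_My_Files
NOTE_FILE = "read_me.txt"

def parse_server_txt(text):
    """Return the first valid IP address in server.txt; a trailing :port is ignored."""
    for token in text.replace(",", " ").split():
        for candidate in (token, token.rsplit(":", 1)[0]):
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                pass
    return None

def scan_appdata(appdata):
    """Report which artifacts exist under appdata and the parsed C&C address."""
    base = Path(appdata)
    found = [f"{DROP_DIR}/{n}" for n in DROP_FILES if (base / DROP_DIR / n).is_file()]
    if (base / NOTE_DIR / NOTE_FILE).is_file():
        found.append(f"{NOTE_DIR}/{NOTE_FILE}")
    server_txt = base / DROP_DIR / "server.txt"
    c2 = parse_server_txt(server_txt.read_text(errors="ignore")) if server_txt.is_file() else None
    # cl.exe plus a parseable C&C address is the strong signal; the note alone is weaker.
    return {"found": found, "c2": c2,
            "likely_infected": f"{DROP_DIR}/cl.exe" in found and c2 is not None}

def make_constructed_sample():
    """Build a throwaway directory mimicking the drop (TEST-NET address, not a real IoC)."""
    base = Path(tempfile.mkdtemp())
    (base / DROP_DIR).mkdir()
    (base / NOTE_DIR).mkdir()
    for name in DROP_FILES:
        (base / DROP_DIR / name).touch()
    (base / DROP_DIR / "server.txt").write_text("192.0.2.10:8080\n")
    (base / NOTE_DIR / NOTE_FILE).touch()
    return str(base)

if __name__ == "__main__":
    print(scan_appdata(os.environ.get("APPDATA", os.path.expanduser("~"))))  # real %APPDATA%
    print(scan_appdata(make_constructed_sample()))
```

On a clean machine the first line prints an empty finding; the second shows what a hit looks like, with the extracted C&C address ready for a block rule.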
After the encryption is done, if it is done at all, a very detailed ransom note appears on your screen that even has a tutorial on how you can purchase Bitcoins and so on. Of course, you have to pay the fee in Bitcoins; however, since the server is down we cannot confirm the real amount of this fee. As a matter of fact, it is quite likely that this amount is different for every version, since it is up to the criminals in question. In any case, this fee could be anything from 10 up to 2,000 US dollars worth of Bitcoins. However, if you are lucky enough to be attacked while the C&C server is down, it is possible that your files are all OK and you do not need to rush and buy Bitcoins. In fact, we would never advise you to do that anyway, since there is never any guarantee that you will get your private key at all. We suggest that you remove Fatboy Ransomware ASAP instead.
Since this ransomware may use a ransom note window that you cannot simply close, first of all, you need to open your Task Manager to end the malicious process if you want to be able to delete Fatboy Ransomware and all the related files. Please use our instructions below as a reference if you want to end this nightmare manually. It is possible that you have had enough of malware threats and would like to protect your PC more efficiently. Thus, we advise you to install a trustworthy malware removal tool, such as SpyHunter. This software can automatically filter out all malicious attacks and potential threats; in other words, no more paranoia for you while browsing the web.