French Ransomware got its name mostly because its ransom note is written in French and the threat itself does not suggest any other name. Our researchers think the malicious program is not being distributed yet, and when it starts to spread, it is entirely possible it will be known by another name. Nonetheless, we feel it is important to let our readers know about upcoming threats they should watch out for. Therefore, further in the article, we will talk about the way the malware works and its possible distribution channels. However, French Ransomware might already be distributed among some users to test it, so it is possible some of you could encounter it. For this reason, we will add our recommended deletion steps just a bit below the article too. Plus, if you have any questions, you can submit them in the comments section.
It was discovered that the malicious application could be based on an open source ransomware called Hidden Tear. It was supposed to be educational, but unfortunately, some hackers managed to get their hands on its code, and ever since then a lot of infections that use Hidden Tear’s code have been created. No doubt, hackers see it as an easy way to make some money. French Ransomware is no exception, as our researchers noticed it drops a ransom note asking for 150 euros paid in Bitcoins. Apparently, the malware’s ransom note (background.jpg) should be dropped in the same folder where the victim downloaded and launched its installer. The installer could be any file, for example, a recently downloaded email attachment, a software installer, or any other unreliable file downloaded from the Internet. Knowing that the ransom note is placed in the same directory should make it easier to find the threat’s installer if you do not know which file infected the computer.
Furthermore, we should talk about the damage the system could suffer if it gets infected with French Ransomware. At the moment of writing, the malware is programmed to encipher only the files located in %HOMEDRIVE%\testrw. It means that if you do not have a folder called testrw, the threat should not encrypt any data. Of course, later on, when the hackers release the final version, it should encrypt data in various directories, for example, %USERPROFILE%. Usually, such malicious programs encrypt only personal files like the user’s photos, videos, and so on; our researchers believe this ransomware should target such data as well. After encrypting its targeted files, it might replace their names with titles of 10 to 15 random characters. Additionally, the malware may append the .lockon extension to them. For instance, a text document called story.docx could turn into mRVaBENcq~lS.lockon or something similar.
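The two traits described above (renamed files ending in .lockon, and background.jpg sitting next to the installer) can be checked with a short triage script. This is an added example, not code from the researchers or from the malware; the list of installer file types and the sample tree are assumptions constructed for the dry run.

```python
import os
import tempfile
from pathlib import Path

LOCKED_EXT = ".lockon"        # extension named in the article
NOTE_NAME = "background.jpg"  # ransom note file name named in the article
# Assumption: typical executable/script types an installer could have.
INSTALLER_EXTS = {".exe", ".scr", ".com", ".bat", ".js", ".vbs"}

def is_renamed_victim(path: Path) -> bool:
    """True for <10-15 characters>.lockon, the renaming pattern described."""
    return path.suffix.lower() == LOCKED_EXT and 10 <= len(path.stem) <= 15

def triage(root):
    """Walk root; return (encrypted files, {note dir: candidate installers})."""
    encrypted, note_dirs = [], {}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        for name in files:
            if is_renamed_victim(here / name):
                encrypted.append(here / name)
        # The note is dropped beside the installer, so list likely installers.
        if any(n.lower() == NOTE_NAME for n in files):
            note_dirs[here] = sorted(
                here / n for n in files
                if Path(n).suffix.lower() in INSTALLER_EXTS)
    return sorted(encrypted), note_dirs

def build_sample(base: Path):
    """Constructed sample tree (empty files only) for a dry run."""
    (base / "testrw").mkdir()
    (base / "Downloads").mkdir()
    for rel in ["testrw/mRVaBENcq~lS.lockon", "testrw/notes.txt",
                "testrw/short.lockon", "Downloads/background.jpg",
                "Downloads/invoice_viewer.exe", "Downloads/photo.png"]:
        (base / rel).touch()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        hits, notes = triage(tmp)
        for f in hits:
            print("encrypted:", f)
        for d, cands in notes.items():
            print("note in:", d, "candidates:", [c.name for c in cands])
```

Because background.jpg is a common file name, treat a note hit as meaningful only when .lockon files are found as well, and review the listed candidates rather than deleting them automatically.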
Lastly, we would like to talk about the displayed ransom note. It might ask you to pay a specific sum and contact the malware’s creators by email to receive a decryption key. As you most likely realize, there are no guarantees the malicious program’s creators will be able or willing to deliver the promised decryption tools, so there is always a chance you could pay the money in vain. For this reason, we advise victims who encounter French Ransomware or any other similar threat not to risk their savings and to erase the infection instead. In this case, it should be enough to remove its installer, and we will explain how to do this in the instructions provided below.
Those who do not want to delete the malicious program manually can install a reliable security tool instead. In that case, we would recommend keeping your chosen antimalware tool up to date and active so it can guard the system against future threats.