
Remove FOX Ransomware (Virus Removal Guide)

FOX ransomware description

FOX is a ransomware-type virus that encrypts all files on targeted Windows computers. It is the latest Matrix ransomware variant, and it replaces the original filenames of locked files with [PabFox@protonmail.com ].[random characters].FOX. Following a successful data lock, the virus drops a ransom note called #FOX_README#.rtf into each affected folder. Finally, the virus changes the affected computer's desktop wallpaper. The primary distribution vector for this crypto-malware is RDP vulnerabilities.

FOX ransomware is a relatively slow virus, as it is designed to close all files (if opened) before starting the data encryption process. This gives the victim some time to detect and stop the ransomware process before all files are locked. The ransomware employs two encryption algorithms, AES-128 and RSA-2048, to secure the files, and once that is done, they can be decrypted only with keys held by the cybercriminals. The attackers suggest purchasing these keys, or in other words, paying a ransom, which can reach up to $3500, depending on the amount of data and the time the victim takes to pay.

The ransomware locks files on victim’s computer and demands paying a ransom.

The ransom note file, #FOX_README#.rtf, contains instructions on how to recover encrypted files. It states that data was locked due to “bad server security” and suggests buying a “unique decryption key and special software” from the criminals. The note also urges the victim to pay as soon as possible, claiming that otherwise the data will be deleted after 7 days and lost forever. To learn how to pay the ransom and get access to the FOX ransomware decryption tool, the victim is asked to write to each of the three provided emails and include a personal ID in the subject line.

  • PabFox@protonmail.com;
  • FoxHelp@cock.li;
  • FoxHelp@tutanota.com.

The note also instructs the victim to attach three encrypted files to the message so that the criminals can decrypt them and prove that they actually have tools for data recovery. The crooks also claim that they can “find common language” with the victim and help to restore all data, plus give recommendations on how to configure the server for better security. In case the victim does not receive an answer from the provided emails, the note suggests using the given instructions to write to them via Bitmessage.

If you have been infected by this ransomware, we recommend performing FOX ransomware removal using a trustworthy anti-malware tool. Our suggested RESTORO software can help to repair virus damage on Windows OS files.

Ransomware details

Name: FOX ransomware virus
Type: Ransomware; File Locker; Crypto-malware
Symptoms: Files are renamed, their icons turn blank, they cannot be opened. Each affected file folder contains a ransom note that demands contacting the criminals and paying the ransom, otherwise data will be lost forever.
File Marker: [PabFox@protonmail.com ].[random characters].FOX
Ransom note: #FOX_README#.rtf
Ransom amount: $500-$3500
Distribution: Remote Desktop Protocol vulnerabilities
Decryption: No decryption tools for FOX ransomware are available
Removal: Remove ransomware using anti-malware tool. We recommend repairing virus damage using RESTORO
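
The file marker and ransom note name listed above are enough to scope the damage on a disk or share. The following Python sketch is an added example, not part of the original guide: it walks a directory tree and reports which folders hold locked files or a note. The sample filenames and folder names are constructed, and the regular expression assumes the "random characters" part can be any non-empty string.

```python
import os
import re
import tempfile
from collections import defaultdict

# File marker and note name as given on this page; the marker is printed with a
# space before "]", so optional whitespace is tolerated there (assumption).
MARKER = re.compile(r"^\[PabFox@protonmail\.com\s*\]\..+\.FOX$", re.IGNORECASE)
NOTE_NAME = "#FOX_README#.rtf"


def scan(root):
    """Return {folder: {"encrypted": [names], "note": bool}} for affected folders."""
    report = defaultdict(lambda: {"encrypted": [], "note": False})
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if MARKER.match(name):
                report[folder]["encrypted"].append(name)
            elif name.lower() == NOTE_NAME.lower():
                report[folder]["note"] = True
    return dict(report)


def build_sample_tree(root):
    """Constructed sample data: two affected folders and one clean folder."""
    layout = {
        "finance": ["[PabFox@protonmail.com ].Ab3dE9xQ-k2LmN0pR.FOX", NOTE_NAME],
        "hr": ["[PabFox@protonmail.com].Zz81QwEr-Tt55YuIo.FOX", "policy.docx"],
        "public": ["readme.txt", "FOX.txt"],  # must not be flagged
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for folder, info in sorted(scan(tmp).items()):
            print(f"{folder}: {len(info['encrypted'])} locked, note={info['note']}")
```

Because the marker replaces the original filename, the report identifies folders to restore from backup rather than the names of the lost files.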

FOX ransomware is essentially similar to other ransomware infections such as DHARMA, STOP/DJVU, or XATI. The main difference is that the discussed virus is mainly used in targeted attacks. Viruses that fall into the same category all function the same – they encrypt files and keep them as hostages until the victim pays the ransom. However, we do not recommend paying the ransom as you can never trust cyber criminals. You might never receive decryption tools after paying up, and criminals might try to attack you again for more money.

Details about the infection

Screenshot of desktop wallpaper set by FOX virus:

Screenshot of folder containing encrypted data:

Contents of the ransom note left by the virus:

HOW TO RECOVER YOUR FILES INSTRUCTION
ATENTION!!!
We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED
by our automatic software. It became possible because of bad server security.
ATENTION!!!
Please don’t worry, we can help you to RESTORE your server to original
state and decrypt all your files quickly and safely!
INFORMATION!!!
Files are not broken!!!
Files were encrypted with AES-128+RSA-2048 crypto algorithms.
There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!
* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!
* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.
HOW TO RECOVER FILES???
Please write us to the e-mail (write on English or use professional translator):
PabFox@protonmail.com
FoxHelp@cock.li
FoxHelp@tutanota.com
You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!
In subject line write your personal ID: c0pyc@tfr0mpcr1sk
We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.
* Please note that files must not contain any valuable information and their total size must be less than 5Mb.
OUR ADVICE!!!
Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.
We will definitely reach an agreement 😉 !!!

ALTERNATIVE COMMUNICATION
If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе hxxps://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:
1. Оpеn in yоur brоwsеr thе link hxxps://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.
2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.
3. Rеturn tо sitе аnd сlick “Lоgin” lаbеl оr usе link hxxps://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе “Sign in” buttоn.
4. Сlick thе “Сrеаtе Rаndоm аddrеss” buttоn.
5. Сlick thе “Nеw mаssаgе” buttоn.
6. Sеnding mеssаgе:
Tо: Еntеr аddrеss: BM-2cXRWRW5Jv5hxbhgu2HJSJrtPf92iKshhm
Subjесt: Еntеr уоur ID: [string]
Mеssаgе: Dеscribе whаt уоu think nеcеssаrу.
Сlick thе “Sеnd mеssаgе” buttоn.

#FOX_README#.rtf

Ransomware distribution

FOX ransomware, as part of the MATRIX virus family, is mainly distributed in targeted attacks using RDP exploits. In other words, the attackers tend to brute-force vulnerable RDP credentials to compromise connections. To protect your computer network against such attacks, RDP should be used very carefully and with sufficiently complex passwords. In addition, two-factor authentication should be used for maximum security.

Another common ransomware distribution method is malicious email spam. It typically involves sending specifically crafted messages to the victim, often with a tone that demands urgent action (such as opening a document, replying to the email after viewing attachment or link contents, and so on). We recommend being extremely cautious and double-checking the sender's trustworthiness before opening any attachments, and never enabling document editing or macros unless that is absolutely necessary.
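
Brute-forcing of RDP credentials, as described above, leaves a recognisable trail in the Windows Security log: many failed logons (event 4625) from one address, sometimes followed by a successful one (event 4624). The Python sketch below is an added example, not part of the original guide. It runs that detection over constructed sample events; the dictionary keys, threshold and time window are assumptions, and in a real export the values would come from the events' IpAddress, TargetUserName and LogonType fields.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (RDP with NLA)


def event(ts, event_id, ip, user, logon_type=10):
    """Build one simplified event record (hypothetical structure)."""
    return {"time": datetime.fromisoformat(ts), "id": event_id,
            "ip": ip, "user": user, "type": logon_type}


# Constructed sample events, not real logs; the addresses are documentation ranges.
SAMPLE = (
    [event(f"2022-01-10T03:00:{s:02d}", FAILED, "203.0.113.7", "administrator", 3)
     for s in range(0, 40, 2)]                        # 20 failures in 40 seconds
    + [event("2022-01-10T03:00:41", SUCCESS, "203.0.113.7", "administrator")]
    + [event("2022-01-10T09:15:00", FAILED, "198.51.100.20", "alice"),
       event("2022-01-10T09:15:30", SUCCESS, "198.51.100.20", "alice")]  # a typo
)


def detect(events, threshold=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`
    and record the account used if a successful logon follows."""
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    findings = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["type"] not in RDP_LOGON_TYPES:
            continue
        ip = ev["ip"]
        if ev["id"] == FAILED:
            recent[ip] = [t for t in recent[ip] if ev["time"] - t <= window]
            recent[ip].append(ev["time"])
            if len(recent[ip]) >= threshold:
                hit = findings.setdefault(ip, {"failures": 0, "success_after": None})
                hit["failures"] = max(hit["failures"], len(recent[ip]))
        elif ev["id"] == SUCCESS and ip in findings:
            if findings[ip]["success_after"] is None:
                findings[ip]["success_after"] = ev["user"]
    return findings
```

A finding with `success_after` set means the guessed credentials worked: that account's password should be reset and the host treated as compromised.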

Finally, the crooks insert ransomware executables in illegal online torrent downloads. The most common way is to add these to various software cracks, or, in other words, illegal tools users employ to activate paid software licenses for free. Stay away from such downloads to keep your computer, data and privacy secure.

Remove FOX ransomware instantly

We recommend removing the FOX ransomware virus as soon as possible using the tools recommended below. What is more, you may want to use RESTORO to repair virus damage to default Windows OS files. It is a recommended tool that can fix various Windows problems, as explained in its review.

FOX virus removal clears the way for the data recovery procedure. Once you finish with the malware elimination, you can use your external storage devices to restore data that was corrupted. As for a FOX decryption tool, such software currently does not exist.

OUR GEEKS RECOMMEND

Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system:

STEP 1. REMOVE AUTOMATICALLY WITH ROBUST ANTIVIRUS

Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-the-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats. Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs.

Use INTEGO Antivirus to remove detected threats from your computer.


STEP 2. REPAIR VIRUS DAMAGE TO YOUR COMPUTER

RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically.

RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them.


GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more.

FOX ransomware virus Removal Guidelines

Method 1. Enter Safe Mode with Networking

Step 1. Start Windows in Safe Mode with Networking

Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot the PC in this mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode.

Instructions for Windows XP/Vista/7 users

  1. First of all, turn off your PC. Then press the Power button to start it again and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. This launches the Advanced Boot Options menu.
  2. Use arrow keys on the keyboard to navigate down to Safe Mode with Networking option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Open Windows Start menu, then press down the Power button. On your keyboard, press down and hold the Shift key, and then select Restart option.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Networking. In this case, it is the F5 key.

Step 2. Remove files associated with the virus

Now, you can search for and remove FOX ransomware virus files. It is very hard to identify files and registry keys that belong to the ransomware virus. Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall this type of computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).

REMOVE MALWARE & REPAIR VIRUS DAMAGE

1 Step. Get robust antivirus to remove existing threats and enable real-time protection

INTEGO Antivirus for Windows provides robust real-time protection, Web Shield against phishing and deceptive websites, blocks malicious downloads and blocks Zero-Day threats. Use it to remove ransomware and other viruses from your computer professionally.

2 Step. Repair Virus Damage on Windows Operating System Files

Download RESTORO to scan your system for FREE and detect security, hardware and stability issues. You can use the scan results and try to remove threats manually, or you can choose to get the full version of software to fix detected issues and repair virus damage to Windows OS system files automatically.

Method 2. Use System Restore

In order to use System Restore, you must have a system restore point, created either manually or automatically.

Step 1. Boot Windows in Safe Mode with Command Prompt

Instructions for Windows XP/Vista/7 users

  1. Shut down your PC. Start it again by pressing the Power button and instantly start pressing F8 button on your keyboard repeatedly in 1-second intervals. You will see Advanced Boot Options menu.
  2. Using arrow keys on the keyboard, navigate down to Safe Mode with Command Prompt option and press Enter.

Instructions for Windows 8/8.1/10 users

  1. Launch Windows Start menu, then click the Power button. On your keyboard, press down and hold the Shift key, and then choose Restart option with the mouse cursor.
  2. This will take you to Windows Troubleshoot screen. Choose Troubleshoot > Advanced Options > Startup Settings > Restart. Tip: If you can't find Startup Settings, click See more recovery options.
  3. In Startup Settings, press the right key between F1-F9 to enter Safe Mode with Command Prompt. In this case, press F6 key.

Step 2. Start System Restore process

  1. Wait until system loads and command prompt shows up.
  2. Type cd restore and press Enter, then type rstrui.exe and press Enter. Or you can just type %systemroot%\system32\restore\rstrui.exe in command prompt and hit Enter.
  3. This launches System Restore window. Click Next and then choose a System Restore point created in the past. Choose one that was created before ransomware infection.
  4. Click Yes to begin the system restoration process.

After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won't be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future.

Alternative software recommendations

Malwarebytes Anti-Malware

Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. It includes ransomware protection.

System Mechanic Ultimate Defense

System Mechanic Ultimate Defense is an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Due to its wide range of capabilities, System Mechanic Ultimate Defense deserves Geek's Advice approval. Get it now for 50% off.
