[Virus/malware activity reported: Fopra ransomware]

Due to a security breach believed to be in the form of Fopra ransomware,
we would like to confirm the situation and provide a warning as follows.

Fopra Ransomware

The ransomware is called Fopra and appears to be changing all files with the extension filename.extension.id[unique value].[tracklus@tfwno.gf].fopra.

How it works

file version

[Figure 1 File version]

[Figure 2 File properties]

behavioral process

• Register startup program

  Copy it from the initial startup location to %AppData%Local, run it again, and register it as a startup program.

  
  [Figure 3 Startup program registration]

  
  [Figure 4 Startup program registration]

• Deleting shadow copies

  Deletes shadow copies to make recovery difficult after infection.

  
  [Figure 5 Deleting shadow copies]

• Disable Windows Firewall

  Disable the firewall to make security vulnerable.

  
  [Figure 6 Disabling Windows Firewall]

Infection results

Information files are created in each folder with the names info.txt / info.hta, and when encryption is performed, the files are changed to <file name.extension.id[unique value].[tracklus@tfwno.gf].fopra> It's possible.

[Figure 7 Infection result 1]

[Figure 8 Infection result 2]

[Figure 9 Infection result 2]

White Defender compatible

It supports real-time automatic restoration of files that will be encrypted before the malicious actions and blocking of White Defender ransomware.

[Figure 10 Block message]

[Figure 11 Block message]

Go to the Fopra blocking video