You can check the latest ransomware information.
[ FridayBoycrazy ransomware ]
[Virus/Malware Activity Report: FridayBoycrazy Ransomware]
An intrusion believed to involve FridayBoycrazy ransomware has occurred,
so we are confirming the situation and issuing the following warning.
FridayBoycrazy Ransomware
The ransomware in question is called FridayBoycrazy and appears to change all files, renaming each one to its file name and extension followed by a random 4-digit number.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is a .NET-based ransomware, a Chaos variant with similar behavior. To make encrypted data difficult to recover, it deletes shadow copies and the Windows Backup Catalog (Windows Server) and disables the Windows basic restore and error notification functions. After encryption is complete, an execution link (shortcut) to the ransomware is created in the startup programs folder, and an image stored internally in Base64 format is written to Temp (the temporary folder) and applied as the desktop image.
[Figure 3 Chaos-type behavior: the ransomware copies itself to the Roaming folder and re-executes]
[Figure 4 Static code for deleting shadow copies and backup catalogs (Windows Server) and disabling basic recovery and error notifications]
[Figure 5 Execution link of ransomware created in startup program folder]
[Figure 6 Desktop image created in temporary folder]
Infection results
A ransom note, <Warning (txt file without extension)>, is created in each folder, and encrypted files are renamed to <file name.extension.random 4 digits>.
[Figure 7 Infection results]
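The infection results described above can be checked for during triage. The following is an added example, not code from this report or from White Defender: it flags folders that contain both the note named Warning and files matching <file name.extension.random 4 digits>. The function name, regular expression, and sample paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# <file name>.<extension>.<4 digits>, per the report's description of encrypted files
ENCRYPTED_RE = re.compile(r"^(?P<original>.+\.[^.]+)\.(?P<suffix>\d{4})$")
NOTE_NAME = "warning"  # note described as "Warning", a text file with no extension


def triage(paths):
    """Group paths by folder; flag folders holding the note plus renamed files."""
    folders = defaultdict(lambda: {"note": False, "renamed": []})
    for raw in paths:
        p = PureWindowsPath(raw)
        entry = folders[str(p.parent)]
        # Windows file names are case-insensitive, so compare in lower case.
        if p.name.lower() == NOTE_NAME:
            entry["note"] = True
            continue
        m = ENCRYPTED_RE.match(p.name)
        if m:
            # Keep the current name and the name it had before the suffix was added.
            entry["renamed"].append((p.name, m.group("original")))
    # A 4-digit suffix alone is weak evidence (dated archives look the same),
    # so a folder is reported only when the note is present as well.
    return {f: e["renamed"] for f, e in folders.items() if e["note"] and e["renamed"]}


# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Users\alice\Documents\budget.xlsx.4821",
    r"C:\Users\alice\Documents\notes.txt.0937",
    r"C:\Users\alice\Documents\Warning",
    r"C:\Users\alice\Documents\untouched.docx",
    r"C:\Archive\backup.tar.2021",  # benign look-alike, no note in this folder
    r"C:\Archive\readme.md",
]

if __name__ == "__main__":
    for folder, files in triage(SAMPLE).items():
        print(folder)
        for current, original in files:
            print(f"  {current}  (was {original})")
```

The input can be any file listing, for example one exported from a forensic image, so the check does not need to run on the affected host.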
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of the files that are encrypted before the block takes effect.
[Figure 7 Block message]