Fappy Ransomware Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on file-locking trojan Fappy spread via phishing campaigns, untrustworthy download sources, etc.
Updated on
April 19, 2023
Published on
September 18, 2020
Subscribe to the latest industry news, threats and resources.
Fappy is a ransomware-type malicious program, mapped as part of Hidden Tear ransomware family (open-source ransomware trojan that targets computers running Microsoft Windows). Fappy is quite recent and was spotted in September of 2020. Fappy is primarily spread via phishing campaigns, illegal activation tools, illegitimate updaters, and untrustworthy download sources. It was created to encrypt data after which the operators demand ransom for the decryption, as a result of which fappy is also known as the file-locking ransomware.  During the encryption process, all infected files are renamed with the ".Fappy" extension. For instance, a file named "one[.]jpg" is encrypted as "one[.]jpg[.]Fappy," as soon as it is infected by the virus. The operators demand 11.76 USD in BTC (0.00117 BTC), to unlock the files; the victims are also instructed to send proof of transfer.  [caption id="attachment_8156" align="aligncenter" width="342"]Fig1. Fappy ransomware's text file Fig1. Fappy ransomware's text file[/caption] Attackers send deceptive, phishing emails with words such as ‘official’, ‘urgent’, ‘important’ to create a sense of urgency and to invoke panic.[/vc_wp_text][vc_wp_text]


The ransom that Fappy operators demand is a mere 11.76 USD which suggests that their target is not corporate giants but common people, which only makes it worse. This gives them leverage to expand their campaign on a massive scale.

IOCs/ Hashes

  1. Encrypted Files Extension- [.]Fappy
  2. Ransom Demanding Message- HOW TO DECRYPT FILES.txt
  3. Cyber Criminal Contact- [email protected]
  4. MD5- 5e5cf87c2bd6c75b9bd1bf328250bc1e
  5. SHA1- 1e46359929051753bae257cafca9c5410e90f35d
  6. SHA256- 326caf2ef865e7354c7efb26d1f224ecc0176e074d99a734d40f8a0a39056201
  7. SSDEEP- 12288:5ei1y+QPehnIYkuDUreNuEpsOV1n60tct:Ei1XK8DLhubO31c

Preventive Measures

  1. Do not open suspicious emails.
  2. Use spam filters and antivirus programmes to detect and filter bad emails.
  3. Enable an endpoint security product or endpoint protection suite.
  4. Keep your software up-to-date.
  5. Back up data on a regular basis and keep archived copies offsite and offline.
  6. User privilege escalation should be strong; permit access privileges only to the admin.
  7. Do not install applications from unknown sources.

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations