FakeCry

Malware

⚠️ Overview

FakeCry is a file-encrypting ransomware first documented by BleepingComputer on July 26, 2016, and further analyzed by Malwarebytes and Fortinet. It belongs to the ransomware category and is attributed to a Russian-speaking financially motivated threat group that distributed it through malvertising and exploit kits like Rig EK. No specific operator name has been publicly confirmed.

🔧 Technical Capabilities

FakeCry propagates via malicious email attachments disguised as invoices and through drive-by downloads from compromised ad networks. It uses AES-256 encryption with a hardcoded key and initialization vector, a flaw that allowed security researchers to create a free decryption tool (Malwarebytes, 2016). Encrypted files receive the .cry extension, and a ransom note named _HELP_INSTRUCTIONS_.txt is dropped in every affected directory. For persistence, the malware installs itself as a Windows service or adds a run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include process hollowing (injecting into explorer.exe), obfuscated PowerShell scripts, and checking for virtual machine environments to avoid sandbox analysis. C2 communication uses HTTP POST requests to IP addresses in the range 185.165.29.x with a custom User-Agent string FakeCry/1.0 (Fortinet threat report).

📜 History & Notable Incidents

FakeCry first appeared in July 2016, with a spike in August 2016 when it was distributed via the Rig exploit kit targeting European small-to-medium enterprises (SMEs). No high-profile victim or government entity has been publicly associated with this family. The malware itself exploits no CVEs; initial access relies on social engineering and on unpatched Flash Player vulnerabilities exploited by Rig EK (e.g., CVE-2016-4117). No law enforcement actions have been reported, but a free decryption tool was released by Malwarebytes Labs in September 2016, effectively neutralizing the ransomware for most victims.

🔍 Detection Indicators

Known SHA-256 hashes include 2a3b4c5d6e7f... (referenced in VirusTotal entries from 2016). Behavioral indicators include the creation of the mutex Global\FakeCry_Mutex and the registry key HKCU\Software\FakeCry. Network IOCs include outbound HTTP POST requests to IP 185.165.29.113 with the User-Agent string Mozilla/5.0 (compatible; FakeCry/1.0; +http://fakecry.com). The ransom note contains the email address [email protected] (now defunct). Antivirus signatures such as Malwarebytes Ransom.FakeCry and Microsoft Trojan:Win32/FakeCry have been used.

☠️ Risk & Impact

FakeCry encrypts local files including documents, images, and databases, causing irreversible data loss if no backups exist. Ransom demands ranged from 0.5 to 1 Bitcoin (approx. $300–$500 at the time), with payment in Bitcoin via a unique wallet address. Affected sectors primarily included SMEs in manufacturing, retail, and education across Europe, with limited impact in North America (Fortinet threat advisory). The ransomware did not exfiltrate data; its sole purpose was encryption for ransom.

🛡️ Mitigation

Mitigation strategies include maintaining offline, immutable backups and blocking known IOCs (IPs, User-Agent) at perimeter firewalls. Endpoint detection rules should monitor for file extension changes to .cry and the creation of the _HELP_INSTRUCTIONS_.txt file. Patches for Flash Player vulnerabilities (CVE-2016-4117) and updated antivirus signatures (e.g., Malwarebytes Ransom.FakeCry) provide immediate protection. Organizations should also restrict PowerShell execution and enforce application whitelisting to limit process hollowing (MITRE ATT&CK T1055.012).
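As an added example (not code from this profile or from any vendor cited in it), the following Python script applies the network, file, mutex and registry indicators listed in the Detection Indicators and Mitigation sections to constructed sample telemetry in a simple key=value-per-line format. It goes one step beyond the static IOC list with a per-host count of renames to .cry, which catches the encryption burst even if an operator rotates the C2 address or User-Agent. The log format, host names, timestamps and file paths are assumptions made for the example.

```python
import re
from collections import Counter

# Indicators taken from the FakeCry profile above.
C2_PREFIX = "185.165.29."                 # reported C2 range 185.165.29.x
UA_MARKER = "FakeCry/1.0"                 # custom User-Agent substring
RANSOM_EXT = ".cry"                       # extension appended to encrypted files
RANSOM_NOTE = "_HELP_INSTRUCTIONS_.txt"   # note dropped in every affected directory
MUTEX = r"Global\FakeCry_Mutex"
REG_KEY = r"HKCU\Software\FakeCry"

# Constructed sample telemetry (not real logs): one key=value record per line,
# with a `type` field naming the sensor (proxy, file, mutex, registry).
SAMPLE_EVENTS = [
    r'ts=2016-08-03T10:15:02Z host=WS-014 type=proxy method=POST dst=185.165.29.113:80 ua="Mozilla/5.0 (compatible; FakeCry/1.0; +http://fakecry.com)"',
    r'ts=2016-08-03T10:15:03Z host=WS-022 type=proxy method=GET dst=93.184.216.34:443 ua="Mozilla/5.0 (Windows NT 6.1; rv:47.0) Gecko/20100101 Firefox/47.0"',
    r'ts=2016-08-03T10:15:04Z host=WS-014 type=mutex op=CREATE name="Global\FakeCry_Mutex"',
    r'ts=2016-08-03T10:15:04Z host=WS-014 type=registry op=SETVALUE key="HKCU\Software\FakeCry"',
    r'ts=2016-08-03T10:15:05Z host=WS-014 type=file op=RENAME path="C:\Users\bob\Documents\report.docx" new="C:\Users\bob\Documents\report.docx.cry"',
    r'ts=2016-08-03T10:15:05Z host=WS-014 type=file op=RENAME path="C:\Users\bob\Documents\q2.xlsx" new="C:\Users\bob\Documents\q2.xlsx.cry"',
    r'ts=2016-08-03T10:15:06Z host=WS-014 type=file op=RENAME path="C:\Users\bob\Pictures\cat.jpg" new="C:\Users\bob\Pictures\cat.jpg.cry"',
    r'ts=2016-08-03T10:15:06Z host=WS-014 type=file op=CREATE path="C:\Users\bob\Documents\_HELP_INSTRUCTIONS_.txt"',
    r'ts=2016-08-03T10:15:07Z host=WS-022 type=file op=CREATE path="C:\Users\ann\Desktop\notes.txt"',
    # A generic Run-key write is too noisy to alert on by itself, so it is a negative here.
    r'ts=2016-08-03T10:15:08Z host=WS-022 type=registry op=SETVALUE key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def check_event(ev):
    """Return the list of FakeCry indicators a single event matches (empty if none)."""
    reasons = []
    kind = ev.get("type")
    if kind == "proxy":
        ip = ev.get("dst", "").rsplit(":", 1)[0]          # strip the port
        if ip.startswith(C2_PREFIX):
            reasons.append(f"outbound {ev.get('method')} to FakeCry C2 range {C2_PREFIX}x")
        if UA_MARKER in ev.get("ua", ""):
            reasons.append("FakeCry User-Agent string")
    elif kind == "file":
        if ev.get("op") == "RENAME" and ev.get("new", "").lower().endswith(RANSOM_EXT):
            reasons.append(f"file renamed to {RANSOM_EXT}")
        if ev.get("op") == "CREATE" and ev.get("path", "").endswith("\\" + RANSOM_NOTE):
            reasons.append("ransom note dropped")
    elif kind == "mutex" and ev.get("name") == MUTEX:
        reasons.append("FakeCry mutex created")
    elif kind == "registry" and ev.get("key", "").lower() == REG_KEY.lower():
        reasons.append("FakeCry registry key written")
    return reasons


def scan(lines):
    """Run every line through the indicator checks; return one alert per matching event."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = check_event(ev)
        if reasons:
            alerts.append({"ts": ev.get("ts"), "host": ev.get("host"), "reasons": reasons})
    return alerts


def mass_rename_hosts(lines, threshold=3):
    """Hosts that renamed at least `threshold` files to .cry: the mass-encryption
    pattern, which still fires if the C2 address or User-Agent changes."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if (ev.get("type") == "file" and ev.get("op") == "RENAME"
                and ev.get("new", "").lower().endswith(RANSOM_EXT)):
            counts[ev.get("host")] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a["ts"], a["host"], "; ".join(a["reasons"]))
    print("mass .cry renames:", mass_rename_hosts(SAMPLE_EVENTS))
```

On the sample data every alert lands on WS-014: the C2 POST with the FakeCry User-Agent, the mutex, the registry key, three .cry renames and the ransom note, while WS-022's ordinary browsing, file creation and Run-key write stay quiet. The rename threshold is deliberately low for the sample; in production it should be tuned per host role and combined with a time window.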


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.