IT security specialists have discovered a new ransomware variant named .Frendi ransomware. It appends the .Frendi file extension to encrypted file names. This blog post will tell you what you need to know about the virus, how to delete .Frendi ransomware from your personal computer and how to recover all encrypted documents, photos and music for free.
The .Frendi ransomware is malware created to encrypt personal files. It hijacks a whole personal computer or its data and demands a ransom to unlock (decrypt) them. The makers of the .Frendi ransomware have a strong financial motive to infect as many PCs as possible. Files with the following extensions will be encrypted:
.py, .zabw, .bsa, .kdb, .kf, .menu, .rgss3a, .mp4, .wpd, .txt, .xlsx, .wpb, .itl, .fos, .z3d, .wps, .vfs0, .sum, .nrw, .mpqge, .1st, .hplg, .m3u, .wp7, .wpl, .wpa, .r3d, .wb2, .ods, .crw, .raw, .dng, .w3x, .wbm, .yal, .pef, .cfr, .doc, .m2, .t13, .zw, .ai, .ff, .wn, .y, .mdbackup, .xpm, .wotreplay, .sb, .psk, .cas, .pdf, .layout, .x, .wmo, .wdp, .tax, .pdd, .zip, .blob, .sidn, .ws, .bc7, .bik, .jpe, .upk, .xll, .css, .mcmeta, .wcf, .xmmap, .sis, .zdb, .wpg, .rb, .wmv, .mdb, .sie, .jpg, .hkdb, .srf, .icxs, .docm, .0, .wma, .snx, .xdb, .cr2, .sql, .mrwref, .3dm, .7z, .t12, .js, .mddata, .wmd, .wpd, .ysp, .indd, .pst, .sid, .xbdoc, .bkf, .avi, .mdf, .zif, .dmp, .3fr, .pak, .eps, .raf, .arw, .gho, .wsc, .dcr, .odm, .x3d, .cdr, .svg, .xml, .wp6, .dxg, .vpp_pc, .odb, .vdf, .3ds, .slm, .fpk, .rar, .itdb, .bay, .wbc, .wpt, .rtf, .xxx, .wp, .rw2, .rim, .map, .mov, .xbplate, .png, .bkp, .ltx, .ntl, .vcf, .qdf, .orf, .pptm, .wdb, .1, .wgz, .hvpl, .wsh, .lrf, .epk, .lvl, .odt, .wbk, .gdb, .xx, .dazip, .zip, .forge, .wmf, .xls, .xyp, .re4, .wsd, .xmind, .sr2, .wbd, .kdc, .iwd, .pptx, .itm, .xy3, .wav, .p7c, .xlsx, .accdb, .wm, .mlx, .2bp, .wri, .ibank, .pkpass, .vtf, .yml, .srw, .wpw, .big, .p12, .dba, .webp, .wmv, .m4a, .apk, .das, .wbz, .syncdb, .wot, .hkx, .xlk, .lbf, .tor, .wire, .dwg
When the virus encrypts a file, it adds the “ID-{USERID}.[tlalipidas1978@aol.com].Frendi” extension to the name of every encrypted file. Once the virus has finished encrypting all files, it drops a file called “Encrypted.txt” with ransom instructions on how to decrypt all photos, documents and music. One variant of the ransom message is shown below:
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail tlalipidas1978@aol.com
In case of no answer in 24 hours write us to theese e-mails: FobosAmerika@protonmail.ch
If there is no response from our mail, you can install the Jabber client and write to us in support of phobos_helper@xmpp.jp or phobos_helper@exploit.im
If your files have been encrypted by the .Frendi ransomware, we suggest that you do not pay the ransom. The instructions shown below will help you remove .Frendi ransomware and restore encrypted files stored on your system drives.
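The naming scheme described above can be used to take a read-only inventory of what was hit before any cleanup or recovery starts. The script below is an added example, not part of the original post or of any tool it mentions; it assumes the USERID part contains no dots or brackets, since the post does not document its exact format.

```python
import os
import re
from collections import Counter

# Pattern from the article: <original name>.ID-{USERID}.[<contact e-mail>].Frendi
# Assumption: USERID has no dots or brackets; its real alphabet is not documented.
FRENDI_RE = re.compile(
    r"^(?P<original>.+)\.ID-(?P<user_id>[^.\[\]]+)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.Frendi$",
    re.IGNORECASE,
)
RANSOM_NOTE = "encrypted.txt"  # ransom note file name given in the article


def parse_frendi_name(filename):
    """Return (original_name, user_id, contact) for a renamed file, else None."""
    m = FRENDI_RE.match(filename)
    return (m["original"], m["user_id"], m["contact"]) if m else None


def inventory(root):
    """Walk root without modifying anything and summarise affected files."""
    report = {"encrypted": [], "notes": [], "ids": Counter(), "by_ext": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                report["notes"].append(path)
                continue
            parsed = parse_frendi_name(name)
            if parsed:
                original, user_id, _contact = parsed
                report["encrypted"].append((path, original))
                report["ids"][user_id] += 1
                # Original extension tells you which file types to look for later.
                report["by_ext"][os.path.splitext(original)[1].lower()] += 1
    return report


if __name__ == "__main__":
    import sys
    rep = inventory(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(f"{len(rep['encrypted'])} encrypted files, {len(rep['notes'])} ransom notes")
    print("IDs seen:", dict(rep["ids"]))
    for ext, count in rep["by_ext"].most_common():
        print(f"  {ext or '(none)'}: {count}")
```

The per-extension counts show which original file types to look for when restoring from Shadow Copies or selecting file formats in PhotoRec.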
Table of contents
- How to remove .Frendi ransomware
- How to decrypt .Frendi files
- How to restore .Frendi files
- How to protect your PC from .Frendi ransomware
How to remove .Frendi ransomware
In many cases it’s not possible to remove the .Frendi ransomware virus manually. For that reason, our team has put together several removal methods, which we have summarized in the detailed guide below. If you have the .Frendi ransomware on your system and are currently trying to have it removed, feel free to follow the step-by-step tutorial below to resolve your problem. Read this manual carefully, and bookmark or print it, because you may need to close your browser or restart your PC.
Remove .Frendi ransomware with Zemana Anti-malware
Zemana Anti-malware is highly recommended because it can detect security threats such as the .Frendi ransomware virus, ad-supported software and other malware that most ‘classic’ antivirus programs fail to pick up on. Moreover, if you have any .Frendi ransomware removal problems which cannot be fixed by this utility automatically, Zemana Anti-malware provides 24x7 online assistance from highly experienced support staff.
Please go to the link below to download the latest version of Zemana Anti-Malware (ZAM) for Windows. Save it to your Desktop.
Once the download is complete, run it and follow the prompts. Once installed, Zemana AntiMalware will try to update itself; when this process is done, click the “Scan” button to look for the .Frendi ransomware virus and other security threats.
This task can take quite a while, so please be patient. While the utility is checking, you can see the number of objects and files already scanned. All found items will be marked. You can get rid of them all by simply pressing the “Next” button.
Zemana will remove the .Frendi ransomware virus and other malicious software and PUPs.
How to remove .Frendi ransomware with MalwareBytes Free
You can delete .Frendi ransomware automatically with the help of MalwareBytes. We suggest this free malicious software removal utility because it can easily get rid of ransomware, ad-supported software, malware and other unwanted applications with all their components such as files, folders and registry entries.
Please go to the link below to download MalwareBytes Free. Save it to your Desktop.
After the download is finished, close all apps and windows on your personal computer. Double-click the setup file named mb3-setup. If the “User Account Control” dialog box pops up as on the image below, click the “Yes” button.
It will open the “Setup wizard”, which will help you set up MalwareBytes Free on your computer. Follow the prompts and do not make any changes to the default settings.
Once setup completes successfully, click the Finish button. MalwareBytes will start automatically and you can see its main screen as shown on the image below.
Now click the “Scan Now” button. The MalwareBytes AntiMalware application will scan the whole PC for the .Frendi ransomware and other security threats. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your system. When a threat is detected, the number of security threats will change accordingly.
When the scan ends, you’ll be shown the list of all detected threats on your system. All found items will be marked. You can remove them all by simply clicking the “Quarantine Selected” button. MalwareBytes AntiMalware (MBAM) will get rid of the .Frendi ransomware virus and other security threats and move them to the program’s quarantine. After the procedure is complete, you may be prompted to restart the computer.
We suggest you look at the following video, which fully explains the process of using MalwareBytes Free to remove adware, hijackers and other malicious software.
Double-check for .Frendi ransomware with KVRT
KVRT is a free removal utility which can check your PC for a wide range of security threats such as the .Frendi ransomware virus, adware, potentially unwanted software and other malware. It performs a deep scan of your personal computer, including hard drives and the MS Windows registry. Once malicious software is found, it helps you remove all found threats from your PC with a simple click.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below.
After the download is finished, double-click the KVRT icon. Once the initialization procedure is finished, you’ll see the KVRT screen like below.
Click Change Parameters and check the box next to each of your drives. Press OK to close the Parameters window. Next, click the Start scan button to scan the system for the .Frendi ransomware with this tool. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your PC and the speed of your machine. When a threat is detected, the number of security threats will change accordingly.
After KVRT has completed scanning, Kaspersky virus removal tool will show a scan report as displayed on the image below.
Make sure all items have a ‘checkmark’ and click Continue to begin the cleaning procedure.
How to decrypt .Frendi files
The ransom instructions encourage the victim to contact the .Frendi ransomware’s developers via the following addresses:
- tlalipidas1978@aol.com
- phobos_helper@xmpp.jp
- phobos_helper@exploit.im
These persons will require you to pay a ransom (usually a demand for $300-1000 in Bitcoins). There is absolutely no guarantee that, after you pay a ransom to the makers of the .Frendi ransomware virus, they will provide the key necessary to decrypt your files. In addition, you must understand that by paying money to cyber criminals, you are encouraging them to create new ransomware.
We don’t recommend paying a ransom, as there is no guarantee that you will be able to decrypt your photos, documents and music, especially since you have a chance to restore your files for free using free utilities such as ShadowExplorer and PhotoRec.
How to restore .Frendi files
In some cases, you can restore files encrypted by the .Frendi ransomware virus. Try both methods. It is important to understand that we cannot guarantee that you will be able to restore all encrypted photos, documents and music.
Recover .Frendi encrypted files using Shadow Explorer
One option is to recover files encrypted by .Frendi from their Shadow Copies. Shadow Volume Copies are copies of files and folders that MS Windows 10 (8, 7 and Vista) automatically saves as part of system protection. This feature is fantastic at rescuing personal files that were damaged by the .Frendi ransomware virus. The tutorial below will give you all the details.
Visit the following page to download the latest version of ShadowExplorer for Windows. Save it on your MS Windows desktop or in any other place.
When the download is complete, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown on the image below.
Run the ShadowExplorer tool and then select the disk (1) and the date (2) of the shadow copy from which you wish to restore the file(s) encrypted by the .Frendi ransomware virus, like below.
Now navigate to the file or folder that you want to restore. When ready, right-click on it and click the ‘Export’ button like below.
Recover .Frendi files with PhotoRec
Before a file is encrypted, the .Frendi ransomware makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to recover your photos, documents and music using file restore apps like PhotoRec.
Download PhotoRec by clicking on the following link.
After the download is done, open the directory in which you saved it. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as displayed on the screen below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will open a screen as shown below.
Select a drive to recover like below.
You will see a list of available partitions. Choose the partition that holds the encrypted personal files as displayed in the figure below.
Press the File Formats button and specify the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, click the Browse button to select where restored personal files should be written, then click Search.
The count of recovered files is updated in real time. All restored photos, documents and music are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, press the Quit button. Next, open the directory where the restored personal files are stored. You will see contents like those on the image below.
All restored photos, documents and music are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your restored files by extension and/or date/time.
How to protect your PC from .Frendi ransomware
Most antivirus programs already have built-in protection against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, use CryptoPrevent.
Use CryptoPrevent to protect your machine from .Frendi ransomware virus
Download CryptoPrevent on your MS Windows Desktop by clicking on the link below.
www.foolishit.com/download/cryptoprevent/
Run it and follow the setup wizard. Once the installation is finished, you will be shown a window where you can select a level of protection, like below.
Now click the Apply button to activate the protection.
If you are still having problems while trying to get rid of .Frendi ransomware virus from your personal computer, then ask for help here.
Hi Patrik,
The type of file we have are .dex and are not detected by the Photorec