Cyber security researchers have discovered a new cryptovirus variant called ‘Fordan ransomware’. It appends the .fordan file extension to the names of encrypted files. Below is a brief summary of this ransomware and of how to restore or decrypt .fordan files for free.
The Fordan ransomware is malware created to encrypt photos, documents and music. It hijacks a whole machine or its data and demands a ransom to unlock (decrypt) them. The developers of the Fordan ransomware have a strong financial motive to infect as many computers as possible. It encrypts files with the following extensions:
.wpw, .bc6, .xlsx, .xlsb, .wbc, .wdb, .xlsm, .cdr, .dazip, .bc7, .ysp, .dbf, .p7c, .wmv, .x3f, .avi, .pdd, .zip, .xmind, .sidd, .cr2, .iwd, .snx, .arch00, .wotreplay, .dcr, .cfr, wallet, .big, .zip, .wbk, .3fr, .ztmp, .p12, .sql, .m3u, .vdf, .rar, .indd, .xpm, .xll, .mpqge, .map, .kf, .erf, .odt, .cas, .odb, .css, .eps, .xml, .wma, .wpl, .gdb, .bay, .wmo, .pptx, .docx, .sum, .zabw, .cer, .jpeg, .rgss3a, .srw, .wbd, .webp, .ppt, .accdb, .wpg, .2bp, .pst, .ybk, .wma, .kdb, .odp, .pfx, .menu, .apk, .dwg, .mddata, .itdb, .y, .flv, .dng, .mdbackup, .hkdb, .wps, .iwi, .epk, .mp4, .xdl, .m2, .rtf, .dmp, .xar, .rw2, .w3x, .syncdb, .xbdoc, .lbf, .ibank, .xx, .wgz, .hvpl, .bar, .wpa, .fsh, .xls, .litemod, .wbmp, .x3f, .vpp_pc, .yml, .svg, .tax, .yal, .nrw, .icxs, .pef, .xlsx, .wp4, .xlsm, .xy3, .1st, .mov, .xbplate, .wm, .p7b, .asset, .wdp, .sav, .pak, .wp7, .der, .xdb, .slm, .zdb, .vpk, .kdc, .doc, .wire, .crt, .psk, .re4, .gho, .wp6, .zw, .qic, .csv, .py, .jpg, .lvl, .3ds, .1, .mdf, .m4a, .mdb, .wmv, .r3d, .docm, .xmmap, .vcf, .wsd, .wsh, .rim, .0, .raw, .js, .ncf, .z3d, .forge, .wot, .hplg, .bkp, .layout, .lrf, .wmd, .vfs0, .wsc, .mcmeta, .xwp, .bik, .wpb, .itl, .hkx, .txt, .mrwref, .wb2, .odm, .sid, .wcf, .sidn, .ltx, .xf, .das, .wpd, .sie, .pptm, .jpe, .xls, .xyw, .fos, .odc, .zdc
Upon successful encryption, it appends the .fordan extension to the name of each encrypted file. The ransomware also creates a text file called “_readme.txt” in each folder. This file is the ransom note. It asks for payment in bitcoins. The content of the ransom note is below:
Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-6COaKAec5A Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: mosteros@firemail.cc Reserve e-mail address to contact us: gorentos@bitmessage.ch
Threat Summary
Name | Fordan ransomware |
Type | Ransomware, Filecoder, Crypto virus, File locker |
Encrypted files extension | .fordan |
Ransom note | _readme.txt |
Contact | mosteros@firemail.cc, gorentos@bitmessage.ch |
Ransom amount | $490, $980 in Bitcoins |
Symptoms |
|
Removal | To remove .Fordan ransomware use the removal guide |
Decryption | To decrypt .Fordan ransomware use the steps |
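To gauge how far the encryption spread before cleaning up, the two indicators in the summary above (the .fordan suffix and the _readme.txt note) can be counted per folder. The following Python script is an added example, not part of the original guide; it only reads directory listings, and the sample tree and function names are constructed for illustration.

```python
import os
import tempfile
from collections import Counter

ENCRYPTED_SUFFIX = ".fordan"  # extension listed in the threat summary
RANSOM_NOTE = "_readme.txt"   # ransom note name listed in the threat summary

def triage(root):
    """Read-only walk of root; report every folder holding encrypted files or a note."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        encrypted = [f for f in files if f.lower().endswith(ENCRYPTED_SUFFIX)]
        has_note = any(f.lower() == RANSOM_NOTE for f in files)
        if not encrypted and not has_note:
            continue
        # Original type = extension left after stripping the appended suffix.
        types = Counter(
            os.path.splitext(f[:-len(ENCRYPTED_SUFFIX)])[1].lower() or "(none)"
            for f in encrypted)
        report[os.path.relpath(folder, root)] = {
            "encrypted": len(encrypted),
            "intact": len(files) - len(encrypted) - int(has_note),
            "note": has_note,
            "original_types": dict(types),
        }
    return report

def build_sample(root):
    """Constructed sample tree for the demo; not real victim data."""
    layout = {
        "Documents": ["report.docx.fordan", "budget.xlsx.fordan", RANSOM_NOTE],
        "Pictures": ["cat.jpg.fordan", "new.png", RANSOM_NOTE],
        "Tools": ["setup.exe"],
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            with open(os.path.join(root, folder, name), "wb") as fh:
                fh.write(b"constructed sample")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)

if __name__ == "__main__":
    for folder, row in sorted(demo().items()):
        print(folder, row)
```

A folder that holds a note but still has intact files (like Pictures in the sample) shows where encryption skipped a file type or was interrupted.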
Use the step-by-step guidance below to remove ransomware and try to recover encrypted personal files for free.
Quick links
- How to remove .Fordan ransomware
- How to decrypt .fordan files
- Use STOPDecrypter to decrypt .fordan files
- How to restore .fordan files
- How to protect your computer from .Fordan ransomware?
- Finish words
How to remove .Fordan ransomware
The following instructions will help you remove .Fordan ransomware and other malicious software. Before you start, be aware that deleting the ransomware may block the ability to decrypt files by paying the ransom its makers request. Zemana Anti-malware, KVRT and Malwarebytes Anti-malware can detect different types of active ransomware and remove them from your PC, but they cannot restore encrypted files.
How to automatically remove .Fordan ransomware with Zemana Anti-malware
Thinking about removing .Fordan ransomware from your machine? Then consider Zemana Anti-Malware. This well-known utility was originally created just to scan for and remove malicious software, adware and PUPs. It has since changed considerably and can not only rid you of malicious software, but also protect your PC from ransomware, malware and adware, as well as find and delete common viruses and trojans.
Visit the page linked below to download the latest version of Zemana Free for Windows. Save it on your Microsoft Windows desktop.
After the download finishes, close all windows on your system. Then start the installer named Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as shown in the figure below, click the “Yes” button.
It will open the “Setup wizard”, which will help you install Zemana on the computer. Follow the prompts and do not change the default settings.
Once setup completes successfully, Zemana will launch automatically and show its main window, as shown below.
Next, click the “Scan” button to scan your PC for files, folders and registry keys related to the .Fordan ransomware. This process may take some time, so please be patient. During the scan, Zemana Anti Malware (ZAM) will detect threats present on your computer.
After the scan finishes, the results are displayed in the scan report. Click the “Next” button.
Zemana Anti Malware (ZAM) will start deleting the .Fordan ransomware and other potential threats such as malware and potentially unwanted applications. After the cleaning procedure finishes, you may be prompted to restart your computer.
Automatically remove Fordan ransomware virus with MalwareBytes Anti-Malware
We recommend using MalwareBytes to fully clean your system of the ransomware. This free utility is an advanced malware removal program created by Malwarebytes. This program uses the world’s most popular anti-malware technology. It can help you get rid of ransomware, trojans, malicious software, adware, worms, and other security threats on your computer for free.
Click the following link to download the latest version of MalwareBytes Free for Microsoft Windows. Save it directly to your Windows Desktop.
When the download finishes, close all programs and windows on your PC. Open the directory in which you saved it. Double-click the icon called mb3-setup, as shown in the following example.
When the setup begins, you will see the “Setup wizard” that will help you install Malwarebytes on your computer.
Once installation is finished, you will see a window as displayed in the image below.
Now click the “Scan Now” button. The MalwareBytes Anti Malware (MBAM) program will scan the whole machine for the Fordan ransomware and other potential threats such as malware and trojans. A scan may take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your machine. While MalwareBytes Anti Malware is scanning, you can see the number of objects it has identified as malicious software.
After the system scan is finished, MalwareBytes will show you the results. You can delete items (move them to Quarantine) by clicking the “Quarantine Selected” button.
Malwarebytes will now remove the Fordan ransomware and other malicious software and move the items to the program’s quarantine. When it has finished, you may be prompted to reboot your PC.
Remove .Fordan ransomware with KVRT
KVRT is a free portable program that scans your PC for adware, trojans, worms and crypto viruses such as the .Fordan ransomware and helps remove them easily. It also lets you delete any malicious web-browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) on your computer from the link below.
After the download finishes, double-click the KVRT icon. Once initialization is done, you will see the Kaspersky virus removal tool screen as shown below.
Click Change Parameters and tick the checkbox next to all your drives. Click OK to close the Parameters window. Next, click the Start scan button to start scanning your computer for the .Fordan ransomware and other malware. A scan can take anywhere from 10 to 30 minutes, depending on the number of files on your computer and the speed of your PC.
When the scan ends, a list of all items found is shown, as displayed in the figure below.
Make sure all threats have a checkmark and click Continue to start the cleaning procedure.
How to decrypt .fordan files
The encryption method is so strong that it is practically impossible to decrypt .fordan files without the actual encryption key.
We do not recommend paying a ransom, as there is no guarantee that you will be able to decrypt your files. In addition, by paying money to the cyber criminals you encourage them to create new ransomware.
With some variants of Fordan ransomware, it is possible to decrypt or restore encrypted files using free tools such as STOPDecrypter, ShadowExplorer and PhotoRec.
Use STOPDecrypter to decrypt .fordan files
Michael Gillespie (@) released a free decryption tool named STOPDecrypter (download from download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip).
STOPDecrypter has been updated to include decryption support for the following .djvu* variants (.djvu, .djvuu, .udjvu, .djvuq, .djvur, .djvut, .pdff, .tro, .tfude, .tfudeq, .tfudet, .rumba, .adobe, .adobee, .blower, .promos). STOPDecrypter will work for any extension of the Djvu* variants, including new extensions (.fordan).
Please check the Twitter post for more info.
How to restore .fordan files
In some cases, you can recover files encrypted by the .Fordan ransomware. Try both methods. It is important to understand that we cannot guarantee that you will be able to recover all encrypted documents, photos and music.
Restore .fordan files with ShadowExplorer
Microsoft Windows has a feature called ‘Shadow Volume Copies’ that can help you restore files encrypted by the .Fordan ransomware. The method described below only restores encrypted photos, documents and music to previous versions from the Shadow Volume Copies, using a free tool called ShadowExplorer.
Visit the following page to download the latest version of ShadowExplorer for MS Windows. Save it on your Windows desktop or in any other place.
When the download is finished, open the directory in which you saved it. Right-click ShadowExplorer-0.9-portable and select Extract all. Follow the prompts. Next, open the ShadowExplorerPortable folder as shown in the figure below.
Double-click ShadowExplorerPortable to run it. You will see a window as displayed below.
In the top left corner, choose the drive where the encrypted photos, documents and music are stored and the latest restore point, as displayed below (1 – drive, 2 – restore point).
In the right panel, look for a file that you wish to recover, right-click it and select Export, as shown below.
Use PhotoRec to recover .fordan files
Before a file is encrypted, the .Fordan ransomware virus makes a copy of this file, encrypts it, and then deletes the original file. This can allow you to restore your documents, photos and music using file restore software like PhotoRec.
Download PhotoRec by clicking on the link below.
Once the download is finished, open the directory in which you saved it. Right-click testdisk-7.0.win and choose Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.
Double-click qphotorec_win to run PhotoRec for Microsoft Windows. It will display a screen like the one in the image below.
Select a drive to recover, as shown below.
You will see a list of available partitions. Choose the partition that holds the encrypted files, as shown below.
Press the File Formats button and select the file types to recover. You can enable or disable the recovery of certain file types. When this is finished, press the OK button.
Next, click the Browse button to select where restored photos, documents and music should be written, then click Search.
The count of restored files is updated in real time. All recovered personal files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.
When the recovery is complete, click the Quit button. Next, open the directory where the restored photos, documents and music are stored. You will see contents like those displayed on the screen below.
All restored files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you are looking for a specific file, you can sort your recovered files by extension and/or date/time.
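PhotoRec output can run to thousands of generically named files, often with the same content recovered more than once. The following Python script is an added example, not part of the original guide or of PhotoRec: it indexes the recup_dir.N folders by extension, newest first, and skips byte-identical duplicates. The sample files and function names are constructed for illustration.

```python
import hashlib
import os
import re
import tempfile

RECUP_DIR = re.compile(r"^recup_dir\.\d+$")  # PhotoRec output folders named above

def sha256_of(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def index_recovered(output_root):
    """Map extension -> paths (newest first), skipping byte-identical duplicates."""
    seen, index = set(), {}
    for entry in sorted(os.listdir(output_root)):
        folder = os.path.join(output_root, entry)
        if not (RECUP_DIR.match(entry) and os.path.isdir(folder)):
            continue
        for name in sorted(os.listdir(folder)):
            path = os.path.join(folder, name)
            # Skip non-files and content already indexed from an earlier file.
            if not os.path.isfile(path) or (digest := sha256_of(path)) in seen:
                continue
            seen.add(digest)
            ext = os.path.splitext(name)[1].lower() or "(none)"
            index.setdefault(ext, []).append((os.path.getmtime(path), path))
    return {e: [p for _, p in sorted(r, reverse=True)] for e, r in index.items()}

def demo():
    """Constructed sample: (folder, name, content, mtime); f0003 duplicates f0001."""
    sample = [("recup_dir.1", "f0001.jpg", b"photo-A", 100),
              ("recup_dir.1", "f0002.docx", b"doc-A", 200),
              ("recup_dir.2", "f0003.jpg", b"photo-A", 300),
              ("recup_dir.2", "f0004.jpg", b"photo-B", 400),
              ("unrelated", "skip.jpg", b"other", 500)]
    with tempfile.TemporaryDirectory() as root:
        for folder, name, data, mtime in sample:
            os.makedirs(os.path.join(root, folder), exist_ok=True)
            path = os.path.join(root, folder, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.utime(path, (mtime, mtime))
        return {ext: [os.path.basename(p) for p in paths]
                for ext, paths in index_recovered(root).items()}

if __name__ == "__main__":
    print(demo())
```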
How to protect your computer from .Fordan ransomware?
Most antivirus programs already have built-in protection against ransomware. Therefore, if your PC does not have an antivirus program, make sure you install one. As extra protection, use HitmanPro.Alert.
Use HitmanPro.Alert to protect your system from .Fordan ransomware
All-in-all, HitmanPro.Alert is a fantastic tool to protect your computer from any ransomware. If ransomware is detected, then HitmanPro.Alert automatically neutralizes malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Windows operating system from Windows XP to Windows 10.
Visit the page linked below to download the latest version of HitmanPro Alert for MS Windows. Save it on your Microsoft Windows desktop.
After the downloading process is finished, open the directory in which you saved it. You will see an icon like below.
Double click the HitmanPro Alert desktop icon. When the utility is started, you’ll be shown a window where you can choose a level of protection, as displayed below.
Now click the Install button to activate the protection.
Finish words
After completing the few simple steps above, your computer should be clean of the .Fordan ransomware and other malicious software. Your computer will no longer encrypt your photos, documents and music. Unfortunately, if these steps do not help you, then you have caught a new variant of the ransomware, and the best option is to ask for help here.