fc

[Content by Gemini 2.5]

⚠️ The “.fc” extension is re-used by several unrelated ransomware families.
Because of this collision you MUST identify the exact strain before you start recovery work.
Below are the three criminal groups that are currently (2023-2024) observed appending “.fc” together with the technical fingerprints you need to tell them apart.

TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

A. FakeCry (Nodaria/SAINT) – Ukraine-wiper wannabe

  • Extension: .fc (lower-case)
  • Pattern: original_name.docx → original_name.docx.fc
  • Drops: read_me_now.txt (russian/ukrainian mixed)

B. FileCry (CRYSIS/Dharma fork) – RaaS sold on XSS/Exploit

  • Extension: .FC (upper-case) or .id-XXXX.[[email protected]].FC
  • Pattern: invoice.xlsx → invoice.xlsx.id-9EC3A4F1.[[email protected]].FC
  • Drops: README.txt and Info.hta in every folder + set as desktop wallpaper

C. FCKCRYPT (Mimic / TrendMicro TA) – uses legitimate “Everything” SDK

  • Extension: .FC (upper-case)
  • Pattern: DSC_0001.jpg → DSC_0001.jpg.FC
  • Drops: HowToDecrypt.txt (extortion note in broken English)

Distinguish quickly

  • Upper-case .FC with brackets → CRYSIS-FCKCRYPT
  • Lower-case .fc plus cyrillic note → FakeCry
  • Everything.dll found in %TEMP% → Mimic/FCKCRYPT

2. Detection & Outbreak Timeline

  • FakeCry: 21 Mar 2022 (first Ukraine energy-targeted wave)
  • FileCry (CRYSIS fork): Jan 2020 still active (latest sample 12 Apr 2024)
  • FCKCrypt/Mimic: Dec 2022 massive SMB-brute campaign, peaks Feb-Mar 2024

3. Primary Attack Vectors

FakeCry

  • Weaponized Ukrainian accounting software updates (comprom MSI)
  • GPO run-once script pushing runner.dll via rundll32

FileCry (CRYSIS)

  • RDP brute / leaked credentials → manual deploy
  • Pirated software (kms.exe, activator.exe) bundling stub loader

FCKCrypt

  • SMB & IPC$ brute (port 445) → Everything32.dll side-load → reflective run of locker.exe
  • Exploits: PrintNightmare (CVE-2021-34527), DFSCoerce (no patch) → SYSTEM escalation

Encryption details

  • FakeCry: ChaCha20 + RSA-2040, keys destroyed → irreversible
  • CRYSIS: AES-256-CTR (file) + RSA-1024 (key blob); master key unique per affiliate → decryptable only if affiliate master leaked
  • FCKCrypt: salsa20 + ECDH(secp256k1) Curve; keys wiped with NtSetInformationFile(FileDispositionInformation) → no free decryptor

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

1.1 Patch: disable SMBv1/v2 externally, apply CVE-2021-34527 & CVE-2022-30190 patches
1.2 Segmentation: isolate RDP behind VPN + MFA, close 3389/445 toward Internet
1.3 Application whitelisting: block rundll32 launch from %TEMP%, %APPDATA%
1.4 Lateral-movement guard: use Windows Defender ASR rule “Block credential stealing from LSASS”
1.5 Logging: turn on PowerShell ScriptBlock & 4624/4625 log forwarding to SIEM (catch brute)
1.6 Backups: 3-2-1 regime, offline copy (no writable SMB share), test restore monthly; Veeam/Nakivo with immutable object-lock

2. Removal (valid for all three families)

  1. Power-off network immediately → prevent second-stage & WMI propagation
  2. Boot a clean WinPE / Linux LiveUSB → back-up encrypted data (byte-level) before any cleaning
  3. From clean media:
    a. Run vendor cleaner:
    • Kaspersky Virus Removal Tool (KVRT)
    • ESETStandalone Cleaner – detects Win32/FileCryptor.D & Win32/FakeCry.A
    • MSERT (Microsoft Safety Scanner) – signatures Ransom:Win32/FileCry & Ransom:Win32/FakeCry
      b. Manually delete persistence:
    • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ “x” = C:\Users\Public\runner.exe”
    • Scheduled task \Microsoft\Windows\RasTask\fc_job
  4. Patch / harden before you re-join network (see §1)

3. File Decryption & Recovery

  • FakeCry (.fc lowercase) – NO decryptor, keys destroyed.
  • CRYSIS/FileCry (.FC) – occasional master-key leaks appear on https://koodous.com & https://github.com/Struppigel; check “CRYSIS-Master-Keys-2024.txt”. If your SHA-256 of the RSA public key in README.txt matches a leaked entry:
  1. Download Emsisoft “Dharma-Decryptor” (covers FC variant).
  2. Run on clean machine with admin rights, point to C:\ or network share; expect 3-7 % failure on >100 MB files (chunk alignment bug).
  • FCKCrypt (.FC) – no free tool yet; only chance = law-enforcement seizure of attacker server (curve private key) → monitor NoMoreRansom page.

Alternative file recovery:

  • Volume Shadow Copy – often deleted; run vssadmin list shadows from WinPE; if present → robocopy out
  • Windows“File History” backups, OneDrive cloud recycle bin, Office365 mail ransomware detection auto-versioning
  • PhotoRec/RawDisk carve – good for pdf/docx/png where only header/page is encrypted (FCKCrypt ≤1 MB files are full-encrypted, so carve rarely helps)

4. Other Critical Information

  • FakeCry note falsely claims “your data will be sent to Russian secret services” – psychological pressure; no exfil was observed (no C2 upload function)
  • FileCry is offered as “service” – affiliates keep 70 %; authors provide web-panel + signed EXE; therefore ransom e-mail varies (tuta, proton, aol, ctemplar)
  • FCKCrypt harvests Everything.db to find network shares fast – uninstall “Everything” or block Everything*.dll load via HKLM\System\CurrentControlSet\Control\Session Manager\KnownDLLs protection

If unsure which strain you have: zip three encrypted files + the ransom note and upload them to https://id-ransomware.malwarehunterteam.com or https://nosplash.com/ru – you’ll obtain the correct decryptor link within 60 s.

Stay safe, patch early, and keep an offline backup – the only universal “decryptor”.