fopra*

[Content by Gemini 2.5]

“FOPRA” Ransomware Family – Community Resource Sheet

(for every variant whose encrypted files end in “.fopra”, e.g. .fopra1, .fopra_locked, .fopra-Nov-2023)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension(s): .fopra, often followed by a random 6-digit ID or campaign tag, e.g. dossier.pdf.fopra-9D3F2E, report.xlsx.fopra_locked.
  • Renaming convention:
      • The original file is kept intact; the extension is APPENDED, with no base-name change.
      • A desktop-wallpaper / ransom-note file “Restore-My-Files.hta” (or .txt) is dropped with the same base name as the encrypted file.
  • The VictimID is also written into the ransom note and into the registry key HKLM\SOFTWARE\FOPRAID.

2. Detection & Outbreak Timeline

  • First public submission: 14 Aug 2023 (one-off sample); mass-spread campaigns observed Nov–Dec 2023, with the heaviest waves in Q1 2024.
  • VirusTotal first hit: SHA-256 5e7ff…c91b (14 Aug 2023 08:14 UTC).
  • Geography: initial focus on Eastern Europe and APAC; by Feb 2024 also affecting US and LATAM healthcare and education verticals.
  • Associated clusters: “FOPRA-DEEP#001”, “FOPRA-GIGA#004”, clustered by ID length and contact e-mail addresses ([email protected], [email protected]).

3. Primary Attack Vectors

  1. Phishing e-mail with ISO / IMG lures (“Invoice_3008.iso” mounts as a DVD and contains a benign-looking .LNK → hidden .dll loader).
  2. Malvertising abusing Google Ads to push a fake “Chrome-update.exe”, which leads to the FOPRA dropper that side-loads msvcr120.dll.
  3. Exploitation of unpatched MS-SQL servers (CVE-2020-0618) and brute-force against 1433/tcp; once xp_cmdshell is enabled, FOPRA is installed as C:\Windows\Temp\svshost.exe.
  4. RDP brute-force, then self-propagation via PsExec using the recovered local admin password; may also deploy an EternalBlue (MS17-010) plug-in when SMBv1 is detected.
  5. Drive-by through trojanized pirated software (KMS cracks, CCleaner bundles); the second-stage FOPRA payload is fetched from hxxp://23.94.[.]185/fopra.gzip.
  6. Lateral-movement script drops a Cobalt Strike beacon first, then the operator manually deploys the FOPRA EXE with an -access-token argument (supplied via Discord gists).

Remediation & Recovery Strategies

1. Prevention (quick checklist)

  • Anti-spam rules: block ISO/IMG inside ZIP; quarantine messages containing “invoice”, “payment”, “DHL” from first-time senders.
  • Disable / patch SMBv1; enforce Network Level Authentication on RDP; set account lockout after 5 failed logons.
  • Patch externally facing MS-SQL, disable xp_cmdshell, encrypt connection strings; use the Windows firewall to restrict 1433/3389 to jump hosts only.
  • Application whitelisting (WDAC / AppLocker): default-deny, require signed binaries in %TEMP%.
  • Disable Office macros from the Internet; use the “Mark-of-the-Web” macro policy shipped with O365.
  • Maintain offline, password-protected backups (3-2-1 rule); include cloud object-lock (immutable storage) to counter the backup-deletion script that FOPRA runs (vssadmin + WMIC + PowerShell -ep bypass).
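The scriptable items of the checklist above, as an added PowerShell example that is not part of the original sheet. Assumed: the script runs elevated on a single Windows host, $JumpHosts holds placeholder jump-host addresses, sqlcmd is on PATH for the local default SQL instance, and the ASR rule GUIDs match Microsoft's current ASR reference (verify before rollout).

```powershell
#Requires -RunAsAdministrator
# Added hardening script for the prevention checklist (not from the original sheet).
# ASSUMPTION: $JumpHosts lists the only addresses allowed to reach 1433/3389 (placeholders).
param([string[]]$JumpHosts = @('10.0.0.5', '10.0.0.6'))

# SMBv1 off on both server and client side (closes the MS17-010 path)
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

# RDP: require Network Level Authentication before a session is created
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord

# Lock accounts after 5 failed logons (30-minute lockout and reset window)
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30 | Out-Null

# Firewall: default-deny inbound, then scope the RDP and MS-SQL allow rules to the jump hosts.
# (Scoping the allow rule is the correct pattern; an explicit Block rule would override any Allow.)
Set-NetFirewallProfile -All -DefaultInboundAction Block
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $JumpHosts
if (-not (Get-NetFirewallRule -DisplayName 'MSSQL 1433 from jump hosts' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'MSSQL 1433 from jump hosts' -Direction Inbound -Protocol TCP `
        -LocalPort 1433 -RemoteAddress $JumpHosts -Action Allow | Out-Null
}

# MS-SQL: turn xp_cmdshell off on the local default instance (requires sqlcmd on PATH)
if (Get-Command sqlcmd -ErrorAction SilentlyContinue) {
    sqlcmd -S . -E -Q "EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',0; RECONFIGURE;"
}

# Office: block macros in files carrying the Mark-of-the-Web (per-user policy key, Office 16.0)
foreach ($app in 'word', 'excel', 'powerpoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\security"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -Value 1 -Type DWord
}

# Defender ASR rules named in the sheet (GUIDs per Microsoft's ASR reference; verify before rollout)
$asrRules = @{
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'BlockOfficeCreateExecutableContent'
    '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC' = 'BlockExecutionOfPotentiallyObfuscatedScripts'
}
foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "ASR rule enabled: $($asrRules[$id])"
}
```

WDAC/AppLocker default-deny and the backup strategy are policy work that this script does not attempt.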

2. Removal – step-by-step

  1. Physically isolate the box (unplug NIC / disable Wi-Fi) to halt lateral SMB/RDP spraying.
  2. Boot into Safe Mode with Networking (keep the network OFF).
  3. Collect a triage package before cleaning (memory dump, MFT, registry hives); useful for forensics and a possible law-enforcement takedown.
  4. Scan with an offline antivirus engine (Kaspersky Rescue Disk, Emsisoft Emergency Kit). Typical detection names:
     Trojan-Ransom.Win32.Fopra.gen, Ransom:Win32/Fopra.A!MTB, Ransom.Win64.FOPRA.DEEP.
  5. Manually delete persistence:
      • Scheduled task \Microsoft\Windows\FPRUpdate pointing to C:\ProgramData\FopraSvc.exe.
      • Service FopraHelp (DisplayName “Windows Font Manager Extension”).
      • Registry run-key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\FopraHelp.
      • Batch file C:\Users\Public\si.bat that re-launches the ransomware on reboot.
  6. Clear shadow-copy infection artefacts:
     diskshadow: delete shadows all (if still present), then re-create a new baseline.
  7. Reboot into normal mode, re-run AV, then reconnect to the domain only after pushing the domain GPO patches.
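A triage helper for steps 3 to 5 above, as an added PowerShell example that is not part of the original sheet. It reports the artefacts the sheet lists (victim-ID key, encrypted-file count, scheduled task, service, run key, dropped files) and removes them only when -Remove is passed, hashing each file first so the evidence survives into the triage package; it assumes the artefact names and paths are exactly those quoted in the sheet.

```powershell
#Requires -RunAsAdministrator
# Added triage helper for the removal steps (not from the original sheet).
# Default mode only reports; pass -Remove to delete the artefacts after hashing them.
# ASSUMPTION: artefact names and paths are exactly those quoted in the sheet.
param([switch]$Remove, [string]$ScanRoot = 'C:\Users')

$findings = @()

# Victim ID key written by the ransomware
if (Get-ItemProperty -Path 'HKLM:\SOFTWARE\FOPRAID' -ErrorAction SilentlyContinue) {
    $findings += 'VictimID key present: HKLM\SOFTWARE\FOPRAID'
}

# Scope the damage: original name kept, ".fopra" plus an optional ID/tag appended
$pattern = '\.fopra([-_]?[A-Za-z0-9]+)?$'
$encrypted = @(Get-ChildItem -Path $ScanRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern })
$findings += "Encrypted files under ${ScanRoot}: $($encrypted.Count)"

# Scheduled task \Microsoft\Windows\FPRUpdate
$task = Get-ScheduledTask -TaskName 'FPRUpdate' -TaskPath '\Microsoft\Windows\' -ErrorAction SilentlyContinue
if ($task) {
    $findings += "Scheduled task: $($task.TaskPath)$($task.TaskName)"
    if ($Remove) { Unregister-ScheduledTask -InputObject $task -Confirm:$false }
}

# Service FopraHelp (DisplayName "Windows Font Manager Extension")
$svc = Get-Service -Name 'FopraHelp' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += "Service: FopraHelp ($($svc.DisplayName))"
    if ($Remove) { Stop-Service -Name 'FopraHelp' -Force; sc.exe delete FopraHelp | Out-Null }
}

# Run-key entry
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
if ((Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).PSObject.Properties['FopraHelp']) {
    $findings += "Run key: $runKey\FopraHelp"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'FopraHelp' }
}

# Dropped binary and re-launch batch file: hash before removal so the triage package keeps the evidence
foreach ($file in 'C:\Users\Public\si.bat', 'C:\ProgramData\FopraSvc.exe') {
    if (Test-Path -Path $file) {
        $findings += "File: $file SHA-256 $((Get-FileHash -Path $file -Algorithm SHA256).Hash)"
        if ($Remove) { Remove-Item -Path $file -Force }
    }
}

$findings
```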

3. File Decryption & Recovery

No flaw has been published yet; samples inspected up to v2.1.3 use ChaCha20 + ECIES on Curve25519. The private key is generated per victim and is stored only on the attacker's server and embedded in their decryptor.
Check YOUR variant ID anyway: pick an encrypted JPEG of ≤3 MB and upload it to:

  • https://decryptor.emsisoft.com/check/fopra
  • https://www.nomoreransom.org/#/decryptor-alphabetical

If your ID turns out to belong to the hard-coded OFFLINE-key subset (rare; seen once in the Aug 2023 test run), you will get a free decryptor; otherwise:

  • Restore from backup;
  • Engage professional incident response; keep the encrypted files, since leaks of private keys have happened before (see the similar “Sodinokibi” case).

4. Other Critical Information

  • Backup wipers: FOPRA enumerates HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ for Veeam, Acronis and Backup Exec and runs vendor-specific deletion commands (veeamconfig, sgmaster, wbadmin delete). SAN snapshots are usually spared; restore from there first.
  • Data-exfiltration module: steals %USERPROFILE% documents ≤ 50 MB and POSTs them to file[.]io; note that paying does NOT guarantee deletion of stolen data.
  • Ransom note: “Restore-My-Files.hta” references both a TOX chat ID and two ProtonMail addresses; it sets a 72-hour “discount” timer, which has been extended up to 10 days in later campaigns.
  • Payment: only Monero (XMR) is demanded; the current ask averages 0.15 – 0.40 XMR (~USD 45–110) for individuals and 2 – 6 XMR for small businesses.
  • Peculiarity: deletes its own executable after encryption (overwrites it with random 00/FF bytes 3× and then runs fsutil usn deletejournal). The volume can look “clean” although files remain encrypted; always run AV OFFLINE even if no obvious binaries remain.
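A hunt for the backup-wiping, journal-wiping and “-ep bypass” command lines described above, as an added PowerShell example that is not part of the original sheet. It reads process-creation events (Security log ID 4688) and assumes “Audit Process Creation” with command-line logging is enabled; the rule names and regexes are constructed from the commands the sheet itself lists.

```powershell
# Added detection example (not from the original sheet): hunts Security log 4688 events for the
# backup-wiping, journal-wiping and "-ep bypass" commands the sheet attributes to FOPRA.
# ASSUMPTION: "Audit Process Creation" with command-line logging is enabled on the host.
function Find-FopraWiperActivity {
    param([int]$Hours = 24)

    # Constructed from the commands named in the sheet; diskshadow also fires on remediation step 6
    $indicators = @(
        @{ Name = 'Shadow copy deletion';  Regex = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|diskshadow' }
        @{ Name = 'Backup catalog wipe';   Regex = 'wbadmin(\.exe)?\s+delete|veeamconfig|sgmaster' }
        @{ Name = 'USN journal wipe';      Regex = 'fsutil(\.exe)?\s+usn\s+deletejournal' }
        @{ Name = 'PowerShell -ep bypass'; Regex = 'powershell(\.exe)?.*\s-e(xecutionpolicy|p)\s+bypass' }
    )

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull the EventData fields out of the XML; CommandLine is empty unless auditing is on
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        $cmd = $data['CommandLine']
        if ([string]::IsNullOrWhiteSpace($cmd)) { continue }

        foreach ($i in $indicators) {
            if ($cmd -match $i.Regex) {
                [pscustomobject]@{
                    Time    = $e.TimeCreated
                    Rule    = $i.Name
                    Parent  = $data['ParentProcessName']
                    Command = $cmd
                }
            }
        }
    }
}

# Review the last day; several rules firing from one parent within minutes is the wiper sequence
Find-FopraWiperActivity -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```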

Key Tools / Patches

  • MS17-010 (EternalBlue) – KB4013389 / KB4012598
  • SQL Server CVE-2020-0618 – KB4535007, KB4532095
  • Chrome / Edge – update to ≥120.0.2210 to stop malvertising chain
  • Windows-Defender ASR rule: BlockOfficeCreateExecutableContent & BlockExecutionOfPotentiallyObfuscatedScripts
  • Emsisoft-Decrypter for “Fopraofflinev1” (SHA-256 whitelist 7d5a…9bc1)
  • Kaspersky RannohDecryptor (for OFFLINE key branch)

Bottom line

The fopra* family is small-scale but constantly re-skinned; decryption is presently unavailable for most victims, so backups, patching and tight e-mail/RDP hygiene remain the only reliable safeguards. Continue monitoring NoMoreRansom: if law enforcement seizes the backend servers, universal keys may appear. Until then: isolate, clean, rebuild, restore, and strengthen the perimeter against the next wave. Stay safe!