fappy

[Content by Gemini 2.5]

FAPPY Ransomware – Community Resource Sheet

(Last updated 2024-06-XX – v1.0)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .fappy (lower-case)
  • Renaming Convention:
    – Original file: Project_Q3.xlsx → Project_Q3.xlsx.fappy
    – Folders receive a plain-text marker: !!!FAPPY_DECRYPTION_README!!!.txt
  • No email address or random ID is injected into the filename; only the single suffix is appended.
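
The naming rules above are simple enough to turn into a scan. The script below is an added example, not part of this resource sheet and not the malware's or any vendor's code: it walks a tree, flags files carrying the single .fappy suffix and the !!!FAPPY_DECRYPTION_README!!!.txt marker, derives the pre-encryption name by stripping that one suffix, and records any surviving original/encrypted pairs (the kind the recovery section says to keep). The directory it builds is constructed for the demonstration; point scan_tree() at a mounted volume from a clean boot in practice.

```python
"""Scan a directory tree for FAPPY-style renaming artefacts (added example)."""
import os
import tempfile
from pathlib import Path
from typing import Optional

FAPPY_SUFFIX = ".fappy"
NOTE_NAME = "!!!FAPPY_DECRYPTION_README!!!.txt"


def original_name(encrypted: str) -> Optional[str]:
    """Return the pre-encryption filename, or None if the name is not FAPPY-renamed.

    The family appends exactly one suffix (no e-mail address or victim ID),
    so stripping it recovers the original name.
    """
    if not encrypted.endswith(FAPPY_SUFFIX) or encrypted == FAPPY_SUFFIX:
        return None
    return encrypted[: -len(FAPPY_SUFFIX)]


def scan_tree(root: str) -> dict:
    """Walk `root` and summarise encrypted files, ransom notes and recoverable pairs."""
    encrypted, notes, pairs = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        for name in files:
            if name == NOTE_NAME:
                notes.append(os.path.join(dirpath, name))
                continue
            orig = original_name(name)
            if orig is None:
                continue
            full = os.path.join(dirpath, name)
            encrypted.append(full)
            # A plaintext copy beside its ciphertext is a known-plaintext pair worth preserving.
            if orig in names:
                pairs.append((os.path.join(dirpath, orig), full))
    return {
        "encrypted": sorted(encrypted),
        "notes": sorted(notes),
        "pairs": sorted(pairs),
        "outbreak": bool(encrypted) or bool(notes),
    }


def build_demo_tree() -> str:
    """Create a constructed directory that mimics a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="fappy-demo-")
    docs = Path(root, "Finance")
    docs.mkdir()
    (docs / "Project_Q3.xlsx.fappy").write_bytes(b"\x00constructed ciphertext")
    (docs / "budget.docx").write_bytes(b"constructed plaintext copy")
    (docs / "budget.docx.fappy").write_bytes(b"\x00constructed ciphertext")
    (docs / NOTE_NAME).write_text("constructed note body")
    Path(root, "Clean").mkdir()
    Path(root, "Clean", "notes.txt").write_text("untouched")
    return root


if __name__ == "__main__":
    result = scan_tree(build_demo_tree())
    for key, value in result.items():
        print(key, value)
```

Run it read-only from the triage OS; it never modifies files, so the encrypted/original pairs it lists can be archived as-is for later identification work.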

2. Detection & Outbreak Timeline

  • Approximate Start Date / Period:
    – First publicly-reported submission to ID-Ransomware & VirusTotal: 2023-12-15
    – Observable infection spike: 2024-01 through 2024-03 (most intense in the Americas & Western Europe)
    – Still circulating as of Q2-2024, but volume has fallen after January’s takedown of its primary C2 panel.

3. Primary Attack Vectors

  1. Phishing with ISO / IMG lures (≈ 65 % of 2024 cases)
    – E-mails impersonate DHL, IRS or “Voicemail” notifications.
    – Container attachment mounts as a virtual CD; user double-clicks PDF.exe or Document.lnk.
  2. Pirated-software & cracks on torrent sites (≈ 20 %)
    – Dropper bundle name variants: Activator-Win11.exe, AdobeCC-Gen.exe.
  3. Exposed RDP or RDP tunnelled through stolen VPN credentials (≈ 10 %)
    – Typically brute-forced, then BatLoader / IcedID staged, followed by Cobalt Strike beacon and FAPPY deploy.
  4. Software vulnerability exploitation (≈ 5 %)
    – CVE-2023-36884 (Windows Search 0-day weaponised by RomCom) and exploitation of unpatched PaperCut NG MF servers were observed in Q1-2024.
    – No evidence of mass SMB/EternalBlue usage by this family to date.

REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Patch OS & third-party apps aggressively (especially Dec-2023 & Jan-2024 Windows updates).
  • Disable or restrict Office macros; block ISO, IMG and VHD mounts via GPO if unused.
  • MFA on any externally-reachable RDP / VPN; fail2ban-style lockouts for RDP.
  • Application whitelisting (Windows Defender Application Control, AppLocker, or third-party).
  • Network segmentation – separate Domain Admin tier; block lateral SMB/445 between user VLANs.
  • Maintain 3-2-1 backups (3 copies, 2 media, 1 offline/immutable).
  • EDR in “block-unknown” mode; enable “tamper protection” so the malware’s service-kill routine cannot shut the agent down.
  • Mail-gateway sandboxing to detonate ISO attachments.

2. Removal

High-level containment workflow (assumes no decryptor available):

  1. Power-off / isolate affected machine(s); disable Wi-Fi & unplug Ethernet immediately.
  2. Boot a clean, trusted OS (Windows PE or Linux live-USB) → collect forensic images if needed.
  3. Identify persistence:
    – Registry Run-key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FappyCrypter
    – Scheduled Task: FappyUpdater (%AppData%\ServiceHub\svcmd.exe)
  4. Before cleaning, copy the ransomware binary (!) to a password-protected archive – needed for free identification services and law-enforcement IoCs.
  5. Use a reputable AV/EDR rescue disk (Kaspersky TDSSKiller, ESET SysRescue, MS Defender Offline) to wipe malicious files + task/registry entries.
  6. Fix the default file-association hijack (HKCU\Software\Classes\.fappy) if set.
  7. Reboot into normal mode, re-run a full scan, and confirm absence of new lateral tools (CobaltStrike, AnyDesk, Atera).
  8. Only then re-attach backup media to avoid re-infection.
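
The persistence checks in steps 3 and 6 can be scripted so they are not missed under pressure. The following is an added example, not part of this sheet and not vendor code: the matching logic is pure Python and is exercised on constructed data, so it runs anywhere; the live collector at the bottom uses winreg and `schtasks /query /fo CSV /v` only when executed on the affected Windows profile (assumed to be run after the binary has been preserved). The "TaskName" and "Task To Run" column names are those of the real schtasks CSV output; the sample rows themselves are made up.

```python
"""Triage the persistence indicators listed in the removal workflow (added example)."""
import csv
import io
import platform
import subprocess
from typing import Dict, List

# Indicators quoted from the removal section above.
RUN_VALUE_NAME = "FappyCrypter"
TASK_NAME = "FappyUpdater"
TASK_BINARY = r"\ServiceHub\svcmd.exe"
HIJACKED_CLASS = ".fappy"


def assess_persistence(run_values: Dict[str, str],
                       tasks: List[Dict[str, str]],
                       class_keys: List[str]) -> List[str]:
    """Return findings; an empty list means none of the listed indicators are present.

    run_values : {value name: command} from the HKCU Run key
    tasks      : rows with at least "TaskName" and "Task To Run" (schtasks CSV columns)
    class_keys : subkey names under HKCU Software/Classes
    """
    findings = []
    for name, command in run_values.items():
        if name.lower() == RUN_VALUE_NAME.lower():
            findings.append(f"Run key value {name!r} -> {command}")
    for task in tasks:
        tname = task.get("TaskName", "").strip("\\")
        action = task.get("Task To Run", "")
        # Match on the task name or on the dropped binary path, whichever survived renaming.
        if tname.lower().endswith(TASK_NAME.lower()) or TASK_BINARY.lower() in action.lower():
            findings.append(f"Scheduled task {tname!r} runs {action}")
    for key in class_keys:
        if key.lower() == HIJACKED_CLASS:
            findings.append(f"File-association class key HKCU\\Software\\Classes\\{key} present")
    return findings


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Parse `schtasks /query /fo CSV /v` output into rows keyed by column header."""
    return list(csv.DictReader(io.StringIO(text)))


def collect_live() -> List[str]:
    """Windows-only collector: enumerate the Run key, Classes subkeys and scheduled tasks."""
    import winreg  # standard library, present only on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            run_values[name] = str(value)
            i += 1
    class_keys = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Classes") as key:
        i = 0
        while True:
            try:
                class_keys.append(winreg.EnumKey(key, i))
            except OSError:
                break
            i += 1
    out = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                         capture_output=True, text=True, check=False).stdout
    return assess_persistence(run_values, parse_schtasks_csv(out), class_keys)


# Constructed sample data for an offline dry run (not real telemetry).
SAMPLE_RUN = {"OneDrive": r"C:\Users\x\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "FappyCrypter": r"C:\Users\x\AppData\Roaming\ServiceHub\svcmd.exe"}
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Logon Mode","Last Run Time","Last Result","Author","Task To Run"\n'
    '"WS01","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","Interactive/Background","N/A","0","Microsoft","%windir%\\defrag.exe"\n'
    '"WS01","\\FappyUpdater","N/A","Ready","Interactive only","N/A","0","x","C:\\Users\\x\\AppData\\Roaming\\ServiceHub\\svcmd.exe"\n'
)
SAMPLE_CLASSES = [".docx", ".fappy", "txtfile"]

if __name__ == "__main__":
    findings = (collect_live() if platform.system() == "Windows"
                else assess_persistence(SAMPLE_RUN, parse_schtasks_csv(SAMPLE_SCHTASKS_CSV), SAMPLE_CLASSES))
    print("\n".join(findings) or "no listed indicators found")
```

Only HKCU is inspected because that is where the sheet places the indicators; run it once per user profile that logged on to the host, and treat an empty result as "these specific indicators absent", not as a clean bill of health.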

3. File Decryption & Recovery

  • Recovery Feasibility (2024-06): NO free decryptor currently exists. Fappy employs Curve25519 + ChaCha20 in an enveloped key scheme; keys are unique per victim and have not leaked.
  • What to try while you wait for a decryptor:
    – Check shadow copies: vssadmin list shadows (often deleted but worth a shot).
    – Re-check the free decryptor catalogues (Emsisoft, Avast, Bitdefender) every 2-4 weeks, as they are updated.
    – If a plaintext copy of an encrypted file is available, save original/encrypted pairs (*.docx / *.docx.fappy) – may accelerate future brute-force if flaw found.
    – Upload a pair to https://id-ransomware.malwarehunterteam.com to confirm variant and receive e-mail alerts on new tools.
  • Salvage ideas:
    – Certain apps (Photoshop, AutoCAD, Outlook PST) sometimes leave temporary files behind; carve disk with PhotoRec for those remnants.
    – Re-build OS, restore from clean off-line backup made before infection date/time.
  • Tools / Patches you still need today:
    – Windows Jan-2024 cumulative patch (fixes CVE-2023-36884 exploited in the chain).
    – PaperCut NG/MF 22.0.7+ or MF 21.2.11+ (if server present).
    – Current EDR sig pack (CrowdStrike, SentinelOne, Sophos, MS Defender) – all flag FAPPY binaries as Ransom:Win32/Fappy.A!cert.

4. Other Critical Information

  • Unique Characteristics:
    – Built-in anti-analysis: stalls or crashes (0xC0000005) under most non-custom sandboxes; exits if the keyboard layout is Russian or Belarusian.
    – Terminates 181 hard-coded services (“SQL”, “Veeam”, “MSSQL$”, “backup”, “sophos”, etc.) before encryption to unlock files.
    – Deletes local shadow copies with WMI + vssadmin + wbadmin in parallel threads → faster than most families (≈ 8 s per 100 GB).
    – Drops one note only – no Tor site, no live-chat; uses Tox ID for negotiation, payments in XMR only.
    – Embedded “fappy.png” bitmap (404 x 420 px) is flashed briefly as desktop wallpaper; otherwise leaves aesthetics untouched – a possible attempt to hide presence during encryption phase.
  • Wider Impact / Context:
    – Suspected to be a “privacy-friendly” re-brand of the earlier “Mimic” / “Phyton” cluster, based on PDB paths (d:\fappy\x64\Release\Fappy.pdb) and 78 % code overlap.
    – Frequently lands alongside IcedID & Cobalt Strike beacons; expect data-exfil, not just encryption.
    – Average demanded ransom US $9 200 (double-extortion); however, the authors publish stolen data only when a victim refuses to negotiate (seen on BreachForums for three US municipalities, Feb-2024).
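
Two of the behaviours listed under Unique Characteristics (the mass service kill and the parallel shadow-copy deletion) are visible before encryption starts, which makes them worth alerting on. The detector below is an added example, not from this sheet and not a vendor rule: it runs over constructed event lines (timestamp|type|detail, not real telemetry), flags a burst of service stops whose names contain the family's quoted substrings within a short window, and flags process launches that delete shadow copies through vssadmin, wbadmin or WMI. The window size, threshold and the WMI pattern (the Win32_ShadowCopy class name) are my assumptions, not values from the sheet.

```python
"""Detect FAPPY pre-encryption behaviour on sample event lines (added example)."""
import re
from collections import deque
from datetime import datetime
from typing import List, Tuple

# Substrings quoted from the "Unique Characteristics" bullet (matched case-insensitively).
TARGET_SERVICE_TOKENS = ("sql", "veeam", "mssql$", "backup", "sophos")
STOP_BURST_THRESHOLD = 5   # assumed: this many targeted stops ...
STOP_BURST_WINDOW_S = 30   # ... within this many seconds is a burst

SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),   # WMI class used from scripts (assumed)
]

# Constructed sample events: "timestamp|type|detail"
SAMPLE_EVENTS = """\
2024-02-01T09:00:01|SERVICE_STOP|Windows Update
2024-02-01T09:14:02|SERVICE_STOP|MSSQL$SQLEXPRESS
2024-02-01T09:14:02|SERVICE_STOP|SQLWriter
2024-02-01T09:14:03|SERVICE_STOP|VeeamBackupSvc
2024-02-01T09:14:03|SERVICE_STOP|Sophos MCS Client
2024-02-01T09:14:04|SERVICE_STOP|wbengine
2024-02-01T09:14:04|SERVICE_STOP|BackupExecAgent
2024-02-01T09:14:05|PROCESS_CREATE|vssadmin.exe delete shadows /all /quiet
2024-02-01T09:14:05|PROCESS_CREATE|wbadmin.exe delete catalog -quiet
2024-02-01T09:14:05|PROCESS_CREATE|wmic.exe shadowcopy delete
2024-02-01T10:30:00|PROCESS_CREATE|notepad.exe C:\\notes.txt
"""


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Parse the pipe-delimited sample format into (timestamp, kind, detail) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split("|", 2)
        events.append((datetime.fromisoformat(ts), kind, detail))
    return events


def is_targeted_service(name: str) -> bool:
    """True if the service name contains one of the hard-coded substrings."""
    low = name.lower()
    return any(tok in low for tok in TARGET_SERVICE_TOKENS)


def find_stop_bursts(events, threshold=STOP_BURST_THRESHOLD, window_s=STOP_BURST_WINDOW_S):
    """Sliding-window burst detector; returns (first timestamp, [service names]) per burst."""
    window = deque()
    bursts = []
    in_burst = False
    for ts, kind, detail in events:
        if kind != "SERVICE_STOP" or not is_targeted_service(detail):
            continue
        window.append((ts, detail))
        while (ts - window[0][0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            if not in_burst:            # fire once per burst, not once per extra stop
                bursts.append((window[0][0], [n for _, n in window]))
                in_burst = True
        else:
            in_burst = False
    return bursts


def find_shadow_deletions(events) -> List[str]:
    """Return command lines that match a shadow-copy deletion pattern."""
    return [detail for _ts, kind, detail in events
            if kind == "PROCESS_CREATE" and any(p.search(detail) for p in SHADOW_DELETE_PATTERNS)]


def triage(text: str) -> dict:
    events = parse_events(text)
    return {"stop_bursts": find_stop_bursts(events),
            "shadow_deletions": find_shadow_deletions(events)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

In a real deployment the SERVICE_STOP lines would come from the Service Control Manager event log and PROCESS_CREATE from Sysmon or EDR process telemetry; the sheet's figure of roughly 8 s per 100 GB for shadow deletion is the reason the window is kept short, since both signals land within seconds of each other.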

Bottom line: Fappy is decryptor-less today; your only reliable solution is clean, offline backups plus rapid containment. Patch the CVEs it likes (especially the Dec-2023 Outlook/Search bug), stop ISO phishing attachments at the gateway, harden RDP, and monitor for the tiny one-kilobyte readme “!!!FAPPY_DECRYPTION_README!!!.txt” to catch outbreaks early. Good luck, stay safe, and keep those backups disconnected!