Facebook Ransomware Removal Guide

Do you know what Facebook Ransomware is?

Facebook Ransomware is an old ransomware infection that doesn’t differ much from all the other ransomware applications we have discussed before. It might still be possible to get infected with this program, so please be careful. In fact, it would be a good idea to educate yourself about ransomware distribution tactics, so you could avoid all the other ransomware programs that will try to target you in the future.

To remove Facebook Ransomware, please scroll down to the bottom of this description for the manual removal instructions. You can also terminate this infection automatically.

It is very common for several ransomware programs to share a single code base. When several infections are based on the same code, we say that they come from the same malware family. Facebook Ransomware is based on the Hidden Tear code. Hidden Tear is an open-source ransomware program. It means that the main code is publicly available, and almost anyone can get a hold of it and make ransomware infections of their own. At the same time, it also means that not all programs based on the Hidden Tear ransomware are related. Different people can get the malware code, tweak it, and release their own infections.

So, in terms of its main code, Facebook Ransomware can be similar to BlackWorm Ransomware, XCry Ransomware, BSS Ransomware, and many other infections that are based on Hidden Tear. However, it functions perfectly well as a stand-alone infection, and it is very unlikely that the decryption keys used for other Hidden Tear programs would work on Facebook Ransomware.

It would be best to avoid Facebook Ransomware in the first place, but users are often tricked into downloading and installing ransomware on their computers. Most of the time, ransomware infections come via spam email messages. Here, you might ask how spam email can reach your inbox when most such messages get filtered into the Junk folder anyway. Well, spam campaigns that distribute ransomware can pose as notifications from banks, online stores, and official entities (like Microsoft and Google) to trick users into thinking that they have received an important notification and have to check the attached documents immediately.

However, if the tone of the message is very urgent, and if you did not expect to receive anything from the said source, you should scan the attached file with a security tool of your choice before opening it. It is very likely that you will be able to avoid getting infected with Facebook Ransomware if you scan the attached files in advance.

Nevertheless, what happens if Facebook Ransomware still manages to enter the target system? Well, then you go through your usual ransomware experience. Once the program is launched, it encrypts some of the files in the %UserProfile% directory. This is where users keep most of their personal files. Also, we know that Facebook Ransomware can disable Task Manager by modifying the Windows Registry. Malicious programs often try to disable Task Manager because they want to avoid getting removed or killed.

Once the encryption is complete, Facebook Ransomware launches the main program’s window, and the window comes with the information about the infection. It says the following:

oops Your files are encrypted.
Please click the button that says “How to decrypt my files”

If you click the How to decrypt files button, you will see another pop-up box that says you need to pay 0.29 BTC to receive a decryption key. There’s also an additional ransom note that drops on your desktop. The ransom note is READ_IT.rtf, and it sounds like a joke:

Files has been encrypted with hidden tear
Send me some bitcoins or kebab
And I also hate night clubs, desserts, being drunk.

Either way, the point is that you need to remove Facebook Ransomware right now. Since the program was released quite a while ago, there might be a public decryption tool waiting for you. If not, you should look for other file recovery options. If you have a hard drive where you keep copies of your files, you can easily transfer them back into your computer after you have removed the malware and the encrypted files. Choose the file recovery option that is the best for you.

How to Remove Facebook Ransomware

  1. Press Alt+F4 and close the ransomware pop-up.
  2. Delete the most recent files from Desktop and open the Downloads folder.
  3. Delete the most recent files from the folder.
  4. Press Win+R and enter %TEMP%. Press OK.
  5. Remove the most recent files from the directory.
  6. Press Win+R and type regedit. Click OK.
  7. Open HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.
  8. On the right pane, right-click and delete the value DisableTaskMgr.
  9. Reboot your computer. Press Ctrl+Shift+Esc.
  10. Click the Processes tab and highlight processes that say Facebook Official.
  11. Press End Process to kill those processes and close Task Manager.
  12. Use SpyHunter to scan your computer.
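
The checks from the manual steps above, collected into a PowerShell script. This is an added example, not part of the original guide; the -Days look-back window, the -Fix switch and the default Downloads location under %UserProfile% are assumptions. It only lists recent files and leaves the decision to delete them to you.

```powershell
# Added triage helper: reports the indicators named in the removal steps.
# Read-only unless -Fix is passed. $Days is an assumed look-back window.
param(
    [int]$Days = 3,
    [switch]$Fix
)

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$desktop   = [Environment]::GetFolderPath('Desktop')
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumed default location
$cutoff    = (Get-Date).AddDays(-$Days)

# Steps 7-8: the registry value that locks out Task Manager.
$policy = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($null -ne $policy) {
    Write-Output "DisableTaskMgr = $($policy.DisableTaskMgr) under $policyKey"
    if ($Fix) {
        Remove-ItemProperty -Path $policyKey -Name DisableTaskMgr
        Write-Output 'DisableTaskMgr removed.'
    }
} else {
    Write-Output 'DisableTaskMgr is not set for this user.'
}

# The ransom note the guide says is dropped on the desktop.
$note = Join-Path $desktop 'READ_IT.rtf'
if (Test-Path -LiteralPath $note) { Write-Output "Ransom note present: $note" }

# Steps 2-5: recently written files in the three folders, newest first.
foreach ($dir in $desktop, $downloads, $env:TEMP) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Output "Files in $dir written since $($cutoff.ToString('u')):"
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $cutoff } |
        Sort-Object LastWriteTime -Descending |
        Format-Table LastWriteTime, Length, FullName -AutoSize | Out-String
}

# Steps 10-11: processes whose name or description says "Facebook Official".
$suspects = Get-Process | Where-Object {
    $_.Name -like '*Facebook Official*' -or $_.Description -like '*Facebook Official*'
}
if ($suspects) {
    $suspects | Format-Table Id, Name, Description, Path -AutoSize | Out-String
    if ($Fix) { $suspects | Stop-Process -Force }
} else {
    Write-Output 'No process named or described as "Facebook Official" is running.'
}
```

Run it once without -Fix to review what it finds, then again with -Fix to delete the DisableTaskMgr value and end the matching processes.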

In non-techie terms:

Facebook Ransomware may not be the most dangerous infection out there, but this ransomware program can still encrypt your files. If you do not keep a file backup, it might prove challenging to retrieve your data. Please do not panic because that’s exactly what these criminals want. Remove Facebook Ransomware with a reliable antispyware tool, and then explore your options. Please make sure you protect your computer from similar intruders in the future.