Fatboy Ransomware Removal Guide

Do you know what Fatboy Ransomware is?

If you find out that Fatboy Ransomware has hit your computer, strange as it may sound, this could be your lucky day. It is quite rare that we can refer to a cyber attack by an otherwise dangerous ransomware program as “lucky” but, in this case, it is quite possible that, since the Command and Control server is offline, this infection does not encrypt your files. This could mean that all your precious photos, videos, documents, and archives will remain untouched and usable. But this is not the only reason why we do not recommend paying the ransom fee. Transferring money to criminals is like supporting cybercrime directly, not to mention that, if you were hit by a working version that does encrypt files, there is little chance that your files will really be decrypted. In any case, we advise you to remove Fatboy Ransomware as soon as possible.

This malware infection is also called PyCL Ransomware by researchers since it is written in the Python programming language and the main executable file is called “cl.exe.” Since this vicious program is available on the dark net as a service (RaaS), which anyone, even rookies, can buy, it can be customized and all kinds of variants can hit the web. So it should be obvious that this ransomware can hit you from different channels, too. It is possible that you get redirected to a malicious page when you click on unreliable third-party ads or links. This page could be rigged with Exploit Kits (e.g., Angler) and drop this infection onto your computer without your noticing it; this is why this type of attack is so dangerous. It is enough for your browser to load such a page; you do not even need to engage with any content. However, this can only work if your browsers and drivers are outdated. The solution should be clear: you need to keep your browsers and drivers up-to-date all the time to avoid such malicious attacks.

It is also possible that you click on a corrupt third-party ad and this infection drops directly. Yet spam e-mails are probably the most “popular” way for this toothless beast to get onto your PC. This infection can be disguised as an image or a text document file attachment and spread by spam. You should be very careful whenever you open questionable e-mails with attachments. It is quite likely that the attached malicious file keeps its original .exe extension; however, it would also have a fake one, as in “Invoice.jpg.exe,” that could be misleading for inexperienced users. Since such spam would refer to an urgent matter that could draw your immediate attention, you may open this attachment without further ado. Please remember that, most of the time, prevention is the only way to save your files from encryption. If your computer was hit while the C&C server was down, you can remove Fatboy Ransomware without any consequences and your files would be all fine. In other cases, you would have to use a free file recovery tool to decrypt your files, if there is one at all.
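
A defensive check for the disguise described above, as an added example that is not part of the original guide: this PowerShell snippet lists files whose names end in an executable extension hidden behind a document or image one, as in “Invoice.jpg.exe.” The extension lists, the function name Find-DoubleExtension and the sample file names are assumptions made for illustration.

```powershell
# Added example: flag file names that hide an executable extension behind a decoy one.
# Both extension lists are assumptions for illustration, not taken from the guide.
$DecoyExt = 'jpg','jpeg','png','gif','pdf','doc','docx','xls','xlsx','txt'
$ExecExt  = 'exe','scr','com','pif','bat','cmd'
$Pattern  = '\.({0})\.({1})$' -f ($DecoyExt -join '|'), ($ExecExt -join '|')

function Find-DoubleExtension {
    param([Parameter(Mandatory)][string]$Path)
    # -match is case-insensitive, so "Report.PDF.SCR" is caught as well.
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $Pattern } |
        Select-Object Name, LastWriteTime, FullName
}

# Constructed sample: empty files whose names mimic mail attachments.
$sample = Join-Path ([IO.Path]::GetTempPath()) ("dblext-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $sample | Out-Null
'Invoice.jpg.exe', 'Report.PDF.SCR', 'photo.jpg', 'setup.exe', 'notes.v1.txt' |
    ForEach-Object { New-Item -ItemType File -Path (Join-Path $sample $_) | Out-Null }

# Only the two disguised names are reported; plain .exe and .jpg files are not.
Find-DoubleExtension -Path $sample | Format-Table Name, LastWriteTime -AutoSize

Remove-Item -LiteralPath $sample -Recurse -Force

# Real use: point it at the folders where attachments are saved, for example
# Find-DoubleExtension -Path (Join-Path $env:USERPROFILE 'Downloads')
```

Windows hides known file extensions by default, so a file named “Invoice.jpg.exe” is shown as “Invoice.jpg” in File Explorer unless that setting is changed.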

Normally, this malware program applies the AES-256 algorithm to encrypt your personal files first and then the RSA-2048 algorithm to encrypt the decryption key. This way this infection becomes virtually uncrackable. However, after testing a number of samples, it seems right now that, since the C&C server is unavailable, this ransomware cannot encrypt your files. If your files had been encrypted before the server was shut down, you cannot decrypt them anymore, even if these crooks wanted to send you the private key, which is highly unlikely, to be frank.

This infection creates two folders on your system, “%APPDATA%\cl” and “%APPDATA%\How_Decrypt_My_Files.” These contain all the related files, including authentic Python files and libraries as well. Even if there is no encryption, you would still see the ransom note window pop up. You may not be able to close this window easily; it seems to stay on top of all your active windows. This note informs you about the attack and explains in a detailed manner what it means and what you can do to get your files back. Since there is no connection with the server at the time of writing, we cannot tell you the exact amount the crooks behind our samples would ask you to pay. As we have said, this amount can be different anyway. It could reach hundreds of dollars' worth of Bitcoins, if not more. However, you do not need to care about this if your files are not encrypted. All you should do is delete Fatboy Ransomware right away.

After you kill the malicious process through your Task Manager, you can delete all the files and folders associated with this attack. We have included a guide for you below this article so that you can manually eliminate Fatboy Ransomware. Of course, you can always choose to use professional malware removal software (e.g., SpyHunter) to do this automatically for you and, moreover, to protect your PC from future malicious invasions.

How to remove Fatboy Ransomware from Windows

  1. Tap Ctrl+Shift+Esc to open the Task Manager.
  2. Find the malicious process “cl.exe” in the list and click End task.
  3. Exit your Task Manager.
  4. Tap Win+E.
  5. Bin these folders: “%APPDATA%\cl” and “%APPDATA%\How_Decrypt_My_Files”
  6. Delete the malicious .exe file you downloaded.
  7. Empty your Recycle Bin.
  8. Reboot your computer.
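
The manual steps above as a PowerShell script, added here as an example and not part of the original guide. It only previews its actions until $Apply is set to $true; the variable names and the rule that only cl.exe processes running from the user profile are stopped are assumptions of this example (cl.exe is also the file name of Microsoft's C/C++ compiler).

```powershell
# Added example, not from the guide. Run it in the affected user's session.
$Apply   = $false            # set to $true to make changes; otherwise preview only
$preview = -not $Apply

# Indicators named in the guide.
$procName = 'cl.exe'
$folders  = 'cl', 'How_Decrypt_My_Files' | ForEach-Object { Join-Path $env:APPDATA $_ }

# Steps 1-3: end the malicious process. Assumption of this example: a legitimate
# compiler named cl.exe lives under Program Files, so only images located under
# the user profile are treated as the dropped binary.
$profileRoot = $env:USERPROFILE.TrimEnd('\') + '\'
$dropped = @()
foreach ($p in Get-CimInstance Win32_Process -Filter "Name='$procName'") {
    $path = $p.ExecutablePath
    if ($path -and $path.StartsWith($profileRoot, [StringComparison]::OrdinalIgnoreCase)) {
        Write-Host "Suspect:      PID $($p.ProcessId)  $path"
        $dropped += $path
        Stop-Process -Id $p.ProcessId -Force -WhatIf:$preview
    } else {
        Write-Host "Left running: PID $($p.ProcessId)  $path"
    }
}

# Steps 4-5: remove the two folders. Remove-Item deletes permanently, so these
# folders never pass through the Recycle Bin.
foreach ($f in $folders) {
    if (Test-Path -LiteralPath $f) {
        Remove-Item -LiteralPath $f -Recurse -Force -WhatIf:$preview
    } else {
        Write-Host "Not present:  $f"
    }
}

# Step 6: the downloaded .exe has no fixed name, so it is listed for manual
# review rather than deleted automatically.
$dropped | Sort-Object -Unique |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Write-Host "Review and delete: $_" }
```

Rebooting afterwards, as in step 8, is still required.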

In non-techie terms:

Fatboy Ransomware is a dangerous threat that is for sale on the dark net as a service. For this reason, you can be hit by all kinds of variants of this ransomware that could demand different amounts for the decryption of your encrypted files. Since our researchers have found that the Command and Control server of this malware infection is shut down for an unknown period of time, your files could be safe from encryption. Thus, you do not need to worry about transferring any money to your attackers. Instead, you should remove Fatboy Ransomware from your system right now. If you want to protect your computer properly, you need to employ a decent and up-to-date anti-malware program that will automatically tackle all the existing malware attacks.