FORMA Ransomware

What is FORMA Ransomware?

If you run your Windows operating system using Polish, or you live in Poland, FORMA Ransomware is the threat you need to beware of, amongst thousands of others. While most infections are pretty versatile, and they use English to deliver messages intended for victims, once in a while, we see a threat that has a very specific target. That is how the threat we are discussing in this report works too. The distribution of this malware is still very mysterious, but it is likely that attackers could use spam email attacks to spread the launcher. The threat could be bundled with unreliable programs that might be available on Polish file-sharing websites too. The attackers could also spread malware randomly, but set it to attack only those systems whose IP addresses link to Poland. In any case, if this malware got in, you need to eliminate it as soon as possible, and research team is ready to help you. We have created a guide that should help you remove FORMA Ransomware, and we also discuss other options you have when deleting this dangerous infection.test

How does FORMA Ransomware work?

When FORMA Ransomware enters the system and is executed, the encryption of files begins right away. A special encryption key that only cyber attackers are aware of is used to encode files and make it impossible to read them. The “.locked” extension is added to their names to make it possible for you to spot the corrupted files right away. Unfortunately, you might discover that your personal photos, highly important documents, and other types of files are encrypted. Our hope is that if these files are truly important to you, you have backup copies stored on external drives or virtual clouds. If that is not the case, you are in trouble because decrypting files is not possible. Of course, the creator of FORMA Ransomware wants you to think that there is a way out, and that is why a file named “ODSZYFRFUJ_PLIKI_TERAZ.txt” is created in every folder that has encrypted files. The file, of course, represents a ransom note in Polish. The message starts with this statement: “UWAGA!!! WSZYSTKIE TWOJE PLIKI ZOSTALY ZASZYFROWANE WOJSKOWA METODA SLUZB SPECJALNYCH SHA-256!”

Basically, the attackers expect you to purchase a decryption key, and you are given 48 hours to do it. Because there is no information about how much you need to pay or even how to pay it, you are likely to be pushed into emailing What bad can happen if you do that? Well, if cyber criminals can obtain your email address, no one can stop them from flooding you with malicious emails, and some of them could even contain launchers of other threats. Furthermore, your email address could be shared with or sold to third parties, and we cannot know how they could use such information. On top of that, even if that is the only option for you, and you are willing to pay the ransom, you need to think if you really can trust cyber criminals to help you out. We believe that you cannot. Most likely, the attackers will simply take your money and step away from the situation, leaving you empty-handed. The sad news is that, at the time of research, legitimate decryptors could not help. If you are going to look for one, make sure you do not install malware.

How to remove FORMA Ransomware

The instructions you can find below are meant to help you delete FORMA Ransomware components from your Windows operating system. If you do not erase these files, you will not be safe. We can say the same about all other malicious components that might exist on your operating system. Do not assume that other threats do not exist just because you do not see them. Ransomware is flashy and visible, but there are tons of other infections that can be concealed and hide even from some security programs. Of course, if you decide you want to remove FORMA Ransomware manually, the most important task for you is to eliminate the launcher file, which can hide anywhere, and its name should be unique too. Do not panic if you are not able to erase ransomware or any other existing threats manually because anti-malware software exists. If you install software that is legitimate and trustworthy, you will have your system cleaned and protected in no time.

Removal Instructions

  1. Launch Explorer by tapping keys Win+E at the same time.
  2. Enter %TEMP% into the box at the top to access the directory.
  3. Delete these files: invisible.vbs, FORMA.exe, AdobeAcrobatReader.exe, admin.exe, 1.Bat, 2.bat, 3.bat, 4.bat.
  4. Enter the following paths into the Explorer to find and Delete a file named syswin32.lnk:
    • %ALLUSERSPROFILE%\Application Data\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
    • %ALLUSERSPROFILE%\Start Menu\Programs\Startup
    • %APPDATA%\Microsoft\Windows\Start Menu\Startup
    • %USERPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
  5. Once you Empty Recycle Bin, quickly examine your operating system using a legitimate malware scanner. 100% FREE spyware scan and
    tested removal of FORMA Ransomware*


Leave a Comment

Enter the numbers in the box to the right *