FidRW.exe Ransomware

malware analysis fidelis security training ransomware
FidRW.exe is a piece of malware which will download additional stages to your computer with the ultimate goal of launching ransomware. These files are ultimately benign.


FidRW.exe begins by logging in to the following FTP server: 

USERNAME: [email protected]
PASSWORD: Z^?m6K!uh^rh

Upon successful authentication, there are 7 files listed in the server’s directory. FindRW.exe first requests exfiltrator.pdf which is actually an EXE. The file is downloaded as notepadd.exe and launched.

This second stage executable mimics the first and again logs into the FTP server but this time downloads persist.bat. This file is still under development as indicated by its contents. This will most likely be filled with persistence mechanisms to maintain the infection on the box.

The Demo_Ransomware.exe application collects the following system survey information and passes it back to the server.

After this, the application drops “Ransom Note.txt” to the public users directory and it reads:

Alas, we have been swindled by a ransomware application intended for demonstration/awareness purposes. Drats. No threat here.


The initial dropper and subsequent stages are adequately detected by many anti-virus solutions as being potentially malicious. Since this is an application intended for demonstration purposes only, so there is no real threat to be detected.


Although this application is intended for demonstration/awareness of how ransomware works, it uses real world techniques employed by malware around the globe. It is a nice example of multi-staged malware and can be used by RE/security researchers for practice.