FortyFy is a type of rogue browser extension that security researchers categorize as a browser hijacker. It is similar to other recently detected rogue apps like PubQuo and the Bing Redirect virus, and it is often installed together with another extension called NebulaNanoel. We have also verified that this extension redirects to Boyu.
This hijacker leverages the “Managed by your organization” feature of Chromium browsers to prevent you from reverting the changes it has made.
All this will happen without your informed permission or knowledge. Users typically get such rogue apps after installing pirated software like cracked games, or the extensions themselves were once legitimate but were sold to third parties, thus bypassing the Chrome Web Store policies. In fact, the second scenario is exactly what happened with the Fortyfy extension.
FortyFy Extension removal instructions
Fortyfy itself – the extension – enforces the changes and allows the redirects. But there are other parts of the hijacker outside your browser, which modify system settings. We created the guide to address all of them, not just the browser. Don’t skip steps.
In Chrome, you will have to deal with the Fortyfy extension replacing your default search engine, homepage, and new tab page. The hijacker leverages the “Managed by your organization” feature of Chromium browsers to prevent you from reverting any changes it made.
SUMMARY:
| Name | FortyFy |
|---|---|
| Type | Browser Hijacker |
| Detection Tool | |
We’ve divided our guide into several sections that must be completed in the given order or you won’t be able to fully get rid of the Fortyfy extension.
Remove FortyFy “Managed by” Policy From Chrome
The biggest obstacle for most users when trying to delete FortyFy from their browser is the “Managed by your organization” policy that the hijacker uses to evade removal. Here, we’ll give you several ways to deal with this obstacle. We recommend you try them all for best results.
Remove Fortyfy through the Group Policy Editor
- Type Edit Group Policy in the Start Menu, open the first result and expand the Computer Configuration entry.
- Right-click on Administrative Templates and click Add/Remove Templates.
- If you see any items in the list that shows up, select them and select Remove. We assume you are on a home or unmanaged PC. If you are on a work PC that should be managed by a higher admin, contact that admin.
- Restart the PC, open your browser, and see if the rogue policy is gone.
Delete Fortyfy from your system registry
If you used the first method and cleaned the Group Policy Editor, any FortyFy entries should be gone from the Registry. But I still recommend manually checking it just in case there’s something left:
- First, go into your browser and visit the policy page for the browser you are using: chrome://policy for Chrome, edge://policy for Edge, brave://policy for Brave (the pattern is BROWSERNAME://policy).
- See if there are any policies with a Value made up of random letters and numbers.
- If there are, copy each value and paste it into a notepad document for later use. You’ll get back to it as soon as you have collected all the IDs you want to remove.
- Go to Extensions in your browser, and toggle on the Developer Mode button.
- Then look for any questionable extensions you want to remove, copy the value of their IDs, and paste it in the same notepad document as earlier. FortyFy is in this menu. The goal is to spot if there is something else. For example, we know another malware extension, NebulaNanoel, is also installed sometimes.
- Now go to your Registry (type regedit in the Start Menu, right-click the Editor > Run as administrator).
- Press Ctrl + F and paste the values you saved from earlier one by one. Then hit Enter and if anything gets found, delete it. Repeat the search and delete the next item until no more search results are shown.
Now that the Registry is also cleaned, your browser should no longer be locked by any rogue third-party policies. Restart your PC and check if the browser is free. If it’s not, you’ve probably missed something and the next method will help you take care of it.
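As an added example that is not part of the original guide, the following PowerShell script automates the registry check described above. It inspects the well-known policy keys that Chrome, Edge and Brave read (under SOFTWARE\Policies in HKLM and HKCU), reports every ExtensionInstallForcelist entry and every value containing one of the IDs you collected, and can remove matching values when run elevated with -Remove (preview first with -Remove -WhatIf). The script name, parameter names and the placeholder ID are assumptions of this example.

```powershell
# Added example (not from the original guide): inspect the Chrome, Edge and Brave
# policy keys in the registry, report forced extensions, and flag values that
# contain the extension IDs collected from chrome://policy and the Extensions page.
# Run with -Remove -WhatIf to preview removals; -Remove alone deletes matching values.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder ID: replace with the ones you pasted into your notepad file.
    [string[]]$SuspectIds = @('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'),
    [switch]$Remove
)

# Policy roots for the three Chromium browsers, machine- and user-scope.
$roots = foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($vendor in 'Google\Chrome', 'Microsoft\Edge', 'BraveSoftware\Brave') {
        "$hive\SOFTWARE\Policies\$vendor"
    }
}

$findings = 0
foreach ($root in $roots) {
    if (-not (Test-Path $root)) { continue }
    # On a home PC that is not domain-managed, any key here deserves a look.
    Write-Host "== $root"
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse)
    foreach ($key in $keys) {
        $forced = $key.PSChildName -eq 'ExtensionInstallForcelist'
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            # Which of the collected IDs (if any) appear in this value?
            $hits = @($SuspectIds | Where-Object { $value -match [regex]::Escape($_) })
            if (-not $forced -and $hits.Count -eq 0) { continue }
            $findings++
            # The registry provider names the unnamed default value "(default)".
            $regName = if ($name) { $name } else { '(default)' }
            Write-Host ("  {0}\{1} = {2}" -f $key.Name, $regName, $value)
            if ($Remove -and $hits.Count -gt 0 -and
                $PSCmdlet.ShouldProcess("$($key.Name)\$regName", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key.PSPath -Name $regName
            }
        }
    }
}
Write-Host "$findings policy value(s) reported. Restart the browser and re-check its policy page."
```

Values are only removed when they match an ID you supplied; forced-extension entries that do not match are reported so you can decide about them yourself.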
Remove Fortyfy with the Chrome Policy Remover
This small free tool can automatically clean your Chrome browser (only Chrome) from any rogue policies. Here’s how to use it:
- Download the Chrome Policy Remover from here. Since it’s a user-made tool, your AV may quarantine it or delete it. If that happens, disable the antivirus (temporarily) and download the app again.
- Right-click the Policy Remover, select Run as Administrator, and click OK to open it.
- Press the Enter key to start the script that will clean your browser’s policies.
- Once the process completes, close the CMD window and restart your PC.
After you do this, your control over the Chrome browser will be restored. All that’s left to do is clean the Chrome settings and delete FortyFy from the browser.
Remove any Fortyfy Extension leftover settings
Now that your browser is not locked by the FortyFy policy, you’ll be able to go ahead and delete the extension. Just remember to also check and restore any other browser settings that have been changed without your approval.
Below, we’ll show the steps to clean Chrome. The process to do the same in any other Chromium-based browser (e.g. Edge, Brave) is very similar. The steps are the same, only the placement of certain settings might be changed a bit.
- In your Chrome browser, click the three dots (top-right), open Extensions, disable the FortyFy extension, and click Remove to delete it. Do the same with any other unwanted items.
- Open the Chrome menu again, and go to Settings > Privacy and Security.
- Select Delete browsing data > Advanced, leave only Passwords unchecked, and click Delete Data.
- Click Site Settings from the left, scroll to Permissions, and check the different permission types for rogue sites listed under “Allowed”. If you see anything sketchy, click its three dots button, and click Remove.
- Then open the Appearance tab, see if there’s any rogue URL typed there, and delete it.
- Go to Search Engine, see if your default search engine has been changed and if yes, change it back. Then go to Manage Search Engines, look for suspicious and unfamiliar tools, and if you find any, delete them.
- Lastly, check the On Startup section and delete from it any rogue URLs you may find there.
And with that, the browser should be back to normal, free of any rogue policies and extensions. From here on, you must make sure to be more careful with the things you allow into your PC to avoid similar hijackers in the future.
The Effects FortyFy Has on User Privacy
One of the biggest issues linked to hijackers like FortyFy is the effect that they have on user privacy. Such rogue apps don’t seek to corrupt files or blackmail the user, but they will almost always monitor your browsing patterns, search queries, and online habits. The hijackers will usually not disclose their data-collection practices in a clear way and so the users generally have no idea that their browsing habits are being closely monitored and recorded. Such data is highly valuable to online advertisers, so the people behind FortyFy will either sell it to the highest bidder or directly use it themselves for targeted advertising (or both).
It is annoying and a privacy breach when you are targeted by hijacker ads, but it will probably not lead to direct harm. The real issue is if the info falls into the hands of cybercriminals because they will certainly use it in more nefarious and damaging ways. Scammers can send you fake adverts and message you phishing links by using the information they’ve collected. This way they can get you to share sensitive details about yourself like your password for some of your accounts or even your banking credentials.
The worst part is that once your browsing data gets collected by a hijacker, you have zero knowledge and control over where it goes and how it’s used. For this reason, the only solution here is to get rid of FortyFy ASAP or else your virtual privacy will continue to be compromised.
The Purpose of FortyFy and Other Hijackers
There’s typically one central goal that dictates what hijackers do and how they are used and that goal is profit. We already told you how these rogue apps will collect your browsing data only to sell it to third-party advertisers or even directly target you with paid ads. We’ll admit that this is a common practice that pretty much every legitimate site and app uses today to generate revenue. The problem is that the people behind FortyFy will put their profit over everything else, including your virtual safety.
The ads this hijacker may generate on your screen or the third parties it could sell your data to could easily be hosted by scammers or online criminals. As long as the money flows, the owners of FortyFy don’t really care. Furthermore, the hijacker could directly send your browser to sites it’s designed to promote, even if those sites aren’t safe and could be used as platforms for scamming schemes. If such redirects occur in your browser because of FortyFy (or another hijacker), it’s critical that you do not interact with anything on the site you are sent to. The only safe solution in such situations is to uninstall the hijacker.
Methods Used by FortyFy to Evade Detection
A key aspect of the success of FortyFy is that it manages to enter the user’s system unnoticed and remain on it for as long as possible to maximize profits. Its creators know that the hijacker will eventually be removed from the affected browser, so they design it to be both difficult to detect and get rid of.
We already mentioned how the hijacker typically gets installed in the browser without the user’s awareness. This mostly happens through file bundles – installation packages with several apps inside that get installed together. The user typically wants the main program from that package but doesn’t notice that there are other apps attached to it. If those additional elements aren’t disabled manually within the setup settings, they will get installed alongside the main thing. This is how users typically get a hijacker added to their browser without realizing it.
Another common vector for distributing such unwanted software is presenting the hijacker as something useful, like a free utility or a handy browser extension. Often, they’ll even have some rudimentary functionality to at least seem like legitimately helpful software, but soon after they are installed, it becomes apparent that they are little more than a revenue-generation tool with barely any use.
Once installed, FortyFy gets busy modifying the browser and even some of the system settings. It tinkers with the Registry and other system settings, which lets it make changes in the browser and enforce them as “Managed by your organization”. This stops the user from reverting those changes directly, from within the browser, which significantly slows down the hijacker’s removal. The good news is we’ve researched the potential system changes FortyFy could make to gain persistence in the system and we’ll show you in our guide how to spot them and reverse them. After that, you should be able to clean the affected browser(s) relatively easily (also shown in the guide).