
FIXI Ransomware

Posted: August 13, 2020

The FIXI Ransomware is a file-locking Trojan from the Scarab Ransomware family, a Ransomware-as-a-Service business. The FIXI Ransomware can keep files as hostages by encrypting them and targets documents and other widely used media formats preferentially. Users with backups saved off the local machine can protect their work efficiently, and the anti-malware programs of most trustworthy companies should block or remove the FIXI Ransomware.

An Evolved Bug Crawls Out of the Dark Web

While some regional quirks leave it a memorable imprint on the threat landscape, the Scarab Ransomware Ransomware-as-a-Service is more than a Trojan family; it also is a business. And its business is booming, as shown by the latest campaigns with variant Trojans circulating in the wild, like the Trump Ransomware, the Dom Ransomware or the FIXI Ransomware. Although the FIXI Ransomware is a newer release than older builds such as 2019's Les# Ransomware or 2018's Helpersmasters@airmail.cc Ransomware, the payload strategies show a remarkable long-term consistency.

The FIXI Ransomware uses a prominent Delphi packer, 'Bobsoft Mini Delphi,' for hiding the purpose of its code, which is non-consensual encryption. The feature converts files into non-opening versions of themselves, with the formats most at risk being digital media such as documents. However, the FIXI Ransomware also may target other data types like archives. Like most versions of the Scarab Ransomware RaaS, it also overwrites files' names with a random string of alphabetic characters.

The FIXI Ransomware includes less-visible features that degrade the system's security and remove some recovery possibilities. Using default system tools and commands, it deletes the Windows Restore Points and turns off default tools like Task Manager. These changes are consistent with the intentions the Trojan states in its Notepad message to the victim: a ransom note that sells a data unlocker for Bitcoins. The file also shows that the FIXI Ransomware belongs to the English half of its family – another branch deals in Russian-speaking victims.
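The recovery-removal and Task Manager changes above are the kind of pre-encryption behaviour a defender can catch in process-creation and registry telemetry before much encryption occurs. The following is an added detection example, not code from this page or from the FIXI sample; the specific command lines and registry value it matches (shadow-copy deletion via `vssadmin`/`wmic`, `bcdedit` recovery settings, and the `DisableTaskMgr` policy value) are assumptions based on commonly documented Windows tooling, and the log lines are constructed in a Sysmon-like format.

```python
import re
from typing import Iterable, List, Tuple

# Indicator patterns (assumptions: common Windows tooling used to delete
# Restore Points / shadow copies and to disable Task Manager, not a
# signature taken from the FIXI sample itself).
INDICATORS = [
    ("shadow_copy_deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_deletion", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery_disabled", re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I)),
    ("taskmgr_disabled", re.compile(r"Policies\\System\\DisableTaskMgr\b.*\b0x0*1\b", re.I)),
]

def scan_events(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_no, tag, line) for every event line matching an indicator.

    One tag per line: the first matching pattern wins.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for tag, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((n, tag, line.strip()))
                break
    return hits

def ransomware_prep_score(lines: Iterable[str]) -> int:
    """Number of distinct recovery-degrading behaviours seen; two or more
    on one host in a short window is a strong signal to isolate it."""
    return len({tag for _, tag, _ in scan_events(list(lines))})

# Constructed sample telemetry: event 1 = process creation, event 13 = registry set.
SAMPLE_LOG = [
    "EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    "EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd /c dir C:\\Users",
    "EventID=13 TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr Details=DWORD (0x00000001)",
    "EventID=1 Image=C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine=wmic shadowcopy delete",
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_LOG):
        print(hit)
    print("distinct behaviours:", ransomware_prep_score(SAMPLE_LOG))
```

The benign `dir` line is deliberately included to show the patterns do not fire on ordinary command-line activity.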

The Fix to the Worst File-Fixer Kind

Free decryption potential for the Scarab Ransomware campaigns remains highly questionable, at best, and malware researchers don't recommend assuming that an attack is ever reversible. Since the FIXI Ransomware also removes local backups, users should save backups on other devices for general-purpose restoration needs. The FIXI Ransomware is a Windows-only threat, but similar file-locking Trojans for other operating systems are becoming more noteworthy.

Besides its use of (mostly ineffectual) packing, malware experts have little data regarding the FIXI Ransomware's disguises or infection strategies. Windows users should have strong passwords that can withstand a brute-force 'hacking' attempt and avoid unsafe download sources like e-mail attachments, documents with macros, unofficial website updates, and torrents. The FIXI Ransomware is a threat to both home PCs and unprotected servers and can lock and delete files in either environment equally effectively.

Most anti-malware programs from reputable companies will see through the current obfuscation attempts of this threat and block or remove the FIXI Ransomware automatically after detecting it. Unfortunately, disinfecting a computer prevents further damage but doesn't unlock any media.

The FIXI Ransomware is another step for Ransomware-as-a-Service operations, which require a consistent business plan that other threat actors acknowledge as worth their money and time. Anyone taking the machinery of illicit industries too flippantly might become the next 'customer' whose files get the squeeze between its gears.
