FuxSocy Ransomware Description
A new ransomware strain that borrows large chunks of code from the now infamous Cerber Ransomware has been detected in the wild. First discovered by a cybersecurity expert, the malware goes by the name FuxSocy Encryptor, which is apparently inspired by the FSociety hacking group from the hit TV series Mr. Robot.
The FuxSocy Ransomware follows the typical ransomware model of behavior - it infiltrates the user's computer, uses strong encryption algorithms to lock the targeted files, and then demands a ransom from the victim in exchange for a decryptor tool that can restore the data. While it is indeed common for ransomware threats to copy parts of each other's underlying code, in the FuxSocy Ransomware case we are talking about significant portions that have been lifted directly from Cerber.
Multiple Similarities with Cerber
Let’s start with the exclusions list. During the encryption process, the FuxSocy Ransomware skips folders that contain certain strings. Apart from a couple of new additions, the list of such strings is identical to the one used by the Cerber Ransomware. Here is a complete list of the strings marked for exclusion:
*:\documents and settings\all users\*
*:\documents and settings\default user\*
*:\documents and settings\localservice\*
*:\documents and settings\networkservice\*
*:\program files (x86)\*
*:\system volume information\*
The authors of the FuxSocy Ransomware didn't stop there, though. Both ransomware threats scramble the names and extensions of the encrypted files in a similar fashion. For example, a file called "Photo.png" will be renamed to a random ten-character name followed by a random four-character extension. Another way in which the FuxSocy Ransomware copies the Cerber Ransomware is the desktop image that both threats set as the new default wallpaper.
The same is also true for the list of folder names both threats use to identify folders that get priority during encryption. Some of them are Bitcoin, Excel, Microsoft SQL Server, Microsoft\Microsoft SQL Server, Microsoft\Excel, Microsoft\Office, Microsoft\Outlook, Microsoft\Word, Microsoft\Powerpoint, Office, Onenote, Powerpoint, Steam, Word, Autodesk and OpenSCAD.
What Sets FuxSocy Ransomware Apart?
A major difference is the FuxSocy Ransomware's expanded set of checks for refusing to run on virtual machines. To do so, the malware compares the running system against its internal list of processes, files, and named pipes. Some of them are:
The payment method chosen by the crooks behind the FuxSocy Ransomware is also different: victims are instructed to use the ToxChat messaging application for contact instead of being directed to a Tor payment site, as was the case with the Cerber Ransomware.
The ransom note dropped on the victim’s computer is different as well:
All your files documents, photos, databases and other important files are encrypted.
The only method of recovering files is to purchase a private key. It is on our server and
Only we can recover your files.
- Visit https://tox.chat/download.html
- Download and install qTOX on your PC.
- Open it, click "New Profile" and create profile.
- Click "Add friends" button and search for our contact.
Another distinguishing characteristic of the FuxSocy Ransomware, as discovered by the researcher Michael Gillespie, is that it doesn't encrypt files in their entirety. Instead, encryption starts at byte offset 0x708 into each file, leaving the first 0x708 bytes untouched. For nearly all files this is still enough to render them completely unusable, but for some image files a small portion could remain visible when the file is opened.
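The 0x708 offset and the rename scheme give a responder two cheap triage signals when sorting through a hit filesystem: an encrypted file keeps a low-entropy header followed by a high-entropy body, and its name matches the ten-plus-four pattern. The script below is an added example, not code from the article or from any analysis of the sample; it assumes an alphanumeric rename alphabet (the article only gives the lengths) and runs on constructed sample data rather than real victim files.

```python
import hashlib
import math
import re
from collections import Counter

# Byte offset at which FuxSocy starts encrypting, per the article (0x708).
ENCRYPT_OFFSET = 0x708
# Cerber/FuxSocy-style renaming: ten random characters, a dot, four random
# characters. The alphabet is an assumption; the article only gives the lengths.
RENAME_RE = re.compile(r"^[A-Za-z0-9]{10}\.[A-Za-z0-9]{4}$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, much lower for most plaintext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Triage one file by comparing entropy before and after ENCRYPT_OFFSET."""
    head, tail = data[:ENCRYPT_OFFSET], data[ENCRYPT_OFFSET:]
    if len(tail) < 256:
        return "too_small"            # not enough bytes past the offset to judge
    if shannon_entropy(tail) < threshold:
        return "intact"               # body is still structured plaintext
    if shannon_entropy(head) >= threshold:
        return "fully_encrypted"      # header gone too: whole-file encryption
    return "partially_encrypted"      # intact header, random body: FuxSocy-style


def looks_renamed(filename: str) -> bool:
    """True when the name fits the ten-character name / four-character extension scheme."""
    return RENAME_RE.fullmatch(filename) is not None


# Constructed samples: a PNG-like header with a repetitive body stands in for
# plaintext; SHA-256 chaining stands in for ciphertext so the demo is deterministic.
def _fake_ciphertext(n: int, seed: bytes) -> bytes:
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


INTACT = b"\x89PNG\r\n\x1a\n" + b"\x00\x01\x02\x03" * 1500
PARTIAL = INTACT[:ENCRYPT_OFFSET] + _fake_ciphertext(len(INTACT) - ENCRYPT_OFFSET, b"a")
FULL = _fake_ciphertext(len(INTACT), b"b")

if __name__ == "__main__":
    for label, blob in (("intact", INTACT), ("partial", PARTIAL), ("full", FULL)):
        print(label, "->", classify(blob))
    print("Photo.png renamed?", looks_renamed("Photo.png"))
```

Natively compressed formats (JPEG, ZIP-based Office files) have high-entropy bodies even when untouched, so corroborate the entropy verdict with a header magic check before treating a file as encrypted.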
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to FuxSocy Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.