FuxSocy Ransomware

FuxSocy Ransomware Description

A new ransomware strain that borrows large chunks of code from the now infamous Cerber Ransomware has been detected in the wild. First discovered by cybersecurity expert, the malware goes by the name FuxSocy Encryptor, a name apparently inspired by the FSociety hacking group from the hit TV series Mr. Robot.

The FuxSocy Ransomware follows the typical ransomware model of behavior - it infiltrates the user's computer, uses strong encryption algorithms to lock the targeted files, and then demands a ransom from the victim in exchange for a decryptor tool that can restore the data. While it is common for ransomware threats to copy parts of each other's underlying code, in the FuxSocy Ransomware case, we are talking about significant portions that have been lifted directly from Cerber.

Multiple Similarities with Cerber

Let's start with the exclusion list. During the encryption process, the FuxSocy Ransomware skips folders whose paths match certain strings. Apart from a couple of new additions, the list of such strings is identical to the one used by the Cerber Ransomware. Here is the complete list of the strings marked for exclusion:

*:\$getcurrent\*
*:\$recycle.bin\*
*:\$windows.~bt\*
*:\$windows.~ws\*
*:\boot\*
*:\documents and settings\all users\*
*:\documents and settings\default user\*
*:\documents and settings\localservice\*
*:\documents and settings\networkservice\*
*:\intel\*
*:\msocache\*
*:\perflogs\*
*:\program files (x86)\*
*:\program files\*
*:\programdata\*
*:\recovery\*
*:\recycled\*
*:\recycler\*
*:\system volume information\*
*:\temp\*
*:\tmp\*
*:\windows.old\*
*:\windows10upgrade\*
*:\windows\*
*:\winnt\*
*:\.*\*
*\appdata\local\*
*\appdata\locallow\*
*\appdata\roaming\*
*\local settings\*
*\public\music\sample music\*
*\public\pictures\sample pictures\*
*\public\videos\sample videos\*
*\tor browser\*
.txt
.jpg
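When scoping an incident, it helps to know which paths the exclusion list leaves untouched and which it leaves in scope. The following is an added example, not code from the page or from the malware: it applies a subset of the patterns above as globs and treats the bare ".txt"/".jpg" entries as extension exclusions, which is an assumption, as is case-insensitive matching with "*" spanning backslashes.

```python
import fnmatch
import ntpath

# Constructed subset of the exclusion strings listed above; the full list can be
# pasted in unchanged. Directory rules are globs, bare ".ext" rules are extensions
# (that reading of ".txt"/".jpg" is an assumption, not stated on the page).
EXCLUSIONS = [
    r"*:\$recycle.bin\*",
    r"*:\program files\*",
    r"*:\program files (x86)\*",
    r"*:\windows\*",
    r"*\appdata\local\*",
    r"*\appdata\roaming\*",
    r"*\tor browser\*",
    ".txt",
    ".jpg",
]


def is_excluded(path: str, exclusions=EXCLUSIONS) -> bool:
    """Return True if the path would be skipped under the exclusion list.

    Assumptions: matching is case-insensitive (Windows paths are) and '*' may
    span backslashes, which is what fnmatch gives us.
    """
    p = path.lower()
    ext = ntpath.splitext(p)[1]
    for rule in exclusions:
        rule = rule.lower()
        if rule.startswith("."):
            if ext == rule:          # extension rule
                return True
        elif fnmatch.fnmatchcase(p, rule):  # directory glob rule
            return True
    return False


def classify(paths):
    """Split sample paths into (skipped, in_scope) lists for triage reporting."""
    skipped = [p for p in paths if is_excluded(p)]
    in_scope = [p for p in paths if not is_excluded(p)]
    return skipped, in_scope
```

Feeding a file listing from an affected host into classify() gives a quick first cut of which documents were candidates for encryption and which (for example .txt and .jpg files) should still be intact.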

The authors of the FuxSocy Ransomware didn't stop there, though. Both ransomware threats scramble the names and extensions of the encrypted files in the same fashion. For example, a file called "Photo.png" will be renamed to a random ten-character name followed by a random four-character extension. Another way in which the FuxSocy Ransomware copies the Cerber Ransomware is the image that both threats set as the new desktop wallpaper.

The same is also true for the list of folder names that both ransomware threats use to identify folders that get priority during encryption. Some of them are Bitcoin, Excel, Microsoft SQL Server, Microsoft\Microsoft SQL Server, Microsoft\Excel, Microsoft\Office, Microsoft\Outlook, Microsoft\Word, Microsoft\Powerpoint, Office, Onenote, Powerpoint, Steam, Word, Autodesk and OpenSCAD.

What Sets FuxSocy Ransomware Apart?

A major difference is the FuxSocy Ransomware's expanded set of checks for refusing to run on virtual machines. To do so, the malware looks for matches against its internal list of process names, files, and named pipes. Some of them are:

vboxservice.exe
vboxtray.exe
VMSrvc.exe
VMUSrvc.exe
vmtoolsd.exe
\\.\VBoxMiniRdrDN
\\.\VBoxGuest
\\.\pipe\VBoxMiniRdDN
\\.\VBoxTrayIPC
\\.\pipe\VBoxTrayIPC
system32\drivers\VBoxMouse.sys
system32\drivers\VBoxGuest.sys
system32\drivers\VBoxSF.sys
system32\drivers\VBoxVideo.sys
system32\vboxdisp.dll
system32\vboxhook.dll
system32\vboxmrxnp.dll
system32\vboxogl.dll
system32\vboxoglfeedbackspu.dll
system32\vboxoglpackspu.dll
system32\vboxoglpassthroughspu.dll
system32\vboxservice.exe
system32\vboxtray.exe
system32\VBoxControl.exe
system32\drivers\vmmouse.sys
system32\drivers\vmhgfs.sys
system32\drivers\vm3dmp.sys
System32\drivers\vmci.sys

The payment method chosen by the crooks behind the FuxSocy Ransomware is also different: victims are instructed to use the Tox chat messaging application for contact instead of being directed to a Tor payment site, as was the case with the Cerber Ransomware.

The ransom note dropped on the victim’s computer is different as well:

'Attention!!!
All your files documents, photos, databases and other important files are encrypted.
The only method of recovering files is to purchase a private key. It is on our server and
Only we can recover your files.

  1. Visit https://tox.chat/download.html
  2. Download and install qTOX on your PC.
  3. Open it, click "New Profile" and create profile.
  4. Click "Add friends" button and search for our contact.

'

Another distinguishing characteristic of the FuxSocy Ransomware, discovered by the researcher Michael Gillespie, is that it doesn't encrypt files in their entirety. Instead, encryption starts at offset 0x708, leaving the first 0x708 bytes of each file untouched. For nearly all files this is still enough to render them completely unusable, but for some image files a small portion could remain visible when the file is opened.
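For forensic triage, the intact leading 0x708 bytes are useful: a file signature and early header fields survive even though the rest of the file is ciphertext. The following added example (not code from the page or from any vendor tool) checks a suspect blob for that pattern on a PNG: signature intact in the head, IHDR dimensions still readable, high entropy from offset 0x708 onward. The sample files it builds are constructed stand-ins, and the 7.5 bits/byte entropy threshold is an assumption.

```python
import math
import random
import struct
from collections import Counter

ENC_START = 0x708                     # encryption start offset, per the page
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, far lower for structured data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(blob: bytes, threshold: float = 7.5) -> dict:
    """Report whether a file shows the partial-encryption pattern described above:
    an intact PNG header (signature plus IHDR, both inside the first 0x708 bytes)
    followed by a high-entropy remainder. The threshold is an assumed heuristic."""
    head, tail = blob[:ENC_START], blob[ENC_START:]
    result = {"png_header_intact": head.startswith(PNG_MAGIC),
              "tail_entropy": round(shannon_entropy(tail), 2)}
    result["tail_looks_encrypted"] = len(tail) > 0 and result["tail_entropy"] > threshold
    if result["png_header_intact"] and len(head) >= 24:
        # IHDR chunk: 4-byte length, b"IHDR", then big-endian width and height
        result["width"], result["height"] = struct.unpack(">II", head[16:24])
    return result


def make_sample(encrypted: bool, size: int = 8192, seed: int = 1) -> bytes:
    """Constructed stand-in for a 640x480 PNG: real signature and IHDR, the rest
    zero-filled; the 'encrypted' variant has pseudo-random bytes from 0x708 on."""
    ihdr = (struct.pack(">I", 13) + b"IHDR" + struct.pack(">II", 640, 480)
            + b"\x08\x02\x00\x00\x00" + b"\x00" * 4)   # bit depth etc., CRC placeholder
    header = PNG_MAGIC + ihdr
    blob = header + bytes(size - len(header))
    if encrypted:
        rng = random.Random(seed)
        noise = bytes(rng.getrandbits(8) for _ in range(size - ENC_START))
        blob = blob[:ENC_START] + noise
    return blob
```

Run over a directory of renamed ten-character files, the same check helps map scrambled names back to original file types even when the content itself is unrecoverable.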


Posted: October 29, 2019
