
SoFucked Ransomware

Posted: September 13, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: September 13, 2017
Last Seen: April 18, 2018
OS(es) Affected: Windows

The SoFucked Ransomware is a Trojan that encrypts your files with AES and demands payment for their safe return. Decryption services offered by the extortionists aren't reliable, and malware experts recommend trying free decryption alternatives or restoring from your most recent backup instead of paying for a service that may never deliver. Since the symptoms of this infection may not appear immediately, users should depend on standard anti-malware security measures for detecting, quarantining or uninstalling the SoFucked Ransomware.

The Trojan that Tells It Like It Is

Trojans that use encryption to extort money from the PC users they attack can come with sophisticated, in-depth instructions on how to pay. Alternately, their authors may opt for a low-effort implementation that provides only the bare minimum of information, such as an email address. The SoFucked Ransomware falls into the latter group, although the brevity of its instructions doesn't make its encryption attack any less capable of damaging media.

Although the SoFucked Ransomware is fully functional, the samples malware experts have identified to date offer no significant information on how it spreads. The Trojan may be attached to spam emails, downloaded via Web-based threats like the RIG Exploit Kit, or installed manually after con artists brute-force access to a vulnerable server. The SoFucked Ransomware's payload includes, but isn't necessarily limited to, the following features:

  • The SoFucked Ransomware uses an AES-based encryption method for locking widely-used data formats, such as documents. It also appends a '.fff' extension to each encrypted file afterward, which lets the victim identify which content is being held hostage without opening the files one by one.
  • The SoFucked Ransomware also drops a plain-text (Notepad) ransom note either on the desktop or in each folder containing encrypted media. The threat actor provides no significant instructions beyond a generic demand for payment and an email address to contact (with an unusual choice of provider: 'sofucked@freespeechmail.com'). In most such negotiations, the attacker offers either the decryption key or a decryptor program after taking payment through methods like the Bitcoin cryptocurrency.
  • The Trojan also replaces the Windows wallpaper with an image that duplicates the text of the ransom note.

Victims also may experience other symptoms from different builds of the SoFucked Ransomware, such as losing access to the Windows Shadow Volume Copies (which would otherwise allow local file restoration) or being unable to launch tools like the Task Manager.
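The indicators listed above ('.fff' extensions, a text ransom note naming the contact address, and the dropper's size and MD5 from the Technical Details section) are enough for a simple host triage scan. The following script is an added example, not tooling from the page or from any vendor; the directory tree it builds in build_sample_tree() is constructed for the demonstration, and the note filename READ_ME.txt is an assumption, since the page does not give the note's name.

```python
"""Triage scanner for SoFucked Ransomware indicators (added example).

Indicators taken from the page: a '.fff' extension appended to encrypted
files, a plain-text ransom note containing sofucked@freespeechmail.com,
and a 55,296-byte dropper with MD5 5a843982bb525573b3b65c16801cefef.
The sample tree in build_sample_tree() is constructed, not real data.
"""
import hashlib
import os
import tempfile
from pathlib import Path

ENCRYPTED_EXT = ".fff"
NOTE_CONTACT = b"sofucked@freespeechmail.com"
DROPPER_MD5 = "5a843982bb525573b3b65c16801cefef"
DROPPER_SIZE = 55296


def md5_of(path: Path) -> str:
    """Stream a file through MD5 so large files don't need to fit in memory."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> dict:
    """Walk `root` and return matching paths grouped by indicator type."""
    found = {"encrypted": [], "notes": [], "droppers": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            suffix = p.suffix.lower()
            if suffix == ENCRYPTED_EXT:
                found["encrypted"].append(str(p))
            elif suffix == ".txt":
                # Ransom notes are small; only the first 4 KiB is inspected.
                try:
                    if NOTE_CONTACT in p.read_bytes()[:4096]:
                        found["notes"].append(str(p))
                except OSError:
                    pass
            elif suffix == ".exe":
                # Compare the size first; hashing only when the size matches.
                try:
                    if p.stat().st_size == DROPPER_SIZE and md5_of(p) == DROPPER_MD5:
                        found["droppers"].append(str(p))
                except OSError:
                    pass
    return found


def build_sample_tree() -> str:
    """Create a constructed directory that mimics a post-infection profile."""
    root = tempfile.mkdtemp(prefix="sofucked_demo_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "report.docx.fff").write_bytes(os.urandom(64))            # "encrypted" file
    (docs / "photo.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 32)  # untouched file
    (docs / "READ_ME.txt").write_bytes(                              # assumed note name
        b"Your files are encrypted. Contact sofucked@freespeechmail.com\n")
    (Path(root) / "notes.txt").write_bytes(b"grocery list\n")         # benign text file
    return root


if __name__ == "__main__":
    results = scan(build_sample_tree())
    for kind, paths in results.items():
        print(f"{kind}: {len(paths)}")
        for path in paths:
            print("  ", path)
```

The dropper check can only fire on the real sample, since no constructed file will reproduce that MD5; in the demo it returns an empty list, which is the expected negative. Run the scan against a user's profile directory, and treat any hit in "notes" or "droppers" as a reason to isolate the host before touching the encrypted files.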

Rescuing Your Files from an 'Effed' Situation

Since its ransom note provides a minimum of support and its other features are relatively limited, the SoFucked Ransomware may be the product of a threat actor without much experience in file-encrypting threats. Victims are more likely to be recreational PC users who compromise their systems by downloading unsafe content, such as torrents of pirated games or entertainment media. However, there is a theoretical possibility of the SoFucked Ransomware being deployed more professionally, through methods such as brute-forcing access to a business's server or disguising it as an email attachment.

Although testing free decryption software is preferable to paying ransoms to remote attackers, malware experts can't confirm whether any such solution is compatible with the SoFucked Ransomware. Always create spare copies of encrypted files before testing them with potentially irreversible procedures like a cipher-specific decryption routine. Anti-malware products can identify and delete the SoFucked Ransomware, but removing the Trojan doesn't restore the files it has already encrypted, so without backups an infection can cause permanent data loss.

The SoFucked Ransomware's relationship to the rest of the file-locking Trojan industry is still a topic of speculation and research. However, what's certain is that even con artists just stepping into this underground business model need to know little to cause considerable damage to unprotected PCs.

Technical Details

File System Modifications


The following files were created in the system:

File name: name.exe
Path: dir\name.exe
Size: 55.29 KB (55,296 bytes)
MD5: 5a843982bb525573b3b65c16801cefef
File type: Executable file (MIME type: unknown/exe)
Group: Malware file
Detection count: 15
Last updated: September 16, 2017