Threat Report – FuxSocy Ransomware

November 1, 2019 | Views: 1359

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

This blog is by Knogin blog. Reposted with permission.

Summary 

Researchers from MalwareHunterTeam have spotted a new variant of ransomware called FuxSocy; this malware impersonates the known Cerber ransomware. It operates by encrypting the data you have on the computer, changes the file, and its extension to a random one; then, it demands a ransom for its decryption.

After this process is complete, the victim’s desktop wallpaper is changed. Additionally, a text file tilted with a random name, which contains the ransom note, is dropped into every affected folder.

To decrypt it, you would need a decryption software and private key; the note states that to do so, you need to open any of the encrypted folders and then find a specific text file. This file contains detailed instructions on how to decrypt the data. However, we highly advise not to pay if you get infected, some alternatives are free and supported by the government, if you pay for the ransom, in some way you are financing illicit acts.

 

TTPs

The preferred method used to infect computers with the FuxSocy is the same in the case of Cerber ransomware, using the phishing method, an e-mail that tricks you into downloading an attachment that has the malicious payload.

Once the victim is tricked that the attachment is some crucial document, the user downloads and runs it, the infection with FuxSocy begins.

When FuxSocy infects your PC, the first thing will do is perform the following activities:

Drop its virus files in the %AppData%, %Local%, %LocalLow% and other directories create registry entries in multiple different registry sub-keys, such as Run and RunOnce keys, get rights as an administrator.

Then, the FuxSocy begins to encrypt your files using what appears to be a combination of two ciphers – RSA and AES. The virus scans to encrypt files such as:

  • Documents
  • Files
  • Pictures
  • Music
  • Archives
  • Videos

Then, the ransomware sets a wallpaper telling you what has happened and what to do.

 

Conclusions

Being aware is the best way to prevent bad things can happen. However, we cannot always have control of everything, but what we can do is having a restoration point in the computer and also having at least one backup in an external device.

Ransomware infections aim to encrypt your files using an encryption algorithm, which may be very difficult to decrypt. There are alternatives which can be very helpful to recover your data, remember that paying is not a good idea, and does not warranties that you are getting your files back.

 

Advice 

As stated above, we sincerely recommend not paying any ransomware; you can go to nomoreransom.org and get help from them; they list tools that can help you to recover your data.

It is wise to have a minimum of 1 backup outside the computer (if you have a disk in a mirror, the chances are that the mirrored disk gets encrypted too). If you have multiple backups, it’s going to be better as if an external device gets broken; you always can have your data, cloud backups are also an efficient way to have your backup.

TTPs: Tactics, techniques and procedures

 

Share with Friends
FacebookTwitterLinkedInEmail
Use Cybytes and
Tip the Author!
Join
Share with Friends
FacebookTwitterLinkedInEmail
Ready to share your knowledge and expertise?
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

 

We recommend always using caution when following any link

Are you sure you want to continue?

Continue
Cancel