New FuxSocy Ransomware borrows code from defunct Cerber

Researchers discovered a new piece of ransomware called FuxSocy that borrows part of code from Cerber ransomware.

Experts at MalwareHunterTeam discovered a new piece of ransomware called FuxSocy that borrows part of code from Cerber ransomware.

The Cerber ransomware was first spotted in 2016, it was offered in the criminal underground as a ransomware-as-a-service (RaaS).

The name of the ransomware comes after the FSociety hacking collective in the Mr. Robot tv series.

The popular malware researcher Vitali Kremez analyzed the FuxSocy Ransomware and discovered several similarities with the internals of the Cerber ransomware.

“When analyzed by reverse engineer Vitali Kremez, the researcher told BleepingComputer he noticed that some of the ransomware internals are similar to those used by Cerber.” reads the post published by BleepingComputer. “For example, when encrypting files FuxSocy will skip files whose file path contain certain strings. Many of the strings are taken directly from Cerber, who used the same exception list, with FuxSocy adding some additional ones.”

The expert also noticed that the FuxSocy ransomware also scrambles the file name and extensions used by encrypted files in a way similar as the Cerber threat.

Once the ransomware has encrypted the files on the infected system, it will change the desktop by setting up an almost identical background as the Cerber ransomware. 

Unlike Cerber, FuxSocy attempts to block its execution on a virtual machine by looking for a list of processes, files, and named pipes associated with a virtualized environment.

Experts also noticed that the FuxSocy Encryptor only encrypts a portion of the files.

“According to Michael Gillespie, the ransomware will start encrypting files at 0x708 bytes, which for the most part will make documents unusable.” continues BleepingComputer.

The payment processes for the two ransomware are quite different, Cerber uses a Tor payment site, while FuxSocy asks victims you to contact them via the ToxChat messaging app.

The experts explained that at the time of writing there is no way to decrypt the data for free. 

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cybercrime, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]