New FuxSocy Ransomware borrows code from defunct Cerber

Researchers discovered a new piece of ransomware called FuxSocy that borrows part of code from Cerber ransomware.

Experts at MalwareHunterTeam discovered a new piece of ransomware called FuxSocy that borrows part of code from Cerber ransomware.

The Cerber ransomware was first spotted in 2016, it was offered in the criminal underground as a ransomware-as-a-service (RaaS).

The name of the ransomware comes after the FSociety hacking collective in the Mr. Robot tv series.

The popular malware researcher Vitali Kremez analyzed the FuxSocy Ransomware and discovered several similarities with the internals of the Cerber ransomware.

“When analyzed by reverse engineer Vitali Kremez, the researcher told BleepingComputer he noticed that some of the ransomware internals are similar to those used by Cerber.” reads the post published by BleepingComputer. “For example, when encrypting files FuxSocy will skip files whose file path contain certain strings. Many of the strings are taken directly from Cerber, who used the same exception list, with FuxSocy adding some additional ones.”

The expert also noticed that the FuxSocy ransomware also scrambles the file name and extensions used by encrypted files in a way similar as the Cerber threat.

Once the ransomware has encrypted the files on the infected system, it will change the desktop by setting up an almost identical background as the Cerber ransomware.

Unlike Cerber, FuxSocy attempts to block its execution on a virtual machine by looking for a list of processes, files, and named pipes associated with a virtualized environment.

Experts also noticed that the FuxSocy Encryptor only encrypts a portion of the files.

“According to Michael Gillespie, the ransomware will start encrypting files at 0x708 bytes, which for the most part will make documents unusable.” continues BleepingComputer.

The payment processes for the two ransomware are quite different, Cerber uses a Tor payment site, while FuxSocy asks victims you to contact them via the ToxChat messaging app.

The experts explained that at the time of writing there is no way to decrypt the data for free.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – cybercrime, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.