Researchers from MalwareHunterTeam have spotted a new variant of ransomware called FuxSocy; this malware impersonates the known Cerber ransomware. It operates by encrypting the data you have on the computer, changes the file, and its extension to a random one; then, it demands a ransom for its decryption.
After this process is complete, the victim's desktop wallpaper is changed. Additionally, a text file named with a random name, which contains the ransom note, is dropped into every affected folder.
To decrypt it, you would need decryption software and private key; the note states that to do so, you need to open any of the encrypted folders and then find a specific text file. This file contains detailed instructions on how to decrypt the data. However, we highly advise not to pay if you get infected, some alternatives are free and supported by the government, if you pay for the ransom, in some way you are financing illicit acts.
The preferred method used to infect computers with FuxSocy is the same in the case of Cerber ransomware, using the phishing method, an e-mail that tricks you into downloading an attachment that has the malicious payload.
Once the victim is tricked that the attachment is some crucial document, the user downloads and runs it, the infection with FuxSocy begins.
When FuxSocy infects your PC, it will perform the following activities:
- Drop its malicious payload in the %AppData%, %Local%, %LocalLow% and other directories
- Create registry entries in multiple different registry sub-keys, such as Run and RunOnce keys, get rights as an administrator by escalating privileges.
Then, the FuxSocy begins to encrypt your files using what appears to be a combination of two ciphers – RSA and AES. The virus scans for files to encrypt such as:
Then, the ransomware sets a wallpaper telling you what has happened and what to do.
Being aware is the best way to reduce the likelihood of risk. However, we cannot always have control of everything, but a good strategy is to have a restoration point in the computer and also having at least one backup on an external device.
Ransomware infections aim to encrypt your files using an encryption algorithm, which may be very difficult to decrypt. There are alternatives which can be very helpful to recover your data, remember that paying is not a good idea, and does not guarantee that you are going to get your data back.
As stated above, we sincerely recommend not paying any ransomware; you can go to nomoreransom.org and get help from them; they list tools that can help you to recover your data.
It is wise to have a minimum of 1 backup outside the computer (if you have a disk in a mirror, the chances are that the mirrored disk gets encrypted too). If you have multiple backups, it's going to be better as if an external device gets broken you always can have your data, cloud backups are also an efficient way to have your backup.
TTPs: Tactics, techniques and procedures