If you ask around the cyber-security circles who or what is the real Fsociety, they’ll likely say that it’s Anonymous, or try to be clever and answer “Fun Society.” Truth is sometimes lamer than fiction. Fsociety is a new ransomware infection, and it’s not created by an anti-corporate revolutionary group, but by common cyber-criminals. The virus’s name is inspired by the hit TV show Mr. Robot. It infects PCs, encrypts their files and asks for money in return for their decryption. Fsociety uses the strong AES-256 algorithm.
Fsociety ransomware virus – Way of Infection
The developers of Fsociety ransomware are reportedly distributing it by spamming email messages containing malicious URLs and attachments. Users are often too trusting of emails that look like they were sent from PayPal, Microsoft, or other big-name companies. This is a quick way to get infected, as cyber-criminals use these disguises to win the user’s trust and then infect their computer. The best defense against this type of spam is to avoid opening emails containing archives, shortcuts, or weird URLs.
How does the Fsociety ransomware work?
When the Fsociety virus sneaks into your computer, it’ll create legitimate-looking files in the following folders:
C:\Users\[Windows username]\AppData\Local
C:\Windows\Temp
C:\Windows
C:\Users\[Windows username]\AppData\Roaming
C:\Users\[Windows username]\AppData
The virus’s files are generated to look like your average Windows system file, with names like notepad.exe, patch, update, and setup.exe. Chances are that most users already have similar files on their computer, so they wouldn’t notice if some more popped up.
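As an added example (not code from the original article or from any security vendor), the following Python triage checks an exported file listing for the decoy names above sitting directly in the folders above. The function names, the choice to accept only a bare name or a `.exe` extension, the exception for `C:\Windows\notepad.exe`, and the sample listing are assumptions made for illustration.

```python
import re
from pathlib import PureWindowsPath

# Decoy names listed in the article, matched by stem. Accepting only "" or
# ".exe" as the extension is an assumption ("patch" and "update" are bare).
DECOY_STEMS = {"notepad", "patch", "update", "setup"}
DECOY_SUFFIXES = {"", ".exe"}

# The five drop folders from the article, matched against the file's parent
# directory only (files created directly in the folder, not in subfolders).
DROP_DIR = re.compile(
    r"c:\\users\\[^\\]+\\appdata(\\(local|roaming))?|c:\\windows(\\temp)?"
)

# Assumption: a stock Windows install ships notepad.exe directly in
# C:\Windows, so that one path is not flagged on its name alone.
EXPECTED = {r"c:\windows\notepad.exe"}


def is_decoy_candidate(path: str) -> bool:
    """True if path is a system-looking name placed in a listed drop folder."""
    p = PureWindowsPath(path)
    if str(p).lower() in EXPECTED:
        return False
    name_hit = (p.stem.lower() in DECOY_STEMS
                and p.suffix.lower() in DECOY_SUFFIXES)
    return name_hit and DROP_DIR.fullmatch(str(p.parent).lower()) is not None


def triage(listing):
    """Return the lines of a file listing that deserve a closer look."""
    paths = (line.strip() for line in listing)
    return [p for p in paths if p and is_decoy_candidate(p)]


# Constructed sample listing (shaped like `dir /s /b` output), not telemetry.
SAMPLE = r"""
C:\Users\alice\AppData\Local\notepad.exe
C:\Users\alice\AppData\Roaming\update
C:\Windows\Temp\setup.exe
C:\Windows\notepad.exe
C:\Windows\System32\notepad.exe
C:\Users\alice\AppData\Local\Temp\setup.exe
C:\Users\alice\Documents\patch.docx
C:\Users\alice\AppData\patch.EXE
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE.splitlines()):
        print("review:", hit)
```

A hit is a lead for review, not a verdict: confirm it by checking the file's digital signature and creation time before acting on it.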
Fsociety is reportedly a variant of the EDA2 project. That is to say, Fsociety is based on code from EDA2 and is not a 100% original work. Another project, called the Shark ransomware project, also surfaced recently.
After Fsociety infects your computer, it’ll start searching for particular files to encrypt. The virus targets files of the following types:
“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
Once the files are encrypted, the cyber criminals will hold the key to their decryption. They promise to give it to you if you pay them enough money, but there’s nothing that obligates them to keep their promise. If your computer gets infected by the Fsociety virus, it’ll be best to try to solve the problem by other means before paying the crooks.
Ransomware naming and Fsociety
While ransomware viruses are an awful trend on the Web, at least some of the crooks have an original way of naming their viruses. Fsociety is an interesting example, but other, more extreme cases include the Bart virus and the Hitler virus. Another virus that’s named after a currently hot property is the Pokemon Go ransomware that our team reported on recently.