{
	"id": "25170128-c060-47ea-b2c0-57d102c04cfc",
	"created_at": "2026-04-06T01:30:58.551781Z",
	"updated_at": "2026-04-10T03:20:39.125863Z",
	"deleted_at": null,
	"sha1_hash": "f5abd327a80cd305727fd3006d65658ba46003e8",
	"title": "New FuxSocy Ransomware Impersonates the Notorious Cerber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3981984,
	"plain_text": "New FuxSocy Ransomware Impersonates the Notorious Cerber\r\nBy Lawrence Abrams\r\nPublished: 2019-10-25 · Archived: 2026-04-06 00:33:38 UTC\r\nA new ransomware has been discovered called FuxSocy that borrows much of its behavior from the notorious and now-defunct Cerber Ransomware.\r\nDiscovered by MalwareHunterTeam, this ransomware calls itself FuxSocy Encryptor, which is named after the FSociety\r\nhacking group in the Mr. Robot television series.\r\nLike any other ransomware, FuxSocy will encrypt a victim's files and then demand a ransom in order to get a decryptor. \r\nhttps://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/\r\nPage 1 of 8\n\nWhat is interesting about this ransomware, though, is that the developers decided to model it after the Cerber Ransomware\r\nby adopting its outward appearance as well as some of the internals.\r\nSimilarities to Cerber\r\nWhen analyzed by reverse engineer Vitali Kremez, the researcher told BleepingComputer he noticed that some of the\r\nransomware internals are similar to those used by Cerber.\r\nFor example, when encrypting files FuxSocy will skip files whose file path contains certain strings. 
Many of the strings are\r\ntaken directly from Cerber, which used the same exception list, with FuxSocy adding some additional ones.\r\nThe full list of bypassed folders is below:\r\n*:\\$getcurrent\\*\r\n*:\\$recycle.bin\\*\r\n*:\\$windows.~bt\\*\r\n*:\\$windows.~ws\\*\r\n*:\\boot\\*\r\n*:\\documents and settings\\all users\\*\r\n*:\\documents and settings\\default user\\*\r\n*:\\documents and settings\\localservice\\*\r\n*:\\documents and settings\\networkservice\\*\r\n*:\\intel\\*\r\n*:\\msocache\\*\r\n*:\\perflogs\\*\r\n*:\\program files (x86)\\*\r\n*:\\program files\\*\r\n*:\\programdata\\*\r\n*:\\recovery\\*\r\n*:\\recycled\\*\r\n*:\\recycler\\*\r\n*:\\system volume information\\*\r\n*:\\temp\\*\r\n*:\\tmp\\*\r\n*:\\windows.old\\*\r\n*:\\windows10upgrade\\*\r\n*:\\windows\\*\r\n*:\\winnt\\*\r\n*:\\.*\\*\r\n*\\appdata\\local\\*\r\n*\\appdata\\locallow\\*\r\n*\\appdata\\roaming\\*\r\n*\\local settings\\*\r\n*\\public\\music\\sample music\\*\r\n*\\public\\pictures\\sample pictures\\*\r\n*\\public\\videos\\sample videos\\*\r\n*\\tor browser\\*\r\n.txt\r\n.jpg\r\nLike Cerber, FuxSocy will also prioritize certain folders to make sure they get encrypted. The list of priority folders is:\r\nbitcoin\r\nexcel\r\nmicrosoft sql server\r\nmicrosoft\\excel\r\nmicrosoft\\microsoft sql server\r\nmicrosoft\\office\r\nmicrosoft\\onenote\r\nmicrosoft\\outlook\r\nmicrosoft\\powerpoint\r\nmicrosoft\\word\r\noffice\r\nonenote\r\noutlook\r\npowerpoint\r\nsteam\r\nthe bat!\r\nthunderbird\r\nword\r\nautodesk\r\nsolidworks*\r\nOpenSCAD\r\nIn addition, FuxSocy also scrambles the file names and extensions of encrypted files in a manner similar to Cerber.\r\nEncrypted FuxSocy Files\r\nFinally, after encrypting a computer the Windows desktop background will be changed to a background almost identical\r\nto the one originally used by Cerber. 
\r\nFuxSocy Desktop Background\r\nSo what has changed?\r\nWhile outwardly FuxSocy looks very similar to Cerber, there are also quite a few differences.\r\nFor example, FuxSocy attempts to more extensively block users from running the ransomware on a virtual machine by\r\nlooking for the following processes, files, and named pipes:\r\nprl_cc.exe\r\nprl_tools.exe\r\nvboxservice.exe\r\nvboxtray.exe\r\nVMSrvc.exe\r\nVMUSrvc.exe\r\nvmtoolsd.exe\r\nvmwaretray.exe\r\nvmwareuser.exe\r\nVGAuthService.exe\r\nvmacthlp.exe\r\nxenservice.exe\r\nqemu-ga.exe\r\n\\\\.\\VBoxMiniRdrDN\r\n\\\\.\\VBoxGuest\r\n\\\\.\\pipe\\VBoxMiniRdDN\r\n\\\\.\\VBoxTrayIPC\r\n\\\\.\\pipe\\VBoxTrayIPC\r\n\\\\.\\HGFS\r\n\\\\.\\vmci\r\nsystem32\\drivers\\VBoxMouse.sys\r\nsystem32\\drivers\\VBoxGuest.sys\r\nsystem32\\drivers\\VBoxSF.sys\r\nsystem32\\drivers\\VBoxVideo.sys\r\nsystem32\\vboxdisp.dll\r\nsystem32\\vboxhook.dll\r\nsystem32\\vboxmrxnp.dll\r\nsystem32\\vboxogl.dll\r\nsystem32\\vboxoglarrayspu.dll\r\nsystem32\\vboxoglcrutil.dll\r\nsystem32\\vboxoglerrorspu.dll\r\nsystem32\\vboxoglfeedbackspu.dll\r\nsystem32\\vboxoglpackspu.dll\r\nsystem32\\vboxoglpassthroughspu.dll\r\nsystem32\\vboxservice.exe\r\nsystem32\\vboxtray.exe\r\nsystem32\\VBoxControl.exe\r\nsystem32\\drivers\\vmmouse.sys\r\nsystem32\\drivers\\vmhgfs.sys\r\nsystem32\\drivers\\vm3dmp.sys\r\nsystem32\\drivers\\vmci.sys\r\nsystem32\\drivers\\vmmemctl.sys\r\nsystem32\\drivers\\vmrawdsk.sys\r\nsystem32\\drivers\\vmusbmouse.sys\r\nAnother strange feature is that the FuxSocy Encryptor does not encrypt the entire file.\r\nAccording to Michael Gillespie, the ransomware will start encrypting files at 0x708 bytes, which for the most part will make\r\ndocuments unusable.\r\nPartially Encrypted Image\r\nSome 
image files, though, will have their unencrypted regions viewable as shown below, with the rest being corrupted.\r\nCorrupted Image File\r\nFinally, the ransom notes are different, with Cerber using a Tor payment site, while FuxSocy asks you to contact them via the\r\nToxChat messaging app.\r\nFuxSociety Ransom Note\r\nWhile the similarities and differences are interesting, ultimately both ransomware infections do the same thing. They encrypt\r\nyour data and make you pay a ransom to get your files back.\r\nUnfortunately, at this time preliminary research of this ransomware indicates that the ransomware cannot be decrypted for\r\nfree. It is advised that any victims restore their files from backup rather than paying the ransom.\r\nUpdate 10/28/19: Made a correction that some of the folders we stated were bypassed are actually given prioritized\r\nencryption.\r\nSource: https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/"
	],
	"report_names": [
		"new-fuxsocy-ransomware-impersonates-the-notorious-cerber"
	],
	"threat_actors": [],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f5abd327a80cd305727fd3006d65658ba46003e8.pdf",
		"text": "https://archive.orkl.eu/f5abd327a80cd305727fd3006d65658ba46003e8.txt",
		"img": "https://archive.orkl.eu/f5abd327a80cd305727fd3006d65658ba46003e8.jpg"
	}
}