In a curious case of life imitating art, a new ransomware variant inspired by the popular TV show, Mr. Robot, has emerged. The critically acclaimed show focuses on a fictional group of political hacktivists, and follows a young cybersecurity engineer called Elliot Alderson who suffers from social anxiety disorder and forms connections through hacking. The paranoid antihero leader of the group is known as Mr. Robot, who leads an underground hacker society named (you’ve guessed it) FSociety.
In the Season 2 premiere, FSociety uses ransomware, based on Cryptowall, to lock an evil corporation out of their systems. The eventual aim of the hacker group is to erase all consumer debts by attacking the mega-corporation E-Corp and destroying all of their data. The anti-consumerist and anti-establishment spirited show has become very popular with the cybersecurity community due to its accuracy in portraying the world of hacking and cybercrime. The show even won an award at the 2016 Black Hat security conference due to “the epic achievement of actually getting things right” when it comes to its portrayal of the IT world and hacking.
While the hacks portrayed in the show may be fictional, the growing scourge of ransomware is real. Not a day goes past without an announcement by the media that yet another company, bank, or service provider has been hit and had their critical files locked up by cybercriminals. Private individuals are targets too, with an estimated $200 million in payouts made to malware authors in the first half of 2016 alone. Once infected by ransomware, the user’s data is usually only recoverable by paying a ransom, often charged in non-traceable bitcoin. And if the malware author’s coding is sloppy or the ransomware is active but abandoned, chances of data recovery are slim to none.
Meet FSociety, a Ransomware Based on the EDA2 Project
Unfortunately, the above may be true with the newly discovered FSociety ransomware. FSociety is an embryonic ransomware variant that is likely either a show-themed prank, or something more malicious that is still gestating. Discovered on August 18, 2016 by security researcher Michael Gillespie and christened FSociety by Lawrence Abrams, owner of Bleeping Computer, the budding FSociety ransomware is based on EDA2, which is open source code for creating ransomware.
Originally developed as an educational tool by Turkish security researcher Utku Sen and posted on GitHub, the web-based Git repository hosting service, EDA2 was Sen’s second project after his first open source software contribution, Hidden Tear. Both projects were allegedly created and posted for purely educational purposes, as evidenced by the disclaimer Sen left on the site hosting the code (see screenshot below). However, as word of the freebie code spread, gleeful wannabe malware authors descended in droves and pounced on the code, using it to form the basis of new and deadly malware such as CryptXXX and Locky.
Hidden Tear, the more complete software developed by Sen, uses AES encryption to encrypt the user’s files, then displays a ransom note letting users know how to get their files back by paying a ransom to a specific email address. EDA2 was also initially posted to GitHub, but is now marked as an ‘abandoned project’. This is apparently as the result of a blackmail attempt against the developer by hackers who had used his code to develop their own ransomware, and then decided they wanted the original online free code removed, presumably either to deter competition or to thwart security researchers.
Figure 1: EDA2 Hosting Page Disclaimer
Sen recently inserted security flaws into both Hidden Tear and EDA2 to foil any future cybercriminals who decided to use his proof-of-concept ransomware. Unfortunately, with EDA2, Sen made an error when developing the code, meaning that in many cases the victim’s files could not be recovered at all. This error appears to have made its way into the FSociety ransomware, which as of the time of writing, has limited functionality and no way for any infected users to recover their files. However, this may change in the future if the malware author decides to fix the code.
Unluckily for the user, with the FSociety ransomware variant, there is no ransom note or contact email address to pay the ransom or engage with the malware author. Users are on their own, and if unfamiliar with ransomware, they may just be confused and left with no way forward. The attack is currently limited to a test folder on the user’s desktop, and the sole purpose of the infection appears to be to display the FSociety logo on the victim’s desktop. It is possible that the ransomware was created simply to pay homage to the show and create a little mayhem in its wake. This assumption may change in future as this variant evolves.
Security researchers theorize that the malware was most likely uploaded to an online multi-engine virus scanner in order to test the code against a number of participating brand-name AV vendors.
Under the Hood of FSociety Ransomware
While it is generally agreed that FSociety is unfinished malware, Cylance security researchers took a quick peek under the hood, just to see what is going on. The first thing we noticed is that there is no code obfuscation for FSociety. The coding is .net and can be seen with any .net decompiler. The code uses AES encryption with really poor salt, and posts the decryption key (private key) to the C2 server.
Figure 2: A Peek Under the Hood of FSociety Ransomware
Figure 3: Fake PDF Icon Hides FSociety’s .exe File
Figure 4: AES Encryption Key
Figure 5: Posting HostInformation to C2
Figure 6: FSociety Encryption Method
Figure 7: File and Directory Transversal
Figure 8: The Salt FSociety Uses for Encryption
Figure 9: The Ransomware Gets its Wallpaper From imgur (imgur.com/PNZaSrX.jpg)
Figure 10: FSociety Ransomware Logo – Copied From the Show ‘Mr. Robot’
Figure 11: The GET Request for the Iconic Wallpaper
As of the date of writing this (9/1/2016), FSociety only encrypts files in a directory named ‘test’ on the desktop. (C:\Users\[username]\Desktop\test\). The ransomware currently locks document and picture files, including the following popular file types:
.txt, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .odt, .jpg, .png, .csv, .sql, .mdb, .sln, .php, .psp, .aspx, .html, .xml, .psd
Figure 12: Encrypting Files and Appending “.locked”
Figure 13: Array of Filetypes FSociety Will Encrypt
Figure 14: Files Before They Were Locked by FSociety Ransomware
Figure 15: Files That Have Been Locked by FSociety Ransomware
FSociety: Real Threat or Viral Marketing for Mr. Robot?
While FSociety ransomware is not currently much of a threat due to the early stage of its development, there is a chance that might change in future if the author finishes the code and adds in traditional ransomware features such as full encryption capabilities, a ransom demand note and so on. For a really determined malware author, the sky is the limit insofar as developing and releasing FSociety into the wild.
However, one idea making the rounds in the speculative cybersecurity journalism circuit this week is the thought that maybe, just maybe, the malware author – perhaps a fan of the show - released this ‘teaser’ snippet of code to garner publicity for the series. With ransomware such a hot topic right now, malware researchers are constantly on guard for new uploads of ransomware to multi-engine scanning platforms. Any malware that purports to be based on a fictional ransomware publicized via a popular show is bound to be caught, analyzed, and written about in the security press.
It is doubtful in today’s litigious society whether anyone officially connected with the show would risk the show’s reputation and the studio’s finances by deliberately messing with the innocent home user’s data, but as the malware author remains as yet unidentified, that question will most likely remain in the realm of speculation.
FSociety Ransomware vs. CylancePROTECT
We tested our endpoint security product, CylancePROTECT, against a live sample of FSociety ransomware. CylancePROTECT uses artificial intelligence and math-based machine learning to stop threats dead, pre-execution.
We started by extracting the ransomware file onto the desktop to be analyzed. As you can see in the video below, the file was immediately detected as being malicious by the CylancePROTECT agent. CylancePROTECT instantly removed the file from the desktop and placed it in quarantine, pre-execution.
By reviewing the Events and Threats tab, we can see that the threat has been detected and blocked and the endpoint protected from the ransomware.
Figure 16: A Sample of FSociety Ransomware is
Extracted and Placed on the Desktop
Figure 17: CylancePROTECT Instantly Detects and
Quarantines the Ransomware, Pre-execution
Figure 18: By Reviewing the Events and Threats Tab, We See the Threat is Safely Quarantined
Our malware researchers here at Cylance have made a short video showing CylancePROTECT detecting and quarantining a live sample of the FSociety ransomware:
VIDEO: CylancePROTECT vs. FSociety Ransomware
Indicators of Compromise (IOCs):