New FSociety Ransomware pays homage to Mr. Robot


Crooks hijack the FSociety brand for a lame ransomware. Fans of the Mr. Robot TV show would be glad to know that real-life crooks are taking inspiration from the TV series, and are now using the FSociety name and logo to develop a ransomware around this brand.

Mr. Robot is a USA Network TV show that revolves around the life of Elliot, a talented security engineer who has an alter ego as Mr. Robot, the leader of the FSociety hacking crew.

The show, which deals with a lot more than hacking, got off to a spectacular start, winning a Golden Globe for Best Television Series – Drama for its first season.

Mr. Robot TV show dealt with ransomware at the start of season 2

The show is now well embedded in the infosec community, which respects the accuracy with which it depicts hacks and technical details so much that it nominated Marc Rogers, the security expert consulting on the show, for a Pwnie Award for Epic Achievement at this year’s Black Hat security conference.

In the season two opening episodes, FSociety launched a ransomware attack against ECorp, the giant multinational they’re trying to take down. That particular ransomware used in the show looked more like a modified CryptoWall ransom screen.

Real-life FSociety ransomware is at a pre-alpha stage

Today, security researcher Michael Gillespie discovered a ransomware variant, albeit still in development, that used the FSociety logo as its ransom screen.

According to Lawrence Abrams of Bleeping Computer, the ransomware is in its very, very, very early stages of development.

At this point, the FSociety ransomware, as it was obviously named, uses a basic encryption scheme to lock a few files, and then does nothing other than show a ransom note that features the FSociety logo. No text, no ransom fee, no explanation, nothing else.

FSociety ransomware is not even original, based on EDA2

A closer look at the source code reveals that this is another ransomware variant developed on EDA2, a ransomware building toolkit that contains a backdoor in its server-side component, which allows security researchers to recover data from the C&C servers.

The EDA2 ransomware kit was released in 2015 but was taken down by its creator in early 2016, after a famous fiasco. Since then, other crooks have used it to create different ransomware brews, but nothing as professional as the big ransomware names such as Locky, Cerber, CryptXXX, or others.

EDA2 locks each file individually with an AES key, then takes this encryption key and encrypts it with a two-key RSA algorithm, with one key stored locally and the other on the crook’s server.

At this point, the real-life FSociety ransomware has a long way to go to reach the effectiveness of the movie version of the FSociety ransomware.

FSociety ransomware depicted in the Mr. Robot TV show
