Dharma – Gridinsoft Blog
https://gridinsoft.com/blogs
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Last updated: Mon, 03 Mar 2025 19:51:44 +0000

Fox Ransomware
https://gridinsoft.com/blogs/fox-ransomware/
Mon, 03 Mar 2025 19:19:55 +0000

The post Fox Ransomware appeared first on Gridinsoft Blog.

Fox Ransomware is believed to be a variant of the Dharma family, a notorious ransomware actor that encrypts user files and demands payment for decryption. The files affected by this virus are recognizable by the .FOX extension that the malware appends to every single one of them. This malware can severely disrupt personal and organizational data access, often targeting systems with weak security.

Fox Ransomware Overview

Fox Ransomware is categorized as a member of the Dharma family, a prominent ransomware lineage first noted in 2016. It is known for its evolution into Ransomware-as-a-Service (RaaS) models. This family is notorious for encrypting both local and network-shared files. It also disables system firewalls and deletes Volume Shadow Copies to hinder recovery efforts. Fox, specifically, is designed to lock user files, demanding a ransom for decryption, and can cause significant data loss and financial impact.

The Dharma family’s characteristics include manual installation via RDP compromise, often targeting small and medium-sized businesses. Its variants, including Fox, are distributed through brute-force attacks on port 3389. This manual distribution method, unlike automated spam emails, highlights the targeted nature of these attacks: the operators abuse exposed remote access services to gain unauthorized access.

How Does It Work?

Fox ransomware’s infection vector primarily involves manual intrusion through compromised RDP connections. Attackers scan the internet for computers with open RDP, typically on TCP port 3389, and attempt to brute-force passwords. Once access is gained, the malware is installed and begins encrypting files. It uses a combination of AES-128 and RSA-2048 algorithms, ensuring strong encryption that is nearly impossible to break without the unique decryption key, which is stored on a remote server.

[Screenshot: files locked by Fox ransomware]

The encryption process involves renaming files, with Fox appending the .FOX extension. For example, a file named “document.pdf” would be renamed to “document.pdf.FOX”. Fox ensures persistence by copying itself to the %LOCALAPPDATA% directory and registering with Windows Registry Run keys. It also enumerates file locations and may exclude predefined paths from encryption. Because this thorough enumeration makes the encryption process relatively slow, the activity is easier to spot while it is still running. However, by the time it is noticed, significant damage may already be done.

Ransom Note Overview

The ransom note for Fox ransomware is typically named #FOX_README#.rtf and is placed on the desktop, a common tactic within the Dharma family to ensure visibility. This note contains contact emails such as PabFox@protonmail.com, FoxHelp@cock.li, and FoxHelp@tutanota.com. It instructs victims that their files are encrypted with AES-128+RSA-2048 and demands payment, usually in Bitcoins, Monero, or other cryptocurrencies.

[Screenshot: Fox Ransomware ransom note]

The ransom typically ranges from $500 to $1500, though exact amounts are provided via email. The note often sets a deadline, threatening data deletion if payment is not made within a specified period. This approach aligns with the Dharma family’s tactics, where ransom notes vary by strain but consistently aim to extort money by leveraging fear and urgency. The use of multiple contact emails suggests a network of operators, potentially affiliates within the RaaS model, enhancing the family’s reach and profitability.

How to Remove Virus?

As with other serious malware, removing Fox Ransomware requires a comprehensive approach. The first step is to isolate the infected system by disconnecting it from the network or booting Windows into Safe Mode. This prevents lateral movement and additional encryption, limiting the ransomware’s spread. Next, use GridinSoft Anti-Malware to detect and remove the threat in one go, with a guarantee that it will not return. Download it by clicking the banner below and run a Full scan, so the program inspects the system down to the most remote corner.


After the attack, I would recommend keeping GridinSoft Anti-Malware on the device with its proactive protection enabled. This will ensure an immediate reaction to any suspicious activity in your system. Keep all your software up to date: ransomware actors often use exploits to infect systems and networks, and updates often contain fixes for important flaws that you should not miss.

Can I Recover Encrypted .FOX Files?

File recovery for Fox ransomware victims depends on pre-existing measures and post-infection options. Without backups, recovery is challenging, as there are no known public decryption tools for Fox (Dharma) Ransomware. Some antivirus vendors offer decryption tools for specific ransomware families, but these are not guaranteed for Fox.

Paying the ransom is strongly discouraged: research shows that criminals often ignore victims after payment, so paying may yield nothing and amounts to being scammed. It fails to guarantee file recovery, carries the risk that the attackers never provide the decryption key, and fuels further criminal activity; refusing to pay aligns with the cybersecurity best practice of not funding cybercrime.

The most reliable method is restoring files from backups, provided they are stored securely off-site and not accessible to the malware during infection. Regular backups, maintained on remote servers or unplugged storage devices, are critical, as the malware can encrypt backups if stored locally.

Hunt Ransomware (bughunt@keemail.me)
https://gridinsoft.com/blogs/hunt-ransomware/
Sat, 06 Apr 2024 15:15:00 +0000

Hunt ransomware is a new sample of the Dharma/CrySis ransomware family that appeared on April 5, 2024. This malware aims at encrypting files and demanding a ransom payment for their decryption. It indiscriminately targets both home users and corporations, adjusting the ransom depending on the target. Jakub Kroustek was the first to discover this malware.

Ransomware remains a major threat, attacking both organizations and individuals. GridinSoft Anti-Malware provides excellent protection even against the most modern malware samples. 👉🏼 Get yourself proper ransomware protection

What is Hunt Ransomware (bughunt@keemail.me)?

As I’ve said in the introduction, Hunt is a new sample of the Dharma ransomware family, and as such it follows the family’s behavior patterns. The most noticeable one for the victim is the complex extension it applies, which contains the victim’s ID, the contact email (bughunt@keemail[.]me) and the .hunt extension itself. After encryption the files look like the examples below:

image.png → image.png.id-C3B22A85.[bughunt@keemail.me].hunt
document.docx → document.docx.id-C3B22A85.[bughunt@keemail.me].hunt

[Screenshot: encrypted files after the Hunt ransomware attack]

Hunt ransomware goes through the entirety of the user’s disks, searching for files it can encrypt. It is capable of ciphering the vast majority of them, from images and videos to project files of specific software suites. However, this malware carefully avoids system files – probably to prevent system malfunctions that could force the user into reinstalling the system.

Before applying the encryption, this malware disables built-in Windows backup options, such as Restore Points and Shadow Copies. They are useful for reverting the system to its pre-encryption state, so this step is expected. Hunt ransomware uses the command shown below to accomplish this.

vssadmin delete shadows /all /quiet
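Because this command runs before the encryption starts, a process-creation event carrying it is one of the earliest signals a defender gets. The following detection logic is an added example, not code from the original post: it scans constructed process-creation log lines (a simple pipe-separated format assumed here) for vssadmin shadow-copy deletion and rates each hit by the parent process that launched it.

```python
import re

# Case-insensitive: "vssadmin" or "vssadmin.exe" (optionally quoted or with a
# path in front), then "delete", then "shadows"; tolerant of spacing/quoting and
# of the exact argument mix (/all, /for=C:, /quiet ...).
SHADOW_DELETE_RE = re.compile(
    r"(^|[\\\s\"'])vssadmin(\.exe)?[\"']?\s+delete\s+shadows\b",
    re.IGNORECASE,
)

# Parents under these prefixes (lower-case) are treated as "ordinary" launchers;
# anything else, e.g. a binary in a user-writable folder, is rated high.
TRUSTED_PARENT_PREFIXES = ("c:\\windows\\", "c:\\program files")


def is_shadow_copy_deletion(cmdline):
    """True if the command line deletes Volume Shadow Copies via vssadmin."""
    return SHADOW_DELETE_RE.search(cmdline) is not None


def parse_event(line):
    """Parse one constructed log line: 'time|host|user|parent_image|cmdline'."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "user", "parent", "cmdline"), parts))


def scan_process_log(lines):
    """Return one alert per event that deletes shadow copies.

    Severity: 'high' when the parent is not a Windows/Program Files binary
    (the shape a ransomware payload produces), 'medium' otherwise (an
    administrator in a shell may legitimately run the same command).
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_shadow_copy_deletion(ev["cmdline"]):
            continue
        trusted = ev["parent"].lower().startswith(TRUSTED_PARENT_PREFIXES)
        alerts.append({
            "time": ev["time"],
            "host": ev["host"],
            "user": ev["user"],
            "parent": ev["parent"],
            "severity": "medium" if trusted else "high",
            "cmdline": ev["cmdline"],
        })
    return alerts


# Constructed sample events (time|host|user|parent_image|cmdline), not real telemetry.
SAMPLE_LOG = [
    "2024-04-05T10:12:01Z|WS-07|CORP\\jdoe|C:\\Windows\\explorer.exe|"
    "\"C:\\Windows\\System32\\notepad.exe\" notes.txt",
    "2024-04-05T10:13:44Z|WS-07|CORP\\jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\payload.exe|"
    "vssadmin delete shadows /all /quiet",
    "2024-04-05T11:02:10Z|SRV-01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|"
    "\"C:\\Windows\\System32\\vssadmin.exe\" Delete Shadows /For=C: /Quiet",
    "2024-04-05T11:05:00Z|SRV-01|CORP\\admin|C:\\Windows\\System32\\cmd.exe|"
    "vssadmin list shadows",
]

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['time']} {a['host']} {a['user']} "
              f"parent={a['parent']}: {a['cmdline']}")
```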

After finishing the encryption (i.e. once it can’t find any more unencrypted files), Hunt ransomware drops a text file with a ransom note. It also opens an HTA file with more detailed information about what has happened and instructions for the ransom payment. You can see an example of this pop-up window below.

[Screenshot: Dharma pop-up ransom message]

How to Decrypt .hunt Files?

There is no dedicated decryption utility for Hunt ransomware available at the moment. This malware uses strong encryption algorithms, so brute force would take a gazillion years. However, not everything is lost: tools that exploit flaws in the encryption implementation may appear, or law enforcement may take the ransomware down and release the decryption keys. During the first quarter of 2024, several decryption tools were released, so the chances are not that slim.

For now, I can advise you to seek backups outside of the infected system. Cloud storage may still hold the files this malware damaged in the attack. Places like social media, email conversations and messengers may contain the originals of the files, too. Even though they may not contain the latest changes, it is better than nothing.

How to Remove Ransomware?

To get rid of the ransomware, I recommend using GridinSoft Anti-Malware. This step is incredibly important to do before performing any attempts to recover the files. The malware remains active and will instantly encrypt any fresh files. To prevent this and get rid of the infection, run a Full Scan with the GridinSoft program and clean all the detected malicious programs.


MrB Ransomware (.mrB Files) – Analysis & File Decryption
https://gridinsoft.com/blogs/mrb-ransomware/
Wed, 21 Feb 2024 23:10:26 +0000

MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for applying a complex extension to the encrypted files that ends up with “.mrB”. This ransomware primarily attacks small corporations and asks the ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this ransomware sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts, consisting of the victim ID, the contact email and the extension itself. As a result, an encrypted file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

[Screenshot: files encrypted by mrB ransomware]

MrB ransomware encrypts a wide range of file formats, from images and documents to files of specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

[Screenshot: mrB ransomware pop-up note]

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Flaws in early Dharma samples were used to build a decryptor, but those flaws were fixed, so it is not effective nowadays. Options you can find online, like “professional hackers” or file recovery services, will at best act as a medium between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when the ransomware’s servers are seized. It may sound unlikely to happen, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope – and you may get the files back.

File recovery options

For now, your best option for mrB ransomware file recovery is to search for possible backups. Social networks and email messages can serve as such – we usually overlook them for this purpose. Places like removable drives, NAS, or even your smartphone, where you could have accidentally copied the files, may hold unencrypted copies. Even an older version of the file is better than nothing.

How to Remove mrB Ransomware?

One more important thing you should do before any file recovery operations is ransomware removal. Viruses like mrB ransomware do not cease to exist once the encryption is over. They keep idling in the background, waiting for new unencrypted files to appear. Therefore, it is essential to get rid of the infection before you take any further actions.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Effective and easy-to-use, this program will easily repel this malware and fix all the damage it dealt to the system. Just run a Full scan, wait until it finishes, and remove all the detected things. Further, with its proactive protection, you will never get infected with ransomware again.


SYSDF Ransomware (.SYSDF Files) – Malware Analysis & Removal
https://gridinsoft.com/blogs/sysdf-ransomware/
Sat, 17 Feb 2024 09:15:18 +0000

SYSDF is a ransomware-type program that belongs to the Dharma malware family. Such malicious software aims mainly at small companies, encrypting their files and then demanding a ransom payment for decryption. It was originally discovered by Jakub Kroustek on February 16, 2024.

What is SYSDF Ransomware?

SYSDF ransomware is yet another example of Dharma ransomware, a malware family active since 2016. First detected on February 16, it appends its unique SYSDF extension to the files, along with a complex mask carrying the attack information. The latter includes the victim ID and the contact email the victim is supposed to reach the hackers at. Following the encryption, the files look like this:

Image1.png → Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF
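The renaming patterns quoted in this write-up and in the Hunt and mrB write-ups above share one layout: original name, an 8-hex-digit victim ID, the contact email in square brackets, and the variant’s extension. The parser below is an added example (not code from Gridinsoft or from the malware) that a defender can run over a directory listing to recover those fields and group files by campaign; the sample listing, the plain-extension list and the defanged-address handling are constructed assumptions.

```python
import re
from collections import defaultdict

# Dharma-family layout as shown on the page:
#     <original>.id-<8 hex victim ID>.[<contact email>].<extension>
# e.g. image.png.id-C3B22A85.[bughunt@keemail.me].hunt
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                  # shortest match: first ".id-" starts the suffix
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>.+)\]"                 # greedy, so a defanged "tuta[.]io" survives
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Variants that append only a bare extension (Fox uses ".FOX"); constructed list.
PLAIN_EXTENSIONS = ("FOX",)


def parse_dharma_name(filename):
    """Split a Dharma-style file name into its parts, or return None."""
    m = DHARMA_NAME_RE.match(filename)
    if m is None:
        return None
    parts = m.groupdict()
    # Write-ups defang addresses as "tuta[.]io"; normalise before reporting.
    parts["email"] = parts["email"].replace("[.]", ".")
    return parts


def has_plain_extension(filename):
    """True if the file ends with one of the known bare ransomware extensions."""
    return "." in filename and filename.rsplit(".", 1)[-1].upper() in PLAIN_EXTENSIONS


def triage(filenames):
    """Group a listing into campaigns, plain-extension hits and untouched files.

    A campaign key is (victim ID, contact email, extension): the same ID on
    many hosts points to one intrusion, and the email identifies the affiliate.
    """
    campaigns = defaultdict(list)
    plain, untouched = [], []
    for name in filenames:
        p = parse_dharma_name(name)
        if p:
            campaigns[(p["victim_id"], p["email"], p["ext"])].append(p["original"])
        elif has_plain_extension(name):
            plain.append(name)
        else:
            untouched.append(name)
    return {"campaigns": dict(campaigns), "plain": plain, "untouched": untouched}


# Constructed listing: the page's examples plus two clean files.
SAMPLE_LISTING = [
    "image.png.id-C3B22A85.[bughunt@keemail.me].hunt",
    "document.docx.id-C3B22A85.[bughunt@keemail.me].hunt",
    "Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB",
    "Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF",
    "document.pdf.FOX",
    "budget.xlsx",
    "README!.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for (vid, email, ext), files in result["campaigns"].items():
        print(f"victim {vid} contact {email} ext .{ext}: {len(files)} file(s)")
    print("plain-extension hits:", result["plain"])
```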

Upon finishing the encryption, the malware creates its README!.txt file in each folder that contains encrypted files, and also on the desktop. Additionally, the malware drops and opens a file named info.hta, which serves as a notification to the victim. Below, you can see the messages from both ransom notes.

[Screenshot: SYSDF ransomware pop-up note]

Text in the README!.txt ransom note:

Your data has been stolen and encrypted!

email us

Dec24hepl@aol.com or Dec24hepl@cyberfear.com

How to Recover .SYSDF Files?

Unfortunately, there are no options for Dharma ransomware decryption available at the moment. The majority of file recovery services from “certified hackers” you can find online will in fact only arrange negotiations with the cybercriminals. Paying them is not a great idea, as this motivates them to continue the attacks. Losing the files is unpleasant, that is for sure, but as statistics show, there are quite a few opportunities to get them back.

File recovery options

Try searching for backups or file duplicates stored away from the affected system or network. Even a past version of the file is better than nothing at all. Aside from backups, there is reasonable hope for ransomware decryptors that exploit vulnerabilities in the encryption mechanism and let you get the files back for free. In January and February 2024, 4 decryptors for different ransomware families were published. Patience is key here, and considering the latest trends, this is becoming a more and more realistic option.

How to Remove Ransomware?

But before you do any file recovery operations, it is important to remove the malware first. It did not disappear after finishing the encryption: SYSDF is still active, looking for new files to cipher. And be sure, it will do so as soon as a fresh unencrypted file lands on the disk.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Its advanced detection techniques along with live database updates allow it to detect even the most recent malware samples. Run a Full scan, wait until it is over, remove the detected stuff – and your system will be ready for any further actions, free of malware.


Dharma Ransomware Criminals Captured in Ukraine, Europol Reports
https://gridinsoft.com/blogs/dharma-ransomware-captured/
Tue, 28 Nov 2023 14:18:54 +0000

On November 28, 2023, Europol claimed successful detainment of ransomware operators, particularly related to Dharma and Hive ransomware. The operation took place in 4 Ukrainian cities, and is most likely a continuation of a similar operation from 2021.

Dharma Ransomware Actors Detained in Ukraine

In the statement on the official website, Europol claimed searches in 30 properties in 4 cities in Ukraine, namely Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the key person of the malware group, and some other actors. Searches also resulted in seizing a huge amount of data related to the criminal activity.

[Photo: Ukrainian Cyberpolice during the searches]

The detained persons are charged with compromising corporate networks in more than 70 countries around the globe and with cryptocurrency laundering. Using phishing, vulnerability exploitation and similar tactics, the hackers penetrated the networks. They then used other tools to expand their presence in the environment and launch the ransomware attack. Overall, the cybercriminals encrypted over 250 servers of different companies, which resulted in multi-million euro losses.

Europol has proven the relationship of the suspects to the Dharma and Hive (now defunct) ransomware groups. The investigation also shows that the hackers were involved in the spread of MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active among the named ransomware, though it remains a minor player in the modern threat landscape.

This operation adds to the list of anti-cybercrime actions that have taken place in Ukraine. Back in 2021, key criminals who stood behind the Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amid the ongoing war, local law enforcement is able to cooperate effectively with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, the physical detainment of cybercriminals took quite some time and required a team of investigators to perform property searches. This has apparently become a rarer practice lately, as law enforcement tends to combat cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of tier 2 command servers of QakBot and to delete the malware from infected devices. The same happened with the IPStorm botnet: the FBI beheaded the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, as it disrupts the malware operations and makes it impossible for the hackers to carry on. At the same time, though, the hackers remain free, and nothing stops them from joining other cybercrime groups. While it decreases activity for a short period, this approach does not make a lot of difference in the long run.


Tycoon ransomware uses exotic JIMAGE format to avoid detection
https://gridinsoft.com/blogs/tycoon-ransomware-uses-exotic-jimage-format-to-avoid-detection/
Mon, 08 Jun 2020 16:10:37 +0000

BlackBerry experts have discovered an unusual multi-platform (for Windows and Linux) ransomware Tycoon. It is written in Java and uses JIMAGE image files to avoid detection.

Researchers believe Tycoon was used for targeted and very rare attacks; the small number of victims and the delivery mechanism used support this theory. The ransomware was clearly intended to attack small and medium-sized enterprises, as well as educational institutions and software developers.

“The use of Java and JIMAGE is unique. Java is very rarely used to write malware for endpoints, since the Java Runtime Environment is required to execute the code. Image files are also rarely used for malware attacks”, — say BlackBerry experts.

In this case, the attack begins quite normally: the initial compromise is carried out through unsafe RDP servers that are “visible” from the Internet. However, the investigation showed that the attackers then use Image File Execution Options (IFEO) injection to ensure a stable presence in the system, launch a backdoor along with the Microsoft Windows On-Screen Keyboard (OSK), and disable anti-virus products using ProcessHacker.

[Figure: Tycoon ransomware infection chain]

Having gained a foothold in the company’s network, attackers launch a ransomware module in Java that encrypts all file servers connected to the network, including backup systems.

The encryptor itself is deployed from a ZIP archive containing a malicious Java Runtime Environment (JRE) build and a compiled JIMAGE image. This format is normally used to store custom JRE images that the Java Virtual Machine loads at runtime. Researchers note that this file format, first introduced along with Java 9, is poorly documented and developers overall rarely use it.

[Figure: contents of the Tycoon JIMAGE archive]

It is also noted that Tycoon deletes the source files after encryption and overwrites them to reliably prevent information recovery. The standard Windows utility cipher.exe is used for this task. In addition, during encryption the malware skips parts of large files to speed up the process, which leaves these files damaged and unusable.

In addition, each file is encrypted using a new AES key. The ransomware uses the asymmetric RSA algorithm to encrypt the generated AES keys, so decrypting the information requires the attacker’s private RSA key.

“However, one of the victims who asked for help on the Bleeping Computer forum published an RSA private key, allegedly obtained from the decryptor, which the victim acquired from the attackers. This key worked successfully to decrypt some files affected by the earliest version of Tycoon ransomware, which added the .redrum extension to encrypted files”, — write the experts, but warn that, unfortunately, for files encrypted with the .grinch and .thanos extensions, this tactic no longer works.

The researchers also identified a possible link between Tycoon and the Dharma/CrySIS ransomware, which, for example, also spread through infected pdf files. Their theory is based on the coincidence of email addresses, the similarity of texts from notes with a ransom demand, as well as the coincidence in the names that are assigned to encrypted files.

Interestingly, the MyKingz botnet uses not exotic image formats but, for example, an image of Taylor Swift to infect target machines.

Dharma ransomware source code put for sale
https://gridinsoft.com/blogs/dharma-ransomware-source-code-put-for-sale/
Mon, 30 Mar 2020 16:40:47 +0000

ZDNet reports that the source code for one of the most profitable ransomware of our time, the Dharma ransomware, was put for sale on two hacker forums last weekend. Sources are sold for $2,000.

Let me remind you that this year the FBI called Dharma the second most profitable ransomware in recent years in its report at the RSA conference. According to it, from November 2016 to November 2019, ransomware operators received $24 million in ransom from their victims.

The most dangerous ransomware last year, I recall, was called Emotet.

“The current sale of the Dharma code is likely to soon result in a leak to the public. That is, the malware will become available to a wider audience. This, in turn, will lead to a wide distribution of source code among many hack groups, and this will ultimately be followed by a surge of attacks”, – ZDNet quotes an unnamed information security expert.

However, the head of the cyber intelligence department at McAfee told ZDNet that the Dharma code has been circulating among hackers for a long time, and now it just arrived on public forums.

[Screenshot: Dharma ransomware source code for sale]

At the same time, the expert expressed the hope that sooner or later the source code will fall into the hands of information security specialists, and this will help to identify the shortcomings of the malware and create decoders.

“Dharma existed since 2016, and the ransomware underlying this malware was originally called CrySiS. It worked on the Ransomware-as-a-Service (RaaS) scheme, that is, other criminals could create their versions of malware to distribute, usually through spam campaigns, exploit kits, or RDP brute force”, – noted ZDNet reporters.

At the end of 2016, a user with the nickname crss7777 posted on the Bleeping Computer forums a link to Pastebin containing master keys from the CrySiS encryptor, which, as experts later established, were genuine. After that, CrySiS ceased to exist, “reborn” as Dharma.

Although Dharma keys suffered the same fate in 2017, this time the ransomware operators did not rebrand and continued to work, eventually turning their RaaS into one of the most popular ransomware on the market.

“So, in recent years, Dharma regularly receives updates. For example, in 2018 and 2019, the criminal underground adapted to new trends and moved from the mass distribution of ransomware through mail spam to targeted attacks on corporate networks. So did the Dharma operators”, – says the ZDNet publication.

It is noted that in the spring of 2019, a new strain of Phobos ransomware appeared on the network, used mainly for targeted attacks. Researchers at Coveware and Malwarebytes have noted that it is almost identical to Dharma. However, at the same time, Dharma did not stop existing and continued to work in parallel with Phobos. For example, Avast experts noticed three new versions of Dharma last week.
