top of page
  • Writer's pictureSecneurX Threat Analysis

What is Fox Ransomware ?

Fox is a ransomware that belongs to the Matrix Ransomware family. Secneurx Analysts found Fox ransomware in the wild and analysed the sample. Fox ransomware encrypts files and appends its extension (".Fox") to filenames. Also, it drops the “#FOX_README#.rtf“ file that contains a ransom note. After executing the Fox ransomware all files and folders got encrypted and appended their filenames with a ".Fox" extension and all documents stored in Desktop their filenames are changed to [PabFox@protonmail.com].Wm5TGGez-hZvY8RD9.FOX.

Screenshot of files encrypted by Fox ransomware



Fox Ransomware Overview

Fox ransomware notes inform victims that their files have been encrypted. It instructs victims that all files are encrypted with AES-128+RSA-2048 crypto algorithms. And also mentioned an email address ("PabFox@protonmail.com,FoxHelp@cock.li, FoxHelp@tutanota.com") and instructed the victim to send mail to above email address within seven days if not all files will deleted automatically and data will not be recovered.


How does ransomware infect my computer?

Malware (ransomware included) is spread using phishing and social engineering tactics. Malicious programs are typically presented as or bundled with ordinary content. Infectious files can be executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), Microsoft Office and PDF documents, JavaScript, and so on. When a virulent file is executed, run, or otherwise opened - the infection process is jumpstarted.


Screenshot of Fox Ransomware Text file (“#FOX_README#.rtf)

Ransomware Note (#FOX_README#.rtf) in Text


HOW TO RECOVER YOUR FILES INSTRUCTION

ATTENTION!!!

 

We are realy sorry to inform you that ALL YOUR FILES WERE ENCRYPTED

by our automatic software. It became possible because of bad server security.


ATENTION!!!

Please don't worry, we can help you to RESTORE your server to original

state and decrypt all your files quickly and safely!

INFORMATION!!!

Files are not broken!!!

Files were encrypted with AES-128+RSA-2048 crypto algorithms.

There is no way to decrypt your files without unique decryption key and special software. Your unique decryption key is securely stored on our server. For our safety, all information about your server and your decryption key will be automaticaly DELETED AFTER 7 DAYS! You will irrevocably lose all your data!

* Please note that all the attempts to recover your files by yourself or using third party tools will result only in irrevocable loss of your data!

* Please note that you can recover files only with your unique decryption key, which stored on our side. If you will use the help of third parties, you will only add a middleman.

HOW TO RECOVER FILES???

Please write us to the e-mail (write on English or use professional translator):

PabFox@protonmail.com

FoxHelp@cock.li

FoxHelp@tutanota.com

You have to send your message on each of our 3 emails due to the fact that the message may not reach their intended recipient for a variety of reasons!


We recommed you to attach 3 encrypted files to your message. We will demonstrate that we can recover your files.

* Please note that files must not contain any valuable information and their total size must be less than 5Mb.

OUR ADVICE!!!

Please be sure that we will find common languge. We will restore all the data and give you recommedations how to configure the protection of your server.

We will definitely reach an agreement ;) !!!

ALTERNATIVE COMMUNICATION

If yоu did nоt rеcеivе thе аnswеr frоm thе аfоrеcitеd еmаils fоr mоrе then 24 hours please sеnd us Bitmеssаgеs frоm а wеb brоwsеr thrоugh thе wеbpаgе https://bitmsg.me. Bеlоw is а tutоriаl оn hоw tо sеnd bitmеssаgе viа wеb brоwsеr:

1. Оpеn in yоur brоwsеr thе link https://bitmsg.me/users/sign_up аnd mаkе thе rеgistrаtiоn bу еntеring nаmе еmаil аnd pаsswоrd.

2. Уоu must cоnfirm thе rеgistrаtiоn, rеturn tо уоur еmаil аnd fоllоw thе instructiоns thаt wеrе sеnt tо уоu.

3. Rеturn tо sitе аnd сlick "Lоgin" lаbеl оr usе link https://bitmsg.me/users/sign_in, еntеr уоur еmаil аnd pаsswоrd аnd click thе "Sign in" buttоn.

4. Сlick thе "Сrеаtе Rаndоm аddrеss" buttоn.

5. Сlick thе "Nеw mаssаgе" buttоn.

6. Sеnding mеssаgе

 

IOC DETAILS

2e4c3ae32372bb1b189665e8e84c13bcc88e7f2c7459f71e075694fd3aaf8376


What can you do to avoid being a ransomware victim?


As dangerous as ransomware is, simply being aware and staying updated with the latest ransomware trends can go a long way in securing your data and systems. Here are helpful tips on how you can defend yourself from a likely attack.


Scrutinize emails & its attachments before opening them


Be wary of emails from unverified sources. You can check by communicating directly with the purported sender to confirm if they sent the messages. To check its validity, you can use SecneurX Sandbox to verify the sanity of the email


Avoid clicking embedded links found in unverified emails


Such social engineering tricks can lead to the download of ransomware. Additionally, be wary of sites that prompt you to enter a CAPTCHA code as this could be linked to a ransomware attack. To check its validity, you can use services like SecneurX Sandbox to verify the reputation of the site.


Back up your important files


While prevention is always better than the cure, having a backup of important files can at least lessen the potential damage done by a ransomware attack. While being locked out of your own system is always a bad thing, at least it's not a total disaster since you can always retrieve your important files. The 3-2-1 backup rule applies here—three backup copies of your data on two different media, and one of those copies in a separate location.


Regularly update software, programs, applications


Updating them to the latest versions can provide an added layer of protection against online threats as some ransomware arrive via vulnerability exploits.


Use a layered protection suite


Doing so can detect threats before they enter your network. Security solutions like SecneurX ATP can block Infectious files (like executables (.exe, .run, etc.), archives (ZIP, RAR, etc.), Microsoft Office and PDF documents, JavaScript, and so on) by scanning them at the point of entry of the organizations (File uploads, USB file transfers etc)

19 views0 comments
bottom of page