A new variant of the Matrix ransomware has surfaced in the wild, dubbed Fox Ransomware. This variant renames encrypted files and then adds the “.FOX” extension to the file name. The attackers crafted the ransomware to ensure that each and every file isn’t already opened to guarantee it is available for encryption. Fox is installed through computers running Remote Desktop Services and is openly connected to the internet. The attackers behind the ransomware will then scan a range of IP addresses in order to find open RDP services and brute force the password. Once the attackers gain access to the computer, the ransomware will manually be installed and display different windows that show the progress of the encryption process. Fox is a very “chatty” ransomware that communicates frequently with its C&C server. When the ransomware is executed, it connects to a C&C server to start logging different stages of the encryption process. During this process, it will communicate with the C2 to provide status updates. The attackers can monitor the progress through two consoles that are open while files are being encrypted. The first window displays the updating status while the second window shows network addresses that were scanned for open shares. Following this, Fox will drop a batch file that attempts to close all open file handles for the file that it’s about to encrypt. According to researchers, this is done by “first removing all attributes from the files, changing permissions, taking ownership, and finally using a renamed version of the Handle.exe program from Sysinternals to close all open handles to the file.” For the files that are encrypted, Fox will execute a batch file on them to encrypt the file. Once the file is encrypted, the ransomware will rename it and change them.FOX extension to the encrypted file’s new name. A file is created for each folder containing a ransom note that includes instructions on how to get in contact with the attacker for payment and decryption. At the end of the encryption stages, a randomly named .vbs file located in the “%AppData%” folder will be launched which will register a scheduled task called DSHCA. This is used to run a batch file with admin privileges to perform a cleanup of the machine and disable different repair features. The batch file is located in the same folder as the .vbs file and will delete shadow volume copies. Because Fox has a slow encryption process, users might be able to detect that they are infected prior to the encryption process being completed. It is unclear who is behind the ransomware, however, users are advised to be cautious when opening files from unfamiliar sources.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased