Re: Linux machine hit by ransomware
On Sun, 2025-07-06 at 20:47 -0600, Rick Macdonald wrote:
> I apologize for the length of this question.
>
> After running Debian for nearly 30 years (and other distros prior to
> that), my Linux server has been hit by a ransomware attack about 11 days
> ago. I have backups, so nothing important has been lost at this point.
> However, I can't figure out how it got in, how it works, if there are
> executables on my computer that need to be cleaned, etc. I believe I
> have been able to stop the attack, by simply fixing permissions on
> directories and files. However, that obviously doesn't remove or block
> the attack from my machine.
>
> When I search for this malware on the web, I find Windows-specific
> discussions. If I'm unable to learn what to do from the folks here,
> suggestions about where to go for information and help would be most
> welcome.
>
< snipped for brevity >
>
> The ransomware notification file:
>
> ATTENTION!
>
> All your files documents, photos, databases and other important files
> are encrypted by FuxSocy encryptor.
> The only method of recovering files is to purchase a private key. It is
> on our server and only we can recover your files.
>
< snipped for safety's sake >
I tried a quick search, too. The dang thing's on GitHub. Looks like
it's 8 years old. Description fits exactly what happened so HOW is it
still online?! Answering myself: Has GitHub gone that far out of style
(out of user favor) that no one thinks to search it anymore?
I'm not going to link directly to its GitHub, either. The user and
project name is "D34thByte/fuxsocy".
I hopped over to Brian Krebs' website, too. His search engine said
there was no reference to fuxsocy:
https://krebsonsecurity.com/?s=FuxSocy
An unrelated blurb in Internet search results said this is a known
ransomware so I'm a little bit surprised to see no mention at Brian's
site. Maybe he wouldn't mind hearing from you about it. Seeking out and
destroying garbage like this is what he does (effectively enough to
find himself threatened on regular occasion).
Best wishes in as complete a recovery as is possible. Sounds like
you've got a good handle on it so far.
Cindy :)
--
Talking Rock, Pickens County, Georgia, USA
* runs with birdseed! *