Dark Web Profile: FSociety (Flocker) Ransomware

FSociety or Flocker ransomware, discovered in 2024, is a relatively new strain operating as Ransomware-as-a-Service (RaaS), enabling cybercriminals to exploit its features without requiring deep technical expertise. Developed by the group, Flocker employs encryption to lock victims’ data, demanding ransoms for its release. The group uses double extortion tactics, threatening to leak sensitive data in addition to encryption. FSociety maintains a Telegram group and an Onion site for communication and operations.

Threat actor card of FSociety

Who is FSociety?

FSociety ransomware has resurfaced as a dangerous Ransomware-as-a-Service (RaaS) operation in 2024, but this is not the first time the name has appeared in the cybercrime landscape. A lesser-known ransomware strain bearing the same name emerged in 2016, inspired by the fictional hacker group from Mr. Robot. Despite the shared branding, these two iterations of FSociety ransomware most probably differ.

Telegram channel logo of FSociety

The 2016 FSociety ransomware was directly inspired by the popular TV series Mr. Robot. It borrowed the show’s imagery and branding to create an intimidating presence, targeting individual users rather than large-scale organizations.

This early variant was a Python ransomware, making it relatively easy to analyze and crack. It spreads through malicious downloads and exploits kits, encrypting victims’ files and appending a unique extension to them. Victims were then presented with a ransom note demanding payment in Bitcoin.

The novel FSociety ransomware, emerging in 2024, operates as a Ransomware-as-a-Service (RaaS). This means the group provides its ransomware tools to affiliates, who then conduct attacks in exchange for a share of the ransom payments.

Therefore, while the 2016 and 2024 FSociety ransomware strains share a name and aesthetic inspired by Mr. Robot, their impact and methodologies differ vastly.

Thus it’s not the only alleged relation of the group. FunkSec has recently partnered with FSociety to boost the efficiency of their attacks. While details of the alliance remain scarce, the groups plan to work together like “wolf packs” in targeting victims, combining their strengths for more effective operations.

For further info, check out our Dark Web Profile for FunkSec as well.

Dark Web Profile: FunkSec

What are The FSociety’s Targets?

FSociety is known for its unique approach to publishing victim data. Initially, the group would mostly reveal only partial information about their targets, withholding full victim names. However, they seem to have shifted to fully disclosing the names of their victims in 2025.

FSociety’s data leak site (DLS)

As of the writing date, the group has claimed 41 victims, with targets spanning multiple industries. The United States remains a key focus for the group, continuing the trend of targeting high-value regions. In addition to sectors like Business Services, Retail, Governmental, and Financial, it has expanded its reach to include Technology and Education industries.

Organizations in these sectors are highly attractive targets due to the sensitive nature of the data they handle, making them likely to remain prime targets for FSociety. Given their strategic targeting of both public and private sector entities, the group’s operations continue to have a significant impact across a wide range of industries globally.

What are The FSociety’s Tactics?

FSociety operates as a Ransomware-as-a-Service (RaaS) group, offering affiliates a platform to carry out attacks in exchange for a share of the ransom profits. This model allows cybercriminals with less technical expertise to deploy ransomware while leveraging the group’s infrastructure. The group’s affiliations with multiple partners enhance their reach, as affiliates are tasked with breaching targeted networks and delivering the ransomware. The group’s success hinges on this collaborative approach, allowing them to scale operations quickly while maintaining a degree of anonymity and operational flexibility.

Affiliate program for FSociety

FSociety operates a Ransomware-as-a-Service (RaaS) model, leveraging double extortion tactics by encrypting victims’ data and exfiltrating sensitive information. The group deploys the Flocker ransomware and offers an affiliate program targeting FunkSec followers, access brokers, hackers, and insiders.

FSociety collaborates with the ransomware group FunkSec, even using their forum infrastructure. In mid-January 2025, a user named FSOCIETY in that forum announced a strategic alliance between FSociety and FunkSec on the FunkSec forum. This user holds the titles Mod and DAMN and has shared leaked data through MEGA links. FSociety’s affiliate program requires candidates to complete an interview and provide proof of their skills and network access before joining.

Affiliates gain access to the Flocker V5 builder, which includes command-and-control (C2) capabilities, a crypto stealer, keylogger, Remote Access Trojan (RAT), DDoS functionality, and a playbook for advanced attack methods. The group also provides 24/7 support, with upcoming features such as AI-driven attack automation.

What are The Mitigation Tactics Against The FSociety and RaaS Groups?

To protect your organization from FSociety and similar ransomware threats, it’s essential to implement a multi-layered defence strategy:

1. Implement Robust Endpoint Security: Use advanced anti-malware solutions to detect and block ransomware activities.
2. Regular Patch Management: Ensure your systems are updated to fix vulnerabilities frequently exploited by attackers.
3. Data Backups: Isolate backups to ensure they’re not compromised by ransomware encryption.
4. Zero Trust Architecture: Apply least-privilege access to limit exposure to critical assets.
5. Multi-Factor Authentication (MFA): Strengthen login security to prevent unauthorized access.
6. Network Traffic Monitoring: Continuously track for suspicious activity indicative of a ransomware attack.
7. Actionable Threat Intelligence (XTI): Utilize SOCRadar’s Extended Threat Intelligence platform for real-time updates on ransomware tactics and emerging threats, enabling proactive defense strategies.
8. Employee Training: Regularly train staff on phishing prevention and cyber hygiene practices.

How Can SOCRadar Help?

SOCRadar offers comprehensive solutions to defend against FSociety and similar ransomware threats. Here’s how:

1. Extended Threat Intelligence: SOCRadar’s real-time platform provides insights into the group’s tactics, techniques, and procedures (TTPs), enabling organizations to proactively defend against evolving threats.
2. Dark Web Monitoring: SOCRadar continuously scans the dark web for compromised data and stolen credentials, offering early detection to prevent ransomware attacks.
3. Proactive Vulnerability Management: Identifies vulnerabilities targeted by RaaS groups like FSociety, helping organizations prioritize patching.

SOCRadar’s Ransomware Intelligence

By using SOCRadar, organizations can bolster their defense against FSociety and other ransomware groups.

In Summary

FSociety, also known as Flocker, is a ransomware-as-a-service (RaaS) operation that emerged in 2024. It enables cybercriminals to deploy ransomware without advanced technical expertise. The group employs double extortion tactics, encrypting victims’ files and threatening to leak stolen data. tThe group operates through Telegram and an Onion site, facilitating communication and ransom negotiations.

While the FSociety name was previously linked to a 2016 ransomware inspired by Mr. Robot, the 2024 variant is a more sophisticated RaaS platform. The group has also formed alliances with other cybercriminal entities like FunkSec to enhance its operations.

The group primarily targets organizations in the U.S. across industries such as business services, retail, government, finance, technology, and education. Their data leak site has listed 41 victims as of 2025.

To mitigate FSociety threats, organizations should adopt robust endpoint security, regular patch management, network monitoring, multi-factor authentication, and employee cybersecurity training. SOCRadar’s extended threat intelligence and dark web monitoring solutions offer proactive defense against FSociety and similar RaaS threats.