FortiGuard Labs recently uncovered FAUST, a ransomware variant belonging to the Phobos family. Like other Phobos variants, it encrypts files on the victim's computer and demands a ransom in exchange for the decryption key.
FAUST appends a ".faust" extension to each encrypted file and drops two ransom notes, info.txt and info.hta, which direct the victim to contact the attackers and negotiate payment. Encryption and extortion go together: the files are held hostage, and payment is demanded for the promise of recovering them.
The observed attack chain begins with an Office document that carries a VBA script. Through a series of stages, including the use of the Gitea service as file storage for follow-on components and a sequence of PowerShell commands, the script loads the FAUST payload into memory, where it starts encrypting. The chain uses obfuscation and process injection to evade detection and to complicate analysis.
Once running, FAUST encrypts files, appends the ".faust" extension, and writes its ransom notes. It checks for a mutex so that only one instance of the ransomware runs at a time, and it establishes persistence through registry modifications so that it survives a reboot.
To avoid rendering the system unusable, and to avoid encrypting its own ransom notes, FAUST applies an exclusion list of file extensions, directories, and filenames that it skips. The host stays functional enough for the victim to read the note and respond, which is what makes the extortion work; it is a deliberate design choice rather than restraint.
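The artifacts described above (the ".faust" extension on encrypted files, the info.txt and info.hta notes, and the untouched files left by the exclusion list) are exactly what a responder looks for when scoping an incident. The following triage scanner is an added example, not code from FortiGuard Labs or from the original write-up. It assumes only what the article states about the artifact names; the directory tree it scans is constructed inline for the demonstration, and the "note-only directory" heuristic is this example's own idea for spotting directories the malware visited but skipped.

```python
"""Triage scanner for the FAUST artifacts described in the write-up.

Added example, not FortiGuard Labs code. Assumes only that encrypted
files end in ".faust" and that the ransom notes are named info.txt and
info.hta. The sample tree is constructed below; it is not a real infection.
"""
import os
import tempfile
from collections import Counter
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".faust"
RANSOM_NOTES = {"info.txt", "info.hta"}


@dataclass
class TriageReport:
    """All paths are relative to the scanned root."""
    encrypted: list = field(default_factory=list)
    notes: list = field(default_factory=list)
    untouched: list = field(default_factory=list)

    @staticmethod
    def original_name(path: Path) -> str:
        # The write-up only says ".faust" is appended, so strip exactly that.
        return path.name[: -len(ENCRYPTED_EXT)]

    def counts_by_original_ext(self) -> Counter:
        """How many encrypted files of each original type (.docx, .jpg, ...)."""
        return Counter(Path(self.original_name(p)).suffix.lower()
                       for p in self.encrypted)

    def affected_dirs(self) -> set:
        return {p.parent for p in self.encrypted}

    def notes_without_encryption(self) -> set:
        """Directories holding a ransom note but no .faust file (heuristic
        of this example): worth a manual look, since the directory may have
        been on the exclusion list or encryption may have been interrupted."""
        return {p.parent for p in self.notes} - self.affected_dirs()


def scan(root: Path) -> TriageReport:
    """Walk the tree once and bucket every file by artifact type."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = Path(dirpath, name).relative_to(root)
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                report.encrypted.append(rel)
            elif lower in RANSOM_NOTES:
                report.notes.append(rel)
            else:
                report.untouched.append(rel)
    for bucket in (report.encrypted, report.notes, report.untouched):
        bucket.sort()
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample: a user profile hit by the ransomware, a directory
    with a note but no encrypted files, and a system file left alone."""
    layout = {
        "Users/alice/Documents/report.docx.faust": b"\x00ciphertext",
        "Users/alice/Documents/budget.xlsx.faust": b"\x00ciphertext",
        "Users/alice/Documents/info.txt": b"All your files are encrypted",
        "Users/alice/Documents/info.hta": b"<html>ransom note</html>",
        "Users/alice/Pictures/photo.jpg.faust": b"\x00ciphertext",
        "Users/alice/Pictures/info.txt": b"All your files are encrypted",
        "Users/alice/Desktop/info.hta": b"<html>ransom note</html>",
        "Users/alice/Desktop/todo.txt": b"plain text, untouched",
        "Windows/System32/kernel32.dll": b"MZ untouched by exclusion list",
    }
    for rel, data in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> TriageReport:
    """Build the sample tree in a temp dir, scan it, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    rep = run_demo()
    print(f"encrypted files:  {len(rep.encrypted)}")
    print(f"ransom notes:     {len(rep.notes)}")
    print(f"by original type: {dict(rep.counts_by_original_ext())}")
    print(f"affected dirs:    {sorted(d.as_posix() for d in rep.affected_dirs())}")
    print(f"note-only dirs:   {sorted(d.as_posix() for d in rep.notes_without_encryption())}")
```

Point `scan()` at a mounted disk image or a share rather than a live host where possible, and treat the "note-only" directories as leads, not conclusions: a note beside unencrypted files is consistent with the exclusion list described above, but also with an interrupted run.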
FAUST shows that the Phobos family is still being actively developed. Its registry-based persistence and its ability to encrypt efficiently across a network make it a serious threat. Because the infection starts with a VBA script in an Office document, the simplest effective defence is still to refuse documents from untrusted sources and to keep Office macros disabled by default.