
Researchers from FortiGuard Labs have discovered a new ransomware strain, FAUST, a variant of the notorious Phobos family. This malicious software encrypts files on a victim’s computer and demands a ransom in exchange for the decryption key, marking a sinister evolution in cyber threats.
FAUST ransomware, emerging from the depths of cyber malfeasance, appends a “.faust” extension to each encrypted file and leaves behind info.txt and info.hta files through which the ransom negotiation is conducted. This variant not only encrypts the victims’ files but also leaks them in a web of extortion, demanding payment for the promise of retrieval.
The attack chain begins with an Office document, a Trojan horse carrying a VBA script poised to unleash chaos. FAUST ransomware embeds itself in the system’s memory and launches a relentless encryption onslaught. This sophisticated attack chain, a testament to the attackers’ ingenuity, employs obfuscation techniques and process injection to evade detection and complicate analysis.
Once it has gained persistence in the system, FAUST ransomware meticulously encrypts files, appending its signature “.faust” extension, and drops its ransom notes, setting the stage for its extortionate demands.
It checks a mutex object to ensure that only one instance is running, and it establishes persistence by adding a registry value under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” and copying itself to two folders: “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup” and “C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup”.
To avoid destroying the system or encrypting its own ransom notes, FAUST ransomware uses the exclusion list given below:
- File extensions: faust, actin, DIKE, Acton, actor, Acuff, FILE, Acuna, fullz, MMXXII, GrafGrafel, kmrox, s0m1n, qos, cg, ext, rdptest, S0va, 6y8dghklp, SHTORM, NURRI, GHOST, FF6OM6, blue, NX, BACKJOHN, OWN, FS23, 2QZ3, top, blackrock, CHCRBO, G-STARS, faust, unknown, STEEL, worry, WIN, duck, fopra, unique, acute, adage, make, Adair, MLF, magic, Adame, banhu, banjo, Banks, Banta, Barak, Caleb, Cales, Caley, calix, Calle, Calum, Calvo, deuce, Dever, devil, Devoe, Devon, Devos, dewar, eight, eject, eking, Elbie, elbow, elder, phobos, help, blend, bqux, com, mamba, KARLOS, DDoS, phoenix, PLUT, karma, bbc, capital, wallet, lks, tech, s1g2n3a4l, murk, makop, ebaka, jook, logan, fiasko, gucci, decrypt, ooh, non, grt, lizard, flscrypt, sdk, 2023, and vhdv.
- Directories: C:\Windows and C:\ProgramData\microsoft\windows\caches
- Filenames: info.hta, info.txt, boot.ini, bootfont.bin, ntldr, ntdetect.com, and io.sys.
The FAUST variant is a perfect example of the ever-evolving landscape of cyber threats. With its ability to maintain persistence and deploy efficient encryption across a network, the menace of FAUST cannot be overstated. Users are urged to exercise the utmost caution and refrain from opening documents from untrusted sources, a simple yet effective measure against the complex web of ransomware threats.
Indicators of Compromise (SHA-256)
- 426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33
- 50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5
- a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a
- ebe77c060f8155e01703cfc898685f548b6da12379e6aefb996dbcaac201587c
- c10dc2f6694414b68c10139195d7db2bb655f3afdcc1ac6885ef41ef1f0078df
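The hashes above, together with the “.faust” extension and the info.hta / info.txt note names from earlier in the article, are the artefacts a responder would sweep a file system for. The following scanner is an added example for this article, not code from FortiGuard Labs; it walks a directory, buckets files into hash matches, encrypted files and ransom notes, and skips hashing of files that are already encrypted (their digests are useless). The `demo()` function builds a constructed sample tree in a temporary directory; because no constructed file can reproduce a real malware hash, it adds the digest of its own stand-in file to the indicator set purely to exercise the matching path.

```python
import hashlib
import os
import tempfile

# SHA-256 indicators listed in the article.
FAUST_SHA256 = {
    "426284b7dedb929129687303f1bf7e4def607f404c93f7736d17241e43f0ab33",
    "50e2cb600471fc38c4245d596f92f5444e7e17cd21dd794ba7d547e0f2d9a9d5",
    "a0a59d83fa8631d0b9de2f477350faa89499e96fd5ec07069e30992aaabe913a",
    "ebe77c060f8155e01703cfc898685f548b6da12379e6aefb996dbcaac201587c",
    "c10dc2f6694414b68c10139195d7db2bb655f3afdcc1ac6885ef41ef1f0078df",
}
ENCRYPTED_EXT = ".faust"          # extension appended to encrypted files
RANSOM_NOTES = {"info.hta", "info.txt"}


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, hashes=FAUST_SHA256):
    """Walk root and return full paths bucketed by indicator type."""
    found = {"hash_match": [], "encrypted_file": [], "ransom_note": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower in RANSOM_NOTES:
                found["ransom_note"].append(path)
            elif lower.endswith(ENCRYPTED_EXT):
                # Impact indicator: count it, but do not waste time hashing it.
                found["encrypted_file"].append(path)
            elif sha256_of(path) in hashes:
                found["hash_match"].append(path)
    for bucket in found.values():
        bucket.sort()
    return found


def demo():
    """Constructed sample tree (not real malware); returns basenames per bucket."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = os.path.join(tmp, "Documents")
        os.makedirs(docs)
        samples = {
            os.path.join(docs, "report.docx.faust"): b"\x00constructed encrypted-looking bytes",
            os.path.join(docs, "info.hta"): b"<html>constructed note</html>",
            os.path.join(tmp, "info.txt"): b"constructed note",
            os.path.join(tmp, "dropper_sample.bin"): b"constructed stand-in for a dropper",
            os.path.join(tmp, "benign.exe"): b"MZ constructed benign binary",
        }
        for path, data in samples.items():
            with open(path, "wb") as f:
                f.write(data)
        # Only for the demo: treat the stand-in's own digest as a known-bad hash.
        stand_in = sha256_of(os.path.join(tmp, "dropper_sample.bin"))
        result = scan(tmp, hashes=FAUST_SHA256 | {stand_in})
        return {k: [os.path.basename(p) for p in v] for k, v in result.items()}


if __name__ == "__main__":
    for bucket, names in demo().items():
        print(f"{bucket}: {names}")
```

Against a real image, call `scan()` on the mounted root with the default hash set; a non-empty `encrypted_file` bucket with no `hash_match` is the common case when the dropper has already deleted itself, so the note and extension checks should never be dropped in favour of hashing alone.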