Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family

Published on February 8, 2023. Updated on April 19, 2023.

Category: Malware Intelligence
Industry: Multiple
Motivation: Financial
Region: Global
Source: A1 (A: Reliable; 1: Confirmed by independent sources)

Executive Summary

CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed Faust, a variant of the Phobos ransomware family. The group encrypts victims’ files with a ‘.faust’ extension.

The ransom note gives an email address (gardex_recofast@zohomail[.]eu) for negotiating the ransom. After encrypting the victim's files, the ransomware drops info.hta (an HTML Application) and info.txt, which carry the threat actors' demands and contact details.

Notably, the ransom note lists two email addresses, gardex_recofast@zohomail[.]eu and annawong@onionmail[.]org; the second is given as the fallback if the first does not answer within 24 hours.

Analysis and Attribution

Open-Source Analysis

Based on our historical analysis of similar threats, the presence of multiple email addresses points to one of two possibilities: either the addresses belong to different affiliates, or the threat actors register several addresses so that a ban by one email provider does not cut off communication.

The email addresses given for direct communication in Phobos-family notes have been hosted by providers such as:

  • Zoho Mail
  • Onion Mail
  • Air Mail
  • ProtonMail
  • Tutanota
  • Cock.li
  • Gmail
  • Keemail

History of Phobos Ransomware Group

The Phobos ransomware group began operating in 2018 and was known to spread through compromised or vulnerable RDP connections. By 2020, a Phobos operator was recruiting on cybercriminal forums, using Jabber (creakerBro@exploit[.]im) and email (sennadaSilva0194@keemail[.]me) as the primary channels of communication.

Since then, multiple Phobos affiliates have been observed appending their own email addresses to the files they encrypt. So far, no free decryptor is available for Faust, the Phobos variant described here.

Phobos ransomware recruiting partners for their ransomware operations


Connection with Dharma/CrySis Ransomware


Several research reports suggest that Phobos is derived from the Dharma and CrySis ransomware families. CrySis was at the peak of its operations in 2016, after which its original author shared its source code. As a result, the families show striking similarities, including in their ransom notes.

Indicators of Compromise (IOCs)

Based on results from VirusTotal and Triage, the following are the IOCs for Faust ransomware. YARA matching identified Phobos as the primary signature for the Faust sample.

MD5:
9f14040a8875531ea00aa6f5aa90f218

SHA-1:
caf2ae5b2b2d86e4cb52e03079c4ef82ed1c57d5
b9b10ce1f750c58236e8ad7137a03a4e4ab33924

SHA-256:
b5475975e30be3c1ff6c97d148def1287dc3a0341d546198df85dbb66c1b6ffa
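As an added example (not CloudSEK tooling and not code from the report), the following Python sweeps a directory for the indicators listed above and in the ransom note: the published MD5/SHA-1/SHA-256 values, the '.faust' extension, the info.hta and info.txt note file names, and the two contact addresses inside any note it finds. The sample tree it builds is constructed for the demonstration; because the real sample is not on disk, the hash-matching path is exercised against the digest of a constructed stand-in file, and the note text is written in the report's defanged form, which the matcher normalises before comparing.

```python
"""Host-side IOC sweep for the Faust (Phobos variant) indicators in the report.

Constructed example: hashes every file under a directory, compares the digests
with the published Faust hashes, and flags the artefacts the report describes
(.faust extension, info.hta / info.txt ransom notes, known contact addresses).
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hashes published in the report for the Faust sample.
FAUST_MD5 = {"9f14040a8875531ea00aa6f5aa90f218"}
FAUST_SHA1 = {
    "caf2ae5b2b2d86e4cb52e03079c4ef82ed1c57d5",
    "b9b10ce1f750c58236e8ad7137a03a4e4ab33924",
}
FAUST_SHA256 = {"b5475975e30be3c1ff6c97d148def1287dc3a0341d546198df85dbb66c1b6ffa"}

# Contact addresses from the ransom note, kept in the report's defanged form.
FAUST_CONTACTS = {"gardex_recofast@zohomail[.]eu", "annawong@onionmail[.]org"}

ENCRYPTED_EXT = ".faust"
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def hash_file(path: Path) -> dict:
    """MD5, SHA-1 and SHA-256 of a file, computed in a single pass over its bytes."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def defang(address: str) -> str:
    """Rewrite the last dot of an address as [.] so it cannot be mailed by accident."""
    local, _, domain = address.rpartition("@")
    head, _, tld = domain.rpartition(".")
    return f"{local}@{head}[.]{tld}"


def contacts_in_note(text: str) -> set:
    """Known Faust contact addresses present in a note, whether fanged or defanged."""
    found = {defang(m) for m in EMAIL_RE.findall(text.replace("[.]", "."))}
    return found & FAUST_CONTACTS


def classify_file(path: Path, hashes=None) -> list:
    """Return the list of Faust indicators a single file matches (empty if none)."""
    hashes = hashes or {"md5": FAUST_MD5, "sha1": FAUST_SHA1, "sha256": FAUST_SHA256}
    findings = []
    if path.suffix.lower() == ENCRYPTED_EXT:
        findings.append("encrypted_extension")
    if path.name.lower() in RANSOM_NOTE_NAMES:
        findings.append("ransom_note_name")
        if contacts_in_note(path.read_text(errors="replace")):
            findings.append("faust_contact_in_note")
    for algo, value in hash_file(path).items():
        if value in hashes.get(algo, set()):
            findings.append(f"hash_match_{algo}")
    return findings


def scan_tree(root, hashes=None) -> dict:
    """Map each flagged file (relative path) under root to its findings."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            findings = classify_file(path, hashes)
            if findings:
                results[str(path.relative_to(root))] = findings
    return results


def build_demo_tree() -> Path:
    """Constructed sample tree: one encrypted file, one note, one clean file."""
    root = Path(tempfile.mkdtemp(prefix="faust_demo_"))
    (root / "quarterly.xlsx.faust").write_bytes(b"\x00" * 64)  # constructed content
    (root / "info.txt").write_text(
        "All your files have been encrypted! Write us to gardex_recofast@zohomail[.]eu\n"
        "In case of no answer in 24 hours write us to annawong@onionmail[.]org\n"
    )
    (root / "notes.txt").write_text("nothing to see here\n")
    return root


def demo() -> dict:
    """Scan the constructed tree; hash matching uses a stand-in file's digest
    because the real Faust sample is not present (and should not be) on disk."""
    root = build_demo_tree()
    stand_in = root / "stand_in.bin"
    stand_in.write_bytes(b"constructed stand-in, not the Faust sample")
    hashes = {"sha256": {hash_file(stand_in)["sha256"]}}
    return scan_tree(root, hashes)


if __name__ == "__main__":
    for rel_path, findings in demo().items():
        print(f"{rel_path}: {', '.join(findings)}")
```

In production the default call `scan_tree(root)` uses the published hashes; the `hashes` parameter exists so the same sweep can be pointed at hashes from a newer report or at a sandbox's output without editing the constants.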

Ransom Note

```text
All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail gardex_recofast@zohomail[.]eu
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:annawong@onionmail[.]org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
 Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
 hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to ours) or you can become a victim of a scam.
```

YARA Rule to Detect Phobos Ransomware

[TLP:WHITE] win_phobos_auto (20230125 | Detects win.phobos.)
rule win_phobos_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.phobos."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81c6b2000000 89b7a8000000 8b75fc 6a02 8945e0 8945e4 8d45e0 }
            // n = 7, score = 100
            //   81c6b2000000         | add                 esi, 0xb2
            //   89b7a8000000         | mov                 dword ptr [edi + 0xa8], esi
            //   8b75fc               | mov                 esi, dword ptr [ebp - 4]
            //   6a02                 | push                2
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8d45e0               | lea                 eax, [ebp - 0x20]

        $sequence_1 = { 8d440002 8945f8 8d45f4 50 6819010200 }
            // n = 5, score = 100
            //   8d440002             | lea                 eax, [eax + eax + 2]
            //   8945f8               | mov                 dword ptr [ebp - 8], eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6819010200           | push                0x20119

        $sequence_2 = { ff7510 ff15???????? 8945fc 83f8ff 0f849c010000 ff75ec 8d4620 }
            // n = 7, score = 100
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ff15????????         |                     
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   83f8ff               | cmp                 eax, -1
            //   0f849c010000         | je                  0x1a2
            //   ff75ec               | push                dword ptr [ebp - 0x14]
            //   8d4620               | lea                 eax, [esi + 0x20]

        $sequence_3 = { ff7508 e8???????? 83c40c 8bd8 66ff4b04 66ff4e04 }
            // n = 6, score = 100
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8bd8                 | mov                 ebx, eax
            //   66ff4b04             | dec                 word ptr [ebx + 4]
            //   66ff4e04             | dec                 word ptr [esi + 4]

        $sequence_4 = { e8???????? 59 59 ff45f4 837dd800 743e 837dec00 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   59                   | pop                 ecx
            //   59                   | pop                 ecx
            //   ff45f4               | inc                 dword ptr [ebp - 0xc]
            //   837dd800             | cmp                 dword ptr [ebp - 0x28], 0
            //   743e                 | je                  0x40
            //   837dec00             | cmp                 dword ptr [ebp - 0x14], 0

        $sequence_5 = { 5b c6043080 3bc3 40 730e }
            // n = 5, score = 100
            //   5b                   | pop                 ebx
            //   c6043080             | mov                 byte ptr [eax + esi], 0x80
            //   3bc3                 | cmp                 eax, ebx
            //   40                   | inc                 eax
            //   730e                 | jae                 0x10

        $sequence_6 = { 8b4508 ebeb 8b7df8 eb1b 0fb707 }
            // n = 5, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   ebeb                 | jmp                 0xffffffed
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   eb1b                 | jmp                 0x1d
            //   0fb707               | movzx               eax, word ptr [edi]

        $sequence_7 = { eb01 4f ff75fc e8???????? 59 }
            // n = 5, score = 100
            //   eb01                 | jmp                 3
            //   4f                   | dec                 edi
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   e8????????           |                     
            //   59                   | pop                 ecx

        $sequence_8 = { 57 50 e8???????? 8b4604 ff760c }
            // n = 5, score = 100
            //   57                   | push                edi
            //   50                   | push                eax
            //   e8????????           |                     
            //   8b4604               | mov                 eax, dword ptr [esi + 4]
            //   ff760c               | push                dword ptr [esi + 0xc]

        $sequence_9 = { 837e0800 7446 8b06 85c0 7440 8b0f 894e04 }
            // n = 7, score = 100
            //   837e0800             | cmp                 dword ptr [esi + 8], 0
            //   7446                 | je                  0x48
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   85c0                 | test                eax, eax
            //   7440                 | je                  0x42
            //   8b0f                 | mov                 ecx, dword ptr [edi]
            //   894e04               | mov                 dword ptr [esi + 4], ecx

    condition:
        7 of them and filesize < 139264
}

