Analysis of Faust Ransomware, a Variant of the Phobos Ransomware Family
CloudSEK’s contextual AI digital risk platform XVigil discovered a financially motivated ransomware group, dubbed Faust, a variant of the Phobos ransomware family. The group encrypts victims’ files with a ‘.faust’ extension.
Published on February 8, 2023
Updated on February 27, 2023
Category: Malware Intelligence
Industry: Multiple
Motivation: Financial
Region: Global
Source: A1 (A: Reliable; 1: Confirmed by independent sources)
Executive Summary
After encrypting the victim's files, the ransomware drops two ransom notes, info.hta (an HTML Application) and info.txt, which carry the threat actors' contact instructions. The note names gardex_recofast@zohomail[.]eu as the address for ransom negotiation.
Notably, the note lists a second address, annawong@onionmail[.]org, to be used as a fallback if the primary address does not answer within 24 hours.
Analysis and Attribution
Open-Source Analysis
Based on our historical analysis of similar threats, we believe the presence of multiple email addresses points to one of two possibilities: either the addresses belong to different affiliates, or the threat actors register several addresses so that a suspension by one email provider does not cut off communication with victims.
The email addresses used for direct communication with victims have been hosted on providers such as:
Zoho Mail
Onion Mail
Air Mail
ProtonMail
Tutanota
Cock.li
Gmail
Keemail
History of Phobos Ransomware Group
The Phobos ransomware group began operations in 2018 and was known to gain initial access through compromised or exposed RDP services. By 2020, a Phobos operator was recruiting affiliates on cybercriminal forums, using Jabber (creakerBro@exploit[.]im) and email (sennadaSilva0194@keemail[.]me) as the primary modes of communication.
Since then, multiple Phobos affiliates have been observed appending their own contact email address to the names of the files they encrypt. So far, no free decryptor is available for Faust, the Phobos variant described here.
Phobos ransomware recruiting partners for their ransomware operations
Connection with Dharma/CrySis Ransomware
Several research reports suggest that Phobos is derived from the Dharma and CrySis ransomware. CrySis activity peaked in 2016; its source code was later shared by its original author, which explains the striking similarities between the two families, including their near-identical ransom notes.
Indicators of Compromise (IOCs)
The following IOCs for Faust ransomware are based on results from VirusTotal and Triage. YARA rules run against the sample matched Phobos as the primary signature, which is consistent with Faust being a Phobos variant. The ransom note dropped on encrypted hosts reads as follows:
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail gardex_recofast@zohomail.eu
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail: annawong@onionmail.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
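The two observations above, that the ransom note carries a primary and a fallback contact address and that Phobos affiliates append their email address to the encrypted file names, can be turned into a quick triage script for an incident responder. The following is an added example written for this page, not CloudSEK's code or tooling. It assumes the widely reported Phobos naming convention `<original name>.id[<8 hex chars>-<4 digits>].[<contact email>].<extension>`, which the page does not spell out; the victim ID `1A2B3C4D-3271` and the directory listing are constructed for illustration, while the email addresses and note wording are the ones quoted on this page.

```python
"""Triage helpers for Phobos-family (Faust) ransomware artifacts.

Added example, not CloudSEK's code. It (1) extracts the contact addresses
and victim ID from a ransom note, (2) flags file names that follow the
assumed Phobos naming convention with the .faust extension, and (3)
correlates the two so the responder can see which affiliate address was
used and whether the encrypted files belong to the same victim ID.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Ransom note file names dropped by the sample (from the report).
NOTE_FILENAMES = {"info.hta", "info.txt"}

# Generic email matcher; notes and IOC lists are often defanged with [.]
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Assumed Phobos naming convention (not stated on the page):
#   <original name>.id[<8 hex>-<4 digits>].[<contact email>].<extension>
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# The note tells the victim to put this ID in the mail subject; the ID
# format (8 hex chars, dash, 4 digits) is an assumption matching the
# file-name convention above.
VICTIM_ID_RE = re.compile(
    r"ID in the title of your message\s*-\s*([0-9A-Fa-f]{8}-\d{4})"
)


def refang(text: str) -> str:
    """Undo the usual defanging so regexes see real addresses and URLs."""
    return text.replace("[.]", ".").replace("hxxp", "http")


@dataclass
class NoteIndicators:
    primary_email: Optional[str]
    fallback_email: Optional[str]
    victim_id: Optional[str]
    all_emails: List[str]


def parse_ransom_note(note: str) -> NoteIndicators:
    """Pull contact addresses (in order of appearance) and the victim ID."""
    text = refang(note)
    emails: List[str] = []
    for match in EMAIL_RE.finditer(text):
        if match.group(0) not in emails:  # keep first-seen order, no dupes
            emails.append(match.group(0))
    id_match = VICTIM_ID_RE.search(text)
    return NoteIndicators(
        primary_email=emails[0] if emails else None,
        fallback_email=emails[1] if len(emails) > 1 else None,
        victim_id=id_match.group(1) if id_match else None,
        all_emails=emails,
    )


def match_encrypted_name(name: str, extension: str = "faust") -> Optional[Dict[str, str]]:
    """Return the parsed parts of a Phobos-style name with the given extension."""
    m = PHOBOS_NAME_RE.match(name)
    if not m or m.group("ext").lower() != extension.lower():
        return None
    return m.groupdict()


def scan_listing(names: List[str], extension: str = "faust") -> Dict[str, Dict[str, str]]:
    """Map every encrypted file name in a listing to its parsed components."""
    hits = {}
    for name in names:
        parsed = match_encrypted_name(name, extension)
        if parsed:
            hits[name] = parsed
    return hits


def triage(note: str, listing: List[str], extension: str = "faust") -> dict:
    """Correlate note contacts with the addresses embedded in file names."""
    indicators = parse_ransom_note(note)
    hits = scan_listing(listing, extension)
    ids_in_names = {h["victim_id"] for h in hits.values()}
    return {
        "note_contacts": indicators.all_emails,
        "victim_id": indicators.victim_id,
        "encrypted_files": len(hits),
        # Distinct addresses appended to file names: one per affiliate, normally.
        "affiliate_emails": sorted({h["email"] for h in hits.values()}),
        "id_matches_note": indicators.victim_id is not None and ids_in_names == {indicators.victim_id},
        "note_files_present": sorted(n for n in listing if n.lower() in NOTE_FILENAMES),
    }


# Constructed sample input: note wording from the report, victim ID made up.
SAMPLE_NOTE = """All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail gardex_recofast@zohomail[.]eu
Write this ID in the title of your message - 1A2B3C4D-3271
In case of no answer in 24 hours write us to this e-mail: annawong@onionmail[.]org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
hxxps://localbitcoins.com/buy_bitcoins
"""

# Constructed directory listing from a hypothetical infected host.
SAMPLE_LISTING = [
    "budget.xlsx.id[1A2B3C4D-3271].[gardex_recofast@zohomail.eu].faust",
    "report.docx.id[1A2B3C4D-3271].[gardex_recofast@zohomail.eu].faust",
    "photo.jpg.id[1A2B3C4D-3271].[annawong@onionmail.org].faust",
    "archive.zip.id[AAAAAAAA-1111].[someone@example.com].phobos",  # other variant, ignored
    "notes.txt",
    "info.txt",
    "info.hta",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_NOTE, SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The `affiliate_emails` field is the useful one during an investigation: a single address across all encrypted files is the normal case, while several addresses on one host suggest either a second affiliate or, as the report notes, the same actor rotating addresses to survive provider bans. The `id_matches_note` check guards against mixing artifacts from different victims when notes and listings are collected from several machines.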