
Fadesoft Ransomware

Posted: February 10, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 16
First Seen: February 10, 2017
Last Seen: January 10, 2019
OS(es) Affected: Windows

The Fadesoft Ransomware is a Trojan that encrypts your files to stop you from opening them until you pay its ransom. Although the extortionists sometimes reward paying victims with actual decryption solutions, they do not necessarily do so, and may provide a solution that causes further damage to your files. Keeping backups beforehand and having anti-malware protection able to delete the Fadesoft Ransomware before it attacks are two of the mainline defenses PC users can enact against this threat.

Everything You Need to Lose Your Money in One Pop-Up

Although the technical implementation of their payloads and installation exploits does matter, successful Trojans employing file-ransoming attacks also need to use some level of social engineering. One sample of a new threat just noted by malware experts, the Fadesoft Ransomware, encapsulates many of the methods that threat actors traditionally abuse for siphoning money from their victims. As usual, the initial attack aims to block many of the files on your PC but leaves the system's core operations alone so that the user can follow the directions for paying.

The Fadesoft Ransomware protects its code from analysis with an open-source .NET utility, ConfuserEx. Like the Erebus 2017 Ransomware, the Fadesoft Ransomware uses an exploit to automatically install itself with full system access. In addition to using an exceptionally obfuscated method of contacting one of two C&C domains for sharing information with the remote attacker, the Fadesoft Ransomware also encrypts a range of over two hundred file types. However, malware analysts verified that the Trojan avoids encoding any content in various directories, including ones related to the operating system, gaming applications and temporary system data.

For the victim, the Fadesoft Ransomware's most detectable and full-featured symptom is the pop-up message it displays after it locks your content. The Fadesoft Ransomware incorporates a live countdown, a modifiable field for the wallet address to pay its demanded ransom, a thorough explanation of the attack (including possibly falsified information about the encoding cipher), a built-in decryptor and a feature for viewing which files are currently encrypted. Accordingly, the Trojan gives its victims everything they need to be persuaded into paying the ransom or else risk the permanent locking of all affected data.

Teaching a Trojan to Fade Away Softly

The Fadesoft Ransomware offers a glimpse into how threat actors implement deliberately obfuscated code to hide the goals of a threatening program and, potentially, evade some security solutions. Its four-day time limit also puts the victim into a scenario where a fast response is necessary, either for recovering one's data or washing one's hands of it. For most users, backing up their files to safe locations, such as USB storage, will offer the most realistic protection from Trojan campaigns, such as the Fadesoft Ransomware's, that try to ransom local content. Ordinarily, malware analysts advise against relying only on local backups, which are often subject to being deleted immediately before or after the Trojan's encryption routine.

This Trojan includes several internal defenses against being detected by traditional security utilities, but no information is yet accessible on its distribution model. The ransom the Fadesoft Ransomware levies, equivalent to 300 USD in Bitcoin cryptocurrency, is more commonly found in campaigns against casual PC users, but business systems are also subject to similar, more expensive attacks. Practicing safe Web-browsing protocols and keeping anti-malware programs for detecting and removing threats like the Fadesoft Ransomware during spearhead infection attempts are critical to blocking most threats of this classification.

None of the Fadesoft Ransomware's details are new to the world of file-enciphering Trojans, but it implements all of them in an organized and competent package. PC owners who suddenly see pop-ups asking for money under duress should pause and consider the ramifications of rewarding ill-minded behavior before following the advice of threats.

Technical Details

File System Modifications


The following files were created in the system:

File name: file.exe
Size: 328.19 KB (328192 bytes)
MD5: 956ca97632c94f0e4f618501f42c7590
Detection count: 89
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 15, 2017

File name: file.exe
Size: 333.31 KB (333312 bytes)
MD5: 4dde80332568b82241d60217234859fb
Detection count: 80
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 16, 2017

Additional Information

The following directories were created:
%ALLUSERSPROFILE%\Fadesoft
%LOCALAPPDATA%\Fadesoft
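
A host check built from the indicators listed above, added here as an example and not part of the original write-up: it looks for the two Fadesoft directories and hashes files against the two listed MD5 values. The function names and the choice to scan the profile directories by default are assumptions.

```python
import hashlib
import os
import sys
from pathlib import Path

# Indicators listed on this page.
FADESOFT_MD5 = {
    "956ca97632c94f0e4f618501f42c7590",
    "4dde80332568b82241d60217234859fb",
}
MARKER_DIR = "Fadesoft"
BASE_VARS = ("ALLUSERSPROFILE", "LOCALAPPDATA")


def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_marker_dirs(bases):
    """Return <base>/Fadesoft for every base directory where it exists."""
    return [Path(b) / MARKER_DIR for b in bases if (Path(b) / MARKER_DIR).is_dir()]


def find_known_samples(root, known=FADESOFT_MD5):
    """Walk root and return files whose MD5 is in the known set."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                if md5_of(path) in known:
                    hits.append(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep scanning
    return hits


if __name__ == "__main__":
    # Assumption: run once per user, since LOCALAPPDATA is profile-specific.
    bases = [os.environ[v] for v in BASE_VARS if os.environ.get(v)]
    for hit in find_marker_dirs(bases):
        print("marker directory:", hit)
    for root in sys.argv[1:] or bases:
        for hit in find_known_samples(root):
            print("known sample:", hit)
```

The MD5 comparison only matches the two exact builds recorded here; the directory check does not depend on the sample's hash.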