Hey you,
BE IN THE KNOW!

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:


Fadesoft Ransomware – Remove and Restore Your Files

The article will help you remove Fadesoft ransomware in full. Follow the ransomware removal instructions provided at the end of the article.

Fadesoft is a ransomware cryptovirus. Over 320 different file extensions will become encrypted and a ransom message will be displayed afterward in a window. From there, you can see the demands for payment of the cybercriminals that made the Fadesoft cryptovirus. The TOR network is used to contact one of four C&C (Command and Control) servers. Read on below to see how you could try to potentially restore some of your data.

Threat Summary

Name Fadesoft
Type Ransomware
Short Description The ransomware will encrypt files with over 320 different extensions on a compromised computer.
Symptoms The ransomware encrypts files on your computer and displays a ransom message on a graphical interface afterward.
Distribution Method Spam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Fadesoft

Download

Malware Removal Tool

User Experience Join Our Forum to Discuss Fadesoft.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Fadesoft Ransomware – Infection Spread

Fadesoft ransomware could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer machine, could be circling the Internet at the moment of writing of this article.

Fadesoft ransomware might also distribute its payload file on social media sites and file-sharing services. Freeware found on the Web can be presented as useful but could also hide the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources like links and e-mails. Instead, you should scan them beforehand with a security tool, while also checking their size and signatures for anything that seems out of ordinary. You should read the ransomware prevention tips topic in our forum.

Fadesoft Ransomware – Technical Analysis

Fadesoft is a ransomware virus that was dubbed that way by malware researchers. The reason for the name is that inside of the malware’s code, there are lots of instances of the phrase Fadesoft. The virus encrypts files with a little over than 320 different extensions.

Fadesoft ransomware could make entries in the Windows Registry to achieve persistence, launch and repress processes in Windows. Some entries are designed in a way that will start the virus automatically with each launch of the Windows Operating System. Inside the code of the Fadesoft virus is seen that it will try to connect to one out of four different C&C (Command and Control) servers on the TOR network.

The ransom note will appear when the encryption process ends. The note is written in English and gives details about what the ransom price is, along with other demands for paying. You can view the ransom message that loads after the file encryption process right here:

That ransom note reads the following:

YOUR PERSONAL FILES ARE ENCRYPTED !
All your important files stored on this computer and attached drives have been encrypted using strong AES-256 + RSA-2048 cryptography algorithms.
Click on [SHOW LOCKED FILES] button to see which files have been encrypted.
The only way to recover your files is to obtain a unique private decryption key stored on our server. There is no other way to decrypt your data without the private key.

To receive the private key, you have to buy Bitcoins and send 0.33 BTC to our address.

You can buy bitcoins on www.localbitcoins.com or use GOOGLE to find out how to buy and send bitcoin in your region.

YOU HAVE 96 HOURS (4 DAYS) TO PAY BEFORE THE DECRYPTION KEY I DESTROYED ON OUR SERVER. AFTER THIS TIME YOUR DATA WILL BE LOST FOREVER!
Dont try to delete me if you want your files back. YOU HAVE BEEN WARNED.
Click on [DECRYPT MY FILES] button if you have already paid.
Decryption process is fully automated.

send 0.33 Bitcoin to this address:
[REDACTED] Check address balance and transaction progress

The note of the Fadesoft ransomware states that your files are encrypted with a combination of military-grade encryption algorithms, AES and RSA. A ransom sum of 0.33 Bitcoins is asked as payment for unlocking your data by the cyber crooks. The equivalent of that sum in US dollars is currently around 322 dollars. You are given 96 hours or four days’ time by the ransom criminals to pay up and unlock your files. You should NOT under any circumstances pay these cybercriminals. Your files may not get restored, and nobody could guarantee you that. Moreover, giving money to these criminals will likely motivate them to create more ransomware or do other criminal activities.

Fadesoft ransomware seeks to encrypt files with a little over than 320 different extensions, which you can see in the following list:

→.indl, .gdb, .xls, .odb, .xlt, .cas, .apk, .nsf, .cdr, .wav, .mpg, .xlam, .epk, .dxf, .mcmeta, .wb2, .py, .tex, .pmd, .dwk, .litemod, .mp4, .rm, .kdc, .prel, .nv2, .erf, .x3f, .arj, .rgss3a, .mpa, .xltm, .mdf, .nbf, .qic, .sko, .mov, .mpeg, .accdb, .iwi, .vcxproj, .upk, .4db, .tar, .dwfx, .xml, .saj, .potm, .ofx, .m2, .sum, .qbb, .mpqge, .db0, .sid, .dotm, .vfs0, .slm, .docx, .bc7, .sldm, .zip, .gif, .vdf, .lua, .ps, .3gp, .asf, .vpk, .wps, .snx, .pak, .pfx, .srw, .dbx, .sidn, .txt, .ntl, .gif, .psw, .raf, .gho, .rar, .bak, .doc, .wdb, .php, .swf, .ifx, .sql, .mef, .w3x, .bkf, .pef, .pst, .vcf, .xla, .t13, .fla, .re4, .png, .kf, .flv, .mpd, .mlx, .m3u8, .bc6, .m4u, .odm, .efx, .msg, .xlsx, .tax, .ppj, .rtf, .aep, .ppt, .jpeg, .key, .iff, .3fr, .ff, .pdf, .7zip, .dat, .bsa, .ltx, .bay, .m, .hvpl, .dmp, .aet, .pgp, .max, .docb, .bar, .mddata, .fpx, .big, .class, .der, .ibank, .7z, .jpg, .p12, .bpw, .crw, .odt, .ztmp, .syncdb, .sb, .layout, .idx, .idml, .rw2, .mpp, .xf, .bkp, .aepx, .c, .fsh, .nba, .ppam, .p7c, .ncf, .odp, .kdb, .dcr, .ava, .menu, .qba, .sis, .xlm, .jar, .dtd, .itl, .dxg, .fos, .aaf, .dot, .arw, .cs, .pdd, .as3, .gpg, .map, .ai, .dbf, .desc, .forge, .tor, .mdb, .srf, .xltx, .icxs, .qfx, .fdb, .asp, .vtf, .cfr, .vob, .dotx, .sdf, .crp, .asset, .potx, .sie, .m3u, .sdc, .lbf, .pptm, .bmp, .nrw, .ses, .kdbx, .docm, .3ds, .wotreplay, .tif, .hplg, .aes, .xlw, .csv, .as, .vpp_pc, .psd, .sav, .sldx, .itm, .pps, .wallet, .indb, .hpp, .rwl, .psk, .r3d, .ppsx, .gxk, .inx, .dazip, .arch00, .PAS, .qbo, .hkdb, .pot, .pl, .d3dbsp, .ra, .qbw, .cpp, .iso, .prproj, .pem, .raw, .orf, .plb, .lrf, .ptx, .dng, .indt, .db, .svg, .mrwref, .indd, .esm, .das, .xll, .bik, .xlk, .odc, .obj, .avi, .blob, .t12, .xqx, .wma, .java, .tib, .p7b, .sxc, .pkpass, .h, .accdt, .ksd, .3dm, .qdf, .asx, .dwg, .crt, .ppsm, .backup, .wpd, .wmv, .4dd, .xlsm, .mdbackup, .rb, .jpe, .cer, .mid, .tbl, .pptx, .3g2, .aif, .hkx, .pdb, .ass, .itdb, .xxx, .cr2, .sr2, .rim, .js, .dba, .iwd, .myo, .eml, .eps, .ods, .sidd, .mp3, .lvl, .xlsb

Each file that has one of the extensions from the list above will get encrypted. Interestingly enough, there is also a “Whitelist” with directories, which to be excluded from the encryption process. You can view that list down here:

  • Windows
  • Appdata
  • Programdata
  • Program files
  • Recycle.bin
  • System volume
  • Cookies
  • Temporary internet files
  • Games
  • nVidia
  • Intel
  • pagefile

The Fadesoft cryptovirus is more than likely to delete the Shadow Volume Copies from the Windows Operating System by utilizing the following command:

→vssadmin.exe Delete Shadows /All /Quiet

Continue reading and check out what ways you could try to potentially restore some of your data.

Remove Fadesoft Ransomware and Restore Your Files

If your computer got infected with the Fadesoft ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Manually delete Fadesoft from your computer

Note! Substantial notification about the Fadesoft threat: Manual removal of Fadesoft requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Fadesoft files and objects
2.Find malicious files created by Fadesoft on your PC

Automatically remove Fadesoft by downloading an advanced anti-malware program

1. Remove Fadesoft with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Fadesoft
Optional: Using Alternative Anti-Malware Tools

Berta Bilbao

Berta is the Editor-in-Chief of SensorsTechForum. She is a dedicated malware researcher, dreaming for a more secure cyber space.

More Posts - Website

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.