Fadesoft Ransomware – Remove and Restore Your Files


The article will help you remove Fadesoft ransomware in full. Follow the ransomware removal instructions provided at the end of the article.

Fadesoft is a ransomware cryptovirus. It encrypts files with over 320 different file extensions and then displays a ransom message in a window, which states the payment demands of the cybercriminals who made the Fadesoft cryptovirus. The ransomware uses the TOR network to contact one of four C&C (Command and Control) servers. Read on below to see how you could try to potentially restore some of your data.

Threat Summary

Short Description: The ransomware will encrypt files with over 320 different extensions on a compromised computer.
Symptoms: The ransomware encrypts files on your computer and displays a ransom message on a graphical interface afterward.
Distribution Method: Spam Emails, Email Attachments
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Fadesoft Ransomware – Infection Spread

Fadesoft ransomware could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, could be circulating on the Internet at the time of writing.

Fadesoft ransomware might also distribute its payload file on social media sites and file-sharing services. Freeware found on the Web can be presented as useful but could also hide the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources like links and e-mails. Instead, you should scan them beforehand with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the ransomware prevention tips topic in our forum.

Fadesoft Ransomware – Technical Analysis

Fadesoft is a ransomware virus that was given its name by malware researchers. The reason for the name is that the malware's code contains many instances of the phrase Fadesoft. The virus encrypts files with a little over 320 different extensions.

Fadesoft ransomware could make entries in the Windows Registry to achieve persistence, and to launch and repress processes in Windows. Some entries are designed to start the virus automatically with each launch of the Windows Operating System. The code of the Fadesoft virus shows that it will try to connect to one of four different C&C (Command and Control) servers on the TOR network.

The ransom note will appear when the encryption process ends. The note is written in English and gives details about what the ransom price is, along with other demands for paying.

The ransom note reads as follows:

All your important files stored on this computer and attached drives have been encrypted using strong AES-256 + RSA-2048 cryptography algorithms.
Click on [SHOW LOCKED FILES] button to see which files have been encrypted.
The only way to recover your files is to obtain a unique private decryption key stored on our server. There is no other way to decrypt your data without the private key.

To receive the private key, you have to buy Bitcoins and send 0.33 BTC to our address.

You can buy bitcoins on www.localbitcoins.com or use GOOGLE to find out how to buy and send bitcoin in your region.

Dont try to delete me if you want your files back. YOU HAVE BEEN WARNED.
Click on [DECRYPT MY FILES] button if you have already paid.
Decryption process is fully automated.

send 0.33 Bitcoin to this address:
[REDACTED] Check address balance and transaction progress

The note of the Fadesoft ransomware states that your files are encrypted with a combination of military-grade encryption algorithms, AES and RSA. A ransom sum of 0.33 Bitcoins is asked as payment for unlocking your data by the cyber crooks. The equivalent of that sum in US dollars is currently around 322 dollars. You are given 96 hours or four days’ time by the ransom criminals to pay up and unlock your files. You should NOT under any circumstances pay these cybercriminals. Your files may not get restored, and nobody could guarantee you that. Moreover, giving money to these criminals will likely motivate them to create more ransomware or do other criminal activities.

Fadesoft ransomware seeks to encrypt files with a little over 320 different extensions, which you can see in the following list:

→.indl, .gdb, .xls, .odb, .xlt, .cas, .apk, .nsf, .cdr, .wav, .mpg, .xlam, .epk, .dxf, .mcmeta, .wb2, .py, .tex, .pmd, .dwk, .litemod, .mp4, .rm, .kdc, .prel, .nv2, .erf, .x3f, .arj, .rgss3a, .mpa, .xltm, .mdf, .nbf, .qic, .sko, .mov, .mpeg, .accdb, .iwi, .vcxproj, .upk, .4db, .tar, .dwfx, .xml, .saj, .potm, .ofx, .m2, .sum, .qbb, .mpqge, .db0, .sid, .dotm, .vfs0, .slm, .docx, .bc7, .sldm, .zip, .gif, .vdf, .lua, .ps, .3gp, .asf, .vpk, .wps, .snx, .pak, .pfx, .srw, .dbx, .sidn, .txt, .ntl, .gif, .psw, .raf, .gho, .rar, .bak, .doc, .wdb, .php, .swf, .ifx, .sql, .mef, .w3x, .bkf, .pef, .pst, .vcf, .xla, .t13, .fla, .re4, .png, .kf, .flv, .mpd, .mlx, .m3u8, .bc6, .m4u, .odm, .efx, .msg, .xlsx, .tax, .ppj, .rtf, .aep, .ppt, .jpeg, .key, .iff, .3fr, .ff, .pdf, .7zip, .dat, .bsa, .ltx, .bay, .m, .hvpl, .dmp, .aet, .pgp, .max, .docb, .bar, .mddata, .fpx, .big, .class, .der, .ibank, .7z, .jpg, .p12, .bpw, .crw, .odt, .ztmp, .syncdb, .sb, .layout, .idx, .idml, .rw2, .mpp, .xf, .bkp, .aepx, .c, .fsh, .nba, .ppam, .p7c, .ncf, .odp, .kdb, .dcr, .ava, .menu, .qba, .sis, .xlm, .jar, .dtd, .itl, .dxg, .fos, .aaf, .dot, .arw, .cs, .pdd, .as3, .gpg, .map, .ai, .dbf, .desc, .forge, .tor, .mdb, .srf, .xltx, .icxs, .qfx, .fdb, .asp, .vtf, .cfr, .vob, .dotx, .sdf, .crp, .asset, .potx, .sie, .m3u, .sdc, .lbf, .pptm, .bmp, .nrw, .ses, .kdbx, .docm, .3ds, .wotreplay, .tif, .hplg, .aes, .xlw, .csv, .as, .vpp_pc, .psd, .sav, .sldx, .itm, .pps, .wallet, .indb, .hpp, .rwl, .psk, .r3d, .ppsx, .gxk, .inx, .dazip, .arch00, .PAS, .qbo, .hkdb, .pot, .pl, .d3dbsp, .ra, .qbw, .cpp, .iso, .prproj, .pem, .raw, .orf, .plb, .lrf, .ptx, .dng, .indt, .db, .svg, .mrwref, .indd, .esm, .das, .xll, .bik, .xlk, .odc, .obj, .avi, .blob, .t12, .xqx, .wma, .java, .tib, .p7b, .sxc, .pkpass, .h, .accdt, .ksd, .3dm, .qdf, .asx, .dwg, .crt, .ppsm, .backup, .wpd, .wmv, .4dd, .xlsm, .mdbackup, .rb, .jpe, .cer, .mid, .tbl, .pptx, .3g2, .aif, .hkx, .pdb, .ass, .itdb, .xxx, .cr2, .sr2, .rim, .js, .dba, .iwd, .myo, .eml, 
.eps, .ods, .sidd, .mp3, .lvl, .xlsb

Each file that has one of the extensions from the list above will get encrypted. Interestingly enough, there is also a “Whitelist” of directories that are excluded from the encryption process. You can view that list here:

  • Windows
  • Appdata
  • Programdata
  • Program files
  • Recycle.bin
  • System volume
  • Cookies
  • Temporary internet files
  • Games
  • nVidia
  • Intel
  • pagefile

The Fadesoft cryptovirus is more than likely to delete the Shadow Volume Copies from the Windows Operating System by utilizing the following command:

→vssadmin.exe Delete Shadows /All /Quiet
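The shadow-copy deletion command above is a useful detection point in process-creation telemetry. The following is an added example, not part of the original article: the event records, host names and parent process names are constructed sample data, and the field names are assumptions.

```python
# Flag process command lines that delete Volume Shadow Copies via vssadmin.
# SAMPLE_EVENTS is constructed for illustration; it is not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent": "invoice.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-01", "parent": "cmd.exe",
     "cmdline": r'"C:\Windows\System32\VSSADMIN.EXE"   delete  shadows /all /quiet'},
    {"host": "ws-02", "parent": "unknown.exe",
     "cmdline": 'cmd.exe /c "vssadmin delete shadows /all /quiet"'},
    {"host": "ws-03", "parent": "backup.exe",
     "cmdline": "vssadmin delete shadows /for=C: /oldest"},
    {"host": "ws-04", "parent": "cmd.exe", "cmdline": "vssadmin list shadows"},
    {"host": "ws-05", "parent": "explorer.exe",
     "cmdline": "notepad.exe vssadmin_delete_shadows_notes.txt"},
]

def basename(token):
    """Return the file name part of a Windows or forward-slash path."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1]

def classify(cmdline):
    """Return 'high', 'medium' or None for one command line."""
    # Normalise case, quoting and repeated whitespace so variants still match.
    tokens = cmdline.replace('"', " ").lower().split()
    for i, tok in enumerate(tokens):
        if basename(tok) in ("vssadmin", "vssadmin.exe"):
            args = tokens[i + 1:]
            break
    else:
        return None  # vssadmin is not invoked at all
    if args[:2] != ["delete", "shadows"]:
        return None  # e.g. "list shadows" is a read-only query
    switches = set(args[2:])
    # /all removes every copy and /quiet suppresses the confirmation prompt:
    # together they match the unattended form quoted in the article.
    if "/all" in switches and "/quiet" in switches:
        return "high"
    return "medium"  # targeted deletion: may be legitimate maintenance, review it

def scan(events):
    """Return (host, parent, severity) for every matching event."""
    hits = []
    for ev in events:
        severity = classify(ev["cmdline"])
        if severity:
            hits.append((ev["host"], ev["parent"], severity))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The parent process is returned with each hit because a deletion launched by a backup agent and one launched by an unrecognised executable call for different responses.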

Continue reading and check out what ways you could try to potentially restore some of your data.

Remove Fadesoft Ransomware and Restore Your Files

If your computer got infected with the Fadesoft ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions provided below.


Berta Bilbao

Berta is a dedicated malware researcher, dreaming for a more secure cyber space. Her fascination with IT security began a few years ago when a malware locked her out of her own computer.
