The article will help you remove Fadesoft ransomware in full. Follow the ransomware removal instructions provided at the end of the article.
Fadesoft is a ransomware cryptovirus. Files with over 320 different extensions will become encrypted, and a ransom message will be displayed afterward in a window. There, you can see the payment demands of the cybercriminals who made the Fadesoft cryptovirus. The TOR network is used to contact one of four C&C (Command and Control) servers. Read on below to see how you could try to potentially restore some of your data.
|Short Description||The ransomware will encrypt files with over 320 different extensions on a compromised computer.|
|Symptoms||The ransomware encrypts files on your computer and displays a ransom message on a graphical interface afterward.|
|Distribution Method||Spam Emails, Email Attachments|
Fadesoft Ransomware – Infection Spread
Fadesoft ransomware could spread its infection via different methods. The payload file that initiates the malicious script for this ransomware, which in turn infects your computer, could be circulating on the Internet at the time of writing of this article.
Fadesoft ransomware might also distribute its payload file on social media sites and file-sharing services. Freeware found on the Web can be presented as useful but could also hide the malicious script for the cryptovirus. Refrain from opening files right after you have downloaded them, especially if they come from suspicious sources like links and e-mails. Instead, you should scan them beforehand with a security tool, while also checking their size and signatures for anything that seems out of the ordinary. You should read the ransomware prevention tips topic in our forum.
Fadesoft Ransomware – Technical Analysis
Fadesoft is a ransomware virus that was given its name by malware researchers. The reason for the name is that the malware's code contains many instances of the phrase Fadesoft. The virus encrypts files with a little over 320 different extensions.
Fadesoft ransomware could make entries in the Windows Registry to achieve persistence and to launch and repress processes in Windows. Some entries are designed to start the virus automatically with each launch of the Windows operating system. The code of the Fadesoft virus shows that it will try to connect to one of four different C&C (Command and Control) servers on the TOR network.
The ransom note will appear when the encryption process ends. The note is written in English and gives details about the ransom price, along with other payment demands.
The ransom note reads as follows:
YOUR PERSONAL FILES ARE ENCRYPTED !
All your important files stored on this computer and attached drives have been encrypted using strong AES-256 + RSA-2048 cryptography algorithms.
Click on [SHOW LOCKED FILES] button to see which files have been encrypted.
The only way to recover your files is to obtain a unique private decryption key stored on our server. There is no other way to decrypt your data without the private key.
To receive the private key, you have to buy Bitcoins and send 0.33 BTC to our address.
You can buy bitcoins on www.localbitcoins.com or use GOOGLE to find out how to buy and send bitcoin in your region.
YOU HAVE 96 HOURS (4 DAYS) TO PAY BEFORE THE DECRYPTION KEY I DESTROYED ON OUR SERVER. AFTER THIS TIME YOUR DATA WILL BE LOST FOREVER!
Dont try to delete me if you want your files back. YOU HAVE BEEN WARNED.
Click on [DECRYPT MY FILES] button if you have already paid.
Decryption process is fully automated.
send 0.33 Bitcoin to this address:
[REDACTED] Check address balance and transaction progress
The note of the Fadesoft ransomware states that your files are encrypted with a combination of military-grade encryption algorithms, AES and RSA. A ransom sum of 0.33 Bitcoins is asked as payment for unlocking your data by the cyber crooks. The equivalent of that sum in US dollars is currently around 322 dollars. You are given 96 hours or four days’ time by the ransom criminals to pay up and unlock your files. You should NOT under any circumstances pay these cybercriminals. Your files may not get restored, and nobody could guarantee you that. Moreover, giving money to these criminals will likely motivate them to create more ransomware or do other criminal activities.
Fadesoft ransomware seeks to encrypt files with a little over 320 different extensions, which you can see in the following list:
→.indl, .gdb, .xls, .odb, .xlt, .cas, .apk, .nsf, .cdr, .wav, .mpg, .xlam, .epk, .dxf, .mcmeta, .wb2, .py, .tex, .pmd, .dwk, .litemod, .mp4, .rm, .kdc, .prel, .nv2, .erf, .x3f, .arj, .rgss3a, .mpa, .xltm, .mdf, .nbf, .qic, .sko, .mov, .mpeg, .accdb, .iwi, .vcxproj, .upk, .4db, .tar, .dwfx, .xml, .saj, .potm, .ofx, .m2, .sum, .qbb, .mpqge, .db0, .sid, .dotm, .vfs0, .slm, .docx, .bc7, .sldm, .zip, .gif, .vdf, .lua, .ps, .3gp, .asf, .vpk, .wps, .snx, .pak, .pfx, .srw, .dbx, .sidn, .txt, .ntl, .gif, .psw, .raf, .gho, .rar, .bak, .doc, .wdb, .php, .swf, .ifx, .sql, .mef, .w3x, .bkf, .pef, .pst, .vcf, .xla, .t13, .fla, .re4, .png, .kf, .flv, .mpd, .mlx, .m3u8, .bc6, .m4u, .odm, .efx, .msg, .xlsx, .tax, .ppj, .rtf, .aep, .ppt, .jpeg, .key, .iff, .3fr, .ff, .pdf, .7zip, .dat, .bsa, .ltx, .bay, .m, .hvpl, .dmp, .aet, .pgp, .max, .docb, .bar, .mddata, .fpx, .big, .class, .der, .ibank, .7z, .jpg, .p12, .bpw, .crw, .odt, .ztmp, .syncdb, .sb, .layout, .idx, .idml, .rw2, .mpp, .xf, .bkp, .aepx, .c, .fsh, .nba, .ppam, .p7c, .ncf, .odp, .kdb, .dcr, .ava, .menu, .qba, .sis, .xlm, .jar, .dtd, .itl, .dxg, .fos, .aaf, .dot, .arw, .cs, .pdd, .as3, .gpg, .map, .ai, .dbf, .desc, .forge, .tor, .mdb, .srf, .xltx, .icxs, .qfx, .fdb, .asp, .vtf, .cfr, .vob, .dotx, .sdf, .crp, .asset, .potx, .sie, .m3u, .sdc, .lbf, .pptm, .bmp, .nrw, .ses, .kdbx, .docm, .3ds, .wotreplay, .tif, .hplg, .aes, .xlw, .csv, .as, .vpp_pc, .psd, .sav, .sldx, .itm, .pps, .wallet, .indb, .hpp, .rwl, .psk, .r3d, .ppsx, .gxk, .inx, .dazip, .arch00, .PAS, .qbo, .hkdb, .pot, .pl, .d3dbsp, .ra, .qbw, .cpp, .iso, .prproj, .pem, .raw, .orf, .plb, .lrf, .ptx, .dng, .indt, .db, .svg, .mrwref, .indd, .esm, .das, .xll, .bik, .xlk, .odc, .obj, .avi, .blob, .t12, .xqx, .wma, .java, .tib, .p7b, .sxc, .pkpass, .h, .accdt, .ksd, .3dm, .qdf, .asx, .dwg, .crt, .ppsm, .backup, .wpd, .wmv, .4dd, .xlsm, .mdbackup, .rb, .jpe, .cer, .mid, .tbl, .pptx, .3g2, .aif, .hkx, .pdb, .ass, .itdb, .xxx, .cr2, .sr2, .rim, .js, .dba, .iwd, .myo, .eml, 
.eps, .ods, .sidd, .mp3, .lvl, .xlsb
Each file that has one of the extensions from the list above will get encrypted. Interestingly enough, there is also a “Whitelist” of directories that are excluded from the encryption process. You can view that list down here:
- Program files
- System volume
- Temporary internet files
The Fadesoft cryptovirus is more than likely to delete the Volume Shadow Copies from the Windows operating system by using the following command:
→vssadmin.exe Delete Shadows /All /Quiet
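Defenders can watch process-creation logs for this command. The detection sketch below is an added example, not part of the original article and not code from the malware; the sample command lines are constructed, and the function names and severity labels are assumptions chosen for illustration.

```python
import re

# Constructed process-creation command lines for illustration; not from a real host.
SAMPLE_EVENTS = [
    r'vssadmin.exe Delete Shadows /All /Quiet',
    r'"C:\Windows\System32\VSSADMIN.EXE" delete shadows /quiet /all',
    r'cmd.exe /c "vssadmin delete shadows /all /quiet"',
    r'vssadmin list shadows',
    r'vssadmin delete shadows /for=C: /oldest',
    r'notepad.exe C:\notes\vssadmin delete shadows.txt',
]

VSSADMIN_NAMES = {"vssadmin", "vssadmin.exe"}


def classify(cmdline):
    """Return 'high', 'medium', 'low' or None for one command line.

    high   = delete shadows with /all and /quiet (the command quoted above)
    medium = delete shadows /all without /quiet (would prompt the user)
    low    = a targeted delete, e.g. /for=C: /oldest (often admin cleanup)
    """
    # Lower-case and strip quotes so casing and quoting do not evade the match.
    tokens = [t.strip("\"'").lower() for t in cmdline.split()]
    for i, tok in enumerate(tokens):
        image = re.split(r"[\\/]", tok)[-1]  # drop any directory prefix
        if image not in VSSADMIN_NAMES:
            continue
        args = tokens[i + 1:]
        if args[:2] != ["delete", "shadows"]:
            continue
        switches = {a for a in args[2:] if a.startswith("/")}
        if "/all" in switches:
            return "high" if "/quiet" in switches else "medium"
        return "low"
    return None


def scan(events):
    """Return (severity, command line) for every event that deletes shadows."""
    hits = [(classify(e), e) for e in events]
    return [(sev, e) for sev, e in hits if sev is not None]


if __name__ == "__main__":
    for severity, event in scan(SAMPLE_EVENTS):
        print(f"{severity:6} {event}")
```

The same matching logic can be applied to command lines exported from whatever process-creation telemetry is available; the read-only `list shadows` call and the file merely named after the command are not flagged.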
Continue reading and check out what ways you could try to potentially restore some of your data.
Remove Fadesoft Ransomware and Restore Your Files
If your computer got infected with the Fadesoft ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible, before it has the chance to spread further and infect other computers. Remove the ransomware by following the step-by-step instructions provided below.