Fortinet FortiGuard Labs recently detected a new iteration of the Phobos ransomware family, known as Faust, in the wild. Specifically, the researchers came across an Office document containing a VBA script designed to distribute the Faust variant. The perpetrators used the Gitea service to store multiple files encoded in Base64, each harboring a malicious binary.
Phobos has evolved into a family of ransomware variants, each bearing unique characteristics and tactics. Phobos infiltrates systems through various vectors, often exploiting vulnerabilities in software or leveraging social engineering techniques. Over time, the ransomware has spawned numerous offshoots, including Faust, Eking, Eight, Elbie, Devos, and 8Base.
The family’s evolution has been marked by continuous adaptations to circumvent cybersecurity defenses. Notably, Phobos garnered attention from security researchers and organizations worldwide, prompting collaborative efforts to understand its intricacies and develop countermeasures. The history of Phobos ransomware unfolds as a cat-and-mouse game between cybercriminals and cybersecurity experts, with each iteration introducing new challenges and necessitating innovative defense strategies.
Faust Ransomware's Devious Tactics: The Gitea Connection and File Encryption
Security researcher Cara Lin, in a technical report, reveals that Faust utilizes the Gitea service to store malicious files encoded in Base64. These files, when injected into a system’s memory, initiate a file encryption attack. This part of the article delves into the technical aspects of Faust’s attack chain, shedding light on its stealthy tactics and potential impact on targeted systems.
Faust joins the ranks of several ransomware variants from the Phobos family, including Eking, Eight, Elbie, Devos, and 8Base. Notably, Faust was previously documented by Cisco Talos in November 2023.
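For defenders, the delivery pattern described above (Base64 text files on a Git hosting service that decode to binaries) can be triaged by checking whether a fetched text file decodes to a Windows PE image. The following is an added example, not code from the Fortinet report or this article; the function names and the sample inputs are constructed for illustration.

```python
import base64
import binascii
import struct

def decode_base64_blob(text):
    """Return decoded bytes if the whole text is valid Base64, else None."""
    compact = "".join(text.split())  # hosted files are often line-wrapped
    if not compact or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None

def looks_like_pe(data):
    """Check the DOS 'MZ' magic and the 'PE\\0\\0' signature it points to."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # An out-of-range offset yields an empty slice, which fails the compare.
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage(text):
    """Classify a text file pulled from a repository or proxy capture."""
    data = decode_base64_blob(text)
    if data is None:
        return "not-base64"
    return "base64-pe" if looks_like_pe(data) else "base64-other"

def _constructed_pe_stub():
    """Constructed, inert header bytes: just enough to carry both signatures."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\x00\x00" + bytes(20)

# Constructed samples; none of these come from the campaign.
SAMPLES = {
    "wrapped_pe.txt": base64.encodebytes(_constructed_pe_stub()).decode(),
    "config.txt": base64.b64encode(b"just a configuration file").decode(),
    "mz_only.txt": base64.b64encode(b"MZ" + bytes(10)).decode(),
    "readme.txt": "# Project notes\nnothing encoded here",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: {triage(body)}")
```

A "base64-pe" result on a file fetched by an Office process is a strong signal to escalate; "base64-other" only means the payload is not a plain PE and still needs inspection.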
Conclusion
Despite the continuous evolution of ransomware threats, there is a notable decline in victims opting to pay. Coveware’s data highlights this trend, indicating a shift in the industry’s response. The conclusion explores possible reasons behind this decline, emphasizing the role of cybersecurity firms in providing guidance to victims and the industry’s overall adaptability in the face of cyber threats.