Fadesoft Ransomware
Threat Scorecard
Threat Level: 100 % (High)
Infected Computers: 7
First Seen: February 10, 2017
Last Seen: January 10, 2019
OS(es) Affected: Windows
The Fadesoft Ransomware was first observed on February 9, 2017. It appears to be related to the Erebus 2017 Ransomware, another known ransomware Trojan. These two threats, and other emerging ransomware threats, share a tactic that allows them to bypass User Account Control (UAC) on the targeted computer, and they communicate with their Command and Control servers using TOR. To bypass UAC, the Fadesoft Ransomware alters the infected computer's Registry to associate certain file types with its own executable, which then causes the infected computer to run the Fadesoft Ransomware without triggering UAC. The Fadesoft Ransomware receives its name because the word 'Fadesoft' appears several times in its code.
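As an added example (not code from this page's authors or from the malware), the Python below shows how a defender could hunt for this kind of file-association change in registry telemetry. It assumes events carry the Sysmon Event ID 13 fields TargetObject and Details, that the altered associations are per-user handler keys, and that a handler pointing into a user-writable path is suspicious; the sample events are constructed.

```python
import re

# Per-user handler key <Classes>\<type>\shell\<verb>\command; Sysmon shows the
# per-user Classes hive as HKU\<SID>_Classes. HKLM is deliberately not matched.
HANDLER_KEY = re.compile(
    r"^(?:HKCU\\Software\\Classes|HKU\\S-1-5-21-[0-9-]+(?:_Classes|\\Software\\Classes))"
    r"\\(?P<ftype>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command\b", re.I)
# Executable of a handler command line: quoted path, bare path ending in an
# executable extension (may contain spaces), or simply the first word.
EXE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|scr))(?=\s|$)|(\S+))', re.I)
# Heuristic (assumption): locations a standard user can write to.
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\")

def exe_path(command):
    m = EXE.match(command or "")
    return next(g for g in m.groups() if g).lower() if m else ""

def triage(events):
    """Return (level, file type, executable) for suspicious handler writes."""
    findings = []
    for ev in events:
        key = HANDLER_KEY.match(ev["TargetObject"])
        if not key:
            continue
        exe = exe_path(ev["Details"])
        if "\\fadesoft\\" in exe:      # directory name listed on this page
            level = "high"
        elif any(part in exe for part in USER_WRITABLE):
            level = "medium"
        else:
            continue
        findings.append((level, key.group("ftype"), exe))
    return findings

# Constructed sample events (field names follow Sysmon Event ID 13).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"TargetObject": "HKU\\" + SID + r"_Classes\examplefile\shell\open\command\(Default)",
     "Details": r'"C:\ProgramData\Fadesoft\file.exe" "%1"'},
    {"TargetObject": "HKU\\" + SID + r"_Classes\txtfile\shell\open\command\(Default)",
     "Details": r"C:\Users\Jane Doe\AppData\Local\Temp\viewer.exe %1"},
    {"TargetObject": "HKU\\" + SID + r"_Classes\pdffile\shell\open\command\(Default)",
     "Details": r'"C:\Program Files\Reader\reader.exe" "%1"'},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\txtfile\shell\open\command\(Default)",
     "Details": r"%SystemRoot%\system32\NOTEPAD.EXE %1"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```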
There’s Nothing Soft on the Fadesoft Ransomware Attack
When the Fadesoft Ransomware is installed on the victim's computer, one of the first actions it takes is to install a TOR browser and use it to connect to its Command and Control server through one of the several domains that are included in its code. The Fadesoft Ransomware then sends its Command and Control server a unique decryption key, as well as information about the infected computer. After that, like other ransomware Trojans, the Fadesoft Ransomware scans the infected computer's hard drives, searching for files that have certain extensions. The Fadesoft Ransomware has a list of 340 different extensions in its configuration. Whenever it finds a file with one of these extensions, it uses a strong encryption algorithm to encrypt that file. Ransomware Trojans like the Fadesoft Ransomware rely on Windows remaining functional during the attack. Because of this, the Fadesoft Ransomware skips the following directories while carrying out its encryption operations:
AppData
Cookies
Games
Intel
Nvidia
Pagefile
ProgramData
Recycle.bin
System Volume
Temporary Internet
Windows
Program Files
How the Fadesoft Ransomware Attack Works
The Fadesoft Ransomware uses AES-256 encryption to make the victim's files completely inaccessible. Unlike with other ransomware Trojans, the files encrypted by the Fadesoft Ransomware do not have their names changed. However, the Fadesoft Ransomware does modify the affected files' headers and content. To deliver its ransom note to the victim, the Fadesoft Ransomware opens an HTA program window, which allows the victim to interact with the payment website without the TOR Web browser. The Fadesoft Ransomware's ransom note reads as follows:
'YOUR PERSONAL FILES ARE ENCRYPTED
All your important files stored on this computer and attached drives have been encrypted using strong AES-256 + RSA-2048 cryptography algorithms.
Click on [SHOW LOCKED FILES] button to see which files have been encrypted. The only way to recover your files is to obtain a unique private decryption key stored on our server. There is no other way to decrypt your data without the private key.
To receive the private key, you have to buy Bitcoins and send 0.33 BTC to our address. You can buy bitcoins on or use GOOGLE to find out how to buy and send bitcoin in your region.
YOU HAVE 96 HOURS (4 DAYS) TO PAY BEFORE THE DECRYPTION KEY IS DESTROYED ON OUR SERVER. AFTER THIS TIME YOUR DATA WILL BE LOST FOREVER!
Dont try to delete me if you want your files back. YOU HAVE BEEN WARNED.
Click on [DECRYPT MY FILES] button if you have already paid. Decryption process is fully automated.
send 0.33 BTC to this address: [34 RANDOM CHARACTERS]'
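Because the encrypted files keep their names while their headers are modified, affected files can be located by comparing each file's first bytes with the signature its extension implies. The following Python is an added example, not part of the original page; the signature table is a small set of well-known format signatures chosen for illustration, not the ransomware's own extension list.

```python
import os
import sys

# Leading signatures of a few common formats (illustrative subset, an
# assumption of this example).
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
}

def header_mismatches(root):
    """Return sorted paths under root whose header does not fit the extension."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            sigs = MAGIC.get(os.path.splitext(name)[1].lower())
            if not sigs:
                continue  # no known signature for this extension: cannot judge
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(16)
            except OSError:
                continue  # locked or unreadable file
            # Zero-byte files carry no evidence either way, so they are skipped.
            if head and not head.startswith(sigs):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    for path in header_mismatches(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(path)
```

A mismatch is a triage signal rather than proof of encryption, since truncated or mislabelled files trigger it too.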
Dealing with the Fadesoft Ransomware
The Fadesoft Ransomware's ransom amount is equivalent to approximately $325 USD. PC security researchers strongly advise against paying the ransom, since doing so allows con artists to continue creating threats like the Fadesoft Ransomware and does not guarantee restored access to the infected files. PC security analysts recommend taking precautionary measures to ensure that your computer is protected against the Fadesoft Ransomware and other ransomware Trojans. The best precaution computer users can take against the Fadesoft Ransomware and similar threats is to keep backups of all files on an external memory device or in the cloud. This will make you completely invulnerable to attacks like the Fadesoft Ransomware. The use of a reliable security application that is fully up-to-date is also essential.
File System Details
# | File Name | MD5 | Detections
---|---|---|---
1. | file.exe | 956ca97632c94f0e4f618501f42c7590 | 0
2. | file.exe | 4dde80332568b82241d60217234859fb | 0
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Directories
Fadesoft Ransomware may create the following directory or directories:
%ALLUSERSPROFILE%\Fadesoft
%LOCALAPPDATA%\Fadesoft
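To check a host for the directories and MD5 values listed above, the added Python example below (not EnigmaSoft's or SpyHunter's code) looks in the all-users location and in every user profile rather than only the current user's. The default paths C:\ProgramData and C:\Users and the AppData\Local profile layout are assumptions.

```python
import hashlib
import os

# Values taken from this page's "File System Details" and "Directories" lists.
IOC_MD5 = {"956ca97632c94f0e4f618501f42c7590",
           "4dde80332568b82241d60217234859fb"}
IOC_DIRNAME = "Fadesoft"

def candidate_dirs(all_users_profile, users_root):
    """The all-users Fadesoft directory plus the per-profile one for each user."""
    dirs = [os.path.join(all_users_profile, IOC_DIRNAME)]
    try:
        profiles = sorted(os.listdir(users_root))
    except OSError:
        profiles = []  # users root missing or not readable
    for user in profiles:
        dirs.append(os.path.join(users_root, user, "AppData", "Local", IOC_DIRNAME))
    return dirs

def md5_file(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sweep(all_users_profile, users_root, known_md5=IOC_MD5):
    """Return (existing IoC directories, files inside them with a known MD5)."""
    present, hash_hits = [], []
    for d in candidate_dirs(all_users_profile, users_root):
        if not os.path.isdir(d):
            continue
        present.append(d)
        for dirpath, _dirs, files in os.walk(d):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if md5_file(path) in known_md5:
                        hash_hits.append(path)
                except OSError:
                    pass  # locked or unreadable file
    return present, hash_hits

if __name__ == "__main__":
    print(sweep(os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData"), r"C:\Users"))
```

An existing directory with no hash match still warrants investigation, because the two MD5 values identify only the specific samples listed on this page.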