Fadesoft Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 7
First Seen: February 10, 2017
Last Seen: January 10, 2019
OS(es) Affected: Windows

The Fadesoft Ransomware was first observed on February 9, 2017. It seems to be related to the Erebus 2017 Ransomware, another known ransomware Trojan. These two, like other ransomware threats that keep emerging, share a tactic that allows them to bypass User Account Control (UAC) on the targeted computer, and they communicate with their Command and Control servers using TOR. To bypass UAC, the Fadesoft Ransomware alters the infected computer's Registry to associate certain file types with its own executable, which then causes the infected computer to run the Fadesoft Ransomware without activating UAC. The Fadesoft Ransomware receives its name because the word 'Fadesoft' appears several times in its code.
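The file-association change described above can be hunted for in an export of the per-user class keys. The Python below is an added example, not code from this page or from any vendor tool. It assumes the association is written under HKEY_CURRENT_USER\Software\Classes (the page does not name the key) and treats \Users\ and \ProgramData\ as user-writable locations; the key names, user name and export text are constructed.

```python
import re

# Constructed sample in the text format written by `reg export HKCU\Software\Classes`.
# Key names, user name and file names are invented for illustration.
# Real exports are UTF-16: read them with open(path, encoding="utf-16").
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exampledoc\shell\open\command]
@="\"C:\\Users\\alice\\AppData\\Local\\Fadesoft\\file.exe\" \"%1\""

[HKEY_CURRENT_USER\Software\Classes\examplenote\shell\open\command]
@="\"C:\\Program Files\\Example Editor\\editor.exe\" \"%1\""

[HKEY_CURRENT_USER\Software\Classes\exampletool\shell\open\command]
@="C:\\ProgramData\\Fadesoft\\file.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# Assumption: locations a standard user can write to; tune per environment.
USER_WRITABLE = ("\\users\\", "\\programdata\\")

def handler_executable(command):
    """Return the executable path at the start of an open-command string."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r'(?i)(.+?\.(?:exe|com|scr|bat|cmd))(?:\s|$)', command)
    return m.group(1) if m else command.split(' ', 1)[0]

def suspicious_handlers(reg_text):
    """List (key, exe) for per-user open handlers that run from user-writable paths."""
    findings, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            key = m.group(1)
        elif key and (m := DEFAULT_RE.match(line)):
            if not key.lower().endswith("\\shell\\open\\command"):
                continue
            # .reg files escape backslashes and quotes with a leading backslash
            command = re.sub(r'\\(.)', r'\1', m.group(1))
            exe = handler_executable(command)
            if any(part in exe.lower() for part in USER_WRITABLE):
                findings.append((key, exe))
    return findings
```

Software installed per user also registers handlers under the profile, so the result is a triage list to review against known applications, not a verdict.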

There’s Nothing Soft on the Fadesoft Ransomware Attack

When the Fadesoft Ransomware is installed on the victim's computer, one of the first actions it takes is to install a TOR browser and connect to its Command and Control server through one of the several domains that are included in its code. The Fadesoft Ransomware sends its Command and Control server a unique decryption key, as well as information about the infected computer. Then, like other ransomware Trojans, the Fadesoft Ransomware scans the infected computer's hard drives, searching for files that have certain extensions. The Fadesoft Ransomware has a list of 340 different extensions in its configuration. Whenever it finds a file with one of these extensions, it uses a strong encryption algorithm to encrypt that file. Ransomware Trojans like the Fadesoft Ransomware rely on Windows remaining functional during the attack. Because of this, the Fadesoft Ransomware will skip the following directories while carrying out its encryption operations:

AppData
Cookies
Games
Intel
Nvidia
Pagefile
ProgramData
Recycle.bin
System Volume
Temporary Internet
Windows
Program Files

How the Fadesoft Ransomware Attack Works

The Fadesoft Ransomware uses AES-256 encryption to make the victim's files completely inaccessible. Unlike with other ransomware Trojans, the files that have been encrypted by the Fadesoft Ransomware will not have their names changed. However, the Fadesoft Ransomware will modify the affected files' headers and content. To deliver its ransom note to the victim, the Fadesoft Ransomware opens an HTA program window, which allows the victim to interact with the payment website without the TOR Web browser. The Fadesoft Ransomware's ransom note reads as follows:

'YOUR PERSONAL FILES ARE ENCRYPTED
All your important files stored on this computer and attached drives have been encrypted using strong AES-256 + RSA-2048 cryptography algorithms.
Click on [SHOW LOCKED FILES] button to see which files have been encrypted. The only way to recover your files is to obtain a unique private decryption key stored on our server. There is no other way to decrypt your data without the private key.
To receive the private key, you have to buy Bitcoins and send 0.33 BTC to our address. You can buy bitcoins on or use GOOGLE to find out how to buy and send bitcoin in your region.
YOU HAVE 96 HOURS (4 DAYS) TO PAY BEFORE THE DECRYPTION KEY IS DESTROYED ON OUR SERVER. AFTER THIS TIME YOUR DATA WILL BE LOST FOREVER!
Dont try to delete me if you want your files back. YOU HAVE BEEN WARNED.
Click on [DECRYPT MY FILES] button if you have already paid. Decryption process is fully automated.
send 0.33 BTC to this address: [34 RANDOM CHARACTERS]'

Dealing with the Fadesoft Ransomware

The Fadesoft Ransomware's ransom amount is equivalent to approximately $325 USD. PC security researchers strongly advise against paying the ransom, since this allows con artists to continue creating threats like the Fadesoft Ransomware and does not guarantee restored access to the infected files. PC security analysts recommend taking precautionary measures to ensure that your computer is protected against the Fadesoft Ransomware and other ransomware Trojans. The best precaution computer users can take against the Fadesoft Ransomware and similar threats is to have backups of all files on an external memory device or the cloud. This will make you completely invulnerable to attacks like the Fadesoft Ransomware. The use of a reliable security application that is fully up-to-date is also essential.

File System Details

Fadesoft Ransomware may create the following file(s):
#    File Name    MD5                                 Detections
1.   file.exe     956ca97632c94f0e4f618501f42c7590    0
2.   file.exe     4dde80332568b82241d60217234859fb    0

Directories

Fadesoft Ransomware may create the following directory or directories:

%ALLUSERSPROFILE%\Fadesoft
%LOCALAPPDATA%\Fadesoft
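
The file and directory indicators listed above can be checked on a host with a short sweep. This Python is an added example, not part of the original page or any vendor tool. It uses only the two MD5 values and two directory names given on this page, and the function and variable names are illustrative.

```python
import hashlib
import os
from pathlib import Path

# Indicators copied from this page's file and directory lists.
KNOWN_MD5 = {"956ca97632c94f0e4f618501f42c7590", "4dde80332568b82241d60217234859fb"}
IOC_DIRS = [("ALLUSERSPROFILE", "Fadesoft"), ("LOCALAPPDATA", "Fadesoft")]

def md5_of(path, chunk=1 << 20):
    """Hash a file in chunks. MD5 is used only because the page publishes MD5 values."""
    h = hashlib.md5(usedforsecurity=False)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def sweep(env=os.environ, known_md5=KNOWN_MD5):
    """Return (kind, path) findings for the profile described by `env`."""
    findings = []
    for var, leaf in IOC_DIRS:
        base = env.get(var)
        if not base:              # variable unset (e.g. not Windows): nothing to check
            continue
        target = Path(base) / leaf
        if not target.is_dir():
            continue
        findings.append(("directory", str(target)))
        for item in sorted(target.rglob("*")):
            try:
                if item.is_file() and md5_of(item) in known_md5:
                    findings.append(("known-md5", str(item)))
            except OSError:       # locked or unreadable file: report it, keep going
                findings.append(("unreadable", str(item)))
    return findings

if __name__ == "__main__":
    for kind, path in sweep():
        print(f"{kind}\t{path}")
```

%LOCALAPPDATA% resolves per user, so run the sweep in each user's context or pass each profile's paths in through `env`.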
