The malware threat tracked as the Faust Ransomware is designed specifically to prevent victims from accessing their own data. The threat targets most of the file types stored on the computers it infects and locks them using a military-grade cryptographic algorithm. The impacted documents, photos, images, archives, databases, and many other files become inaccessible and completely unusable. The operators of the Faust Ransomware then extort the affected users or organizations for money in exchange for a promised decryptor tool.
All encrypted files will have drastically modified names: each one has an ID string, an email address, and a new file extension attached to its original name. The ID string is unique for each victim, the email address used by the threat is 'firstname.lastname@example.org', and the new file extension is '.faust'. Two ransom notes are delivered to the breached devices: one shown as a pop-up window created from an 'info.hta' file and one contained in a text file named 'info.txt'.
The instructions delivered in the text file are extremely brief and lack many important details. They simply instruct victims to contact the attackers by messaging either 'email@example.com' or 'firstname.lastname@example.org'. The pop-up window displays the main ransom note. It states that victims must pay the ransom in Bitcoin. Victims are also apparently allowed to send up to 5 files to be decrypted for free. However, according to the ransom note, the chosen files must be less than 4MB in total size and must not contain any important data.
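The renaming scheme and note file names described above can be turned into a simple triage check over a file listing. The following Python sketch is an added example, not code from the original page; it assumes only what the page states (the '.faust' extension, an email address embedded in the name, and the 'info.hta' / 'info.txt' notes), and the sample paths, ID layout and address are constructed placeholders.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

FAUST_EXT = ".faust"                   # extension named on this page
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom-note file names named on this page
# Loose e-mail matcher; the delimiters around the ID and address are NOT assumed.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

def classify(path):
    """Return 'note', 'encrypted', 'ext_only' or None for one file path."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    if lower in NOTE_NAMES:
        return "note"
    if lower.endswith(FAUST_EXT):
        stem = name[:-len(FAUST_EXT)]
        # Extension plus an embedded address matches the described rename.
        return "encrypted" if EMAIL_RE.search(stem) else "ext_only"
    return None

def triage(paths):
    """Map each directory (lower-cased) to 'high', 'medium' or 'low'."""
    seen = defaultdict(lambda: {"note": 0, "encrypted": 0, "ext_only": 0})
    for p in paths:
        kind = classify(p)
        if kind:
            seen[str(PureWindowsPath(p).parent).lower()][kind] += 1
    report = {}
    for folder, n in seen.items():
        if n["encrypted"] and n["note"]:
            report[folder] = "high"      # renamed files next to a ransom note
        elif n["encrypted"]:
            report[folder] = "medium"    # renamed files, note missing or removed
        elif n["ext_only"]:
            report[folder] = "low"       # bare .faust name, possibly unrelated
        # A lone info.txt is a common file name and is not reported.
    return report

# Constructed sample listing; the ID layout and address are placeholders.
SAMPLE = [
    r"C:\Users\a\Docs\budget.xlsx.ID-CONSTRUCTED.contact@example.invalid.faust",
    r"C:\Users\a\Docs\info.hta",
    r"C:\Users\a\Docs\info.txt",
    r"C:\Users\a\Pics\cat.jpg.ID-CONSTRUCTED.contact@example.invalid.faust",
    r"C:\Games\mod\level1.faust",
    r"C:\Tools\readme\info.txt",
]
```

Feed `triage()` a recursive listing from a file server or backup index; folders rated "high" are the ones where both the rename pattern and a ransom note are present.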
The full ransom note of the Faust Ransomware is:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message -
In case of no answer in 24 hours write us to this e-mail:firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The message dropped as a text file is:
'!!!All of your files are encrypted!!!
To decrypt them send e-mail to this address: email@example.com.
If we don't answer in 24h., send e-mail to this address: firstname.lastname@example.org'