Invisible Cyber-Fingerings: Extortionist Faust Targets Excel

Cybersecurity researchers have discovered a new variant of the Phobos ransomware known as Faust. This latest iteration of the malware was reported by Fortinet.

Faust is the most recent addition to a series of Phobos variants, which include Eking, Eight, Elbie, Devos, and 8Base. Cisco Talos had already documented Faust back in November 2023. The malware has been active since 2022 and does not target specific industries or regions.

The attack begins with a malicious Microsoft Excel add-in document (.xlam) that contains an embedded VBA script. These attacks use the Gitea service to store Base64-encoded files, each of which contains a malicious binary file.

The executable file is discreetly extracted under the guise of an AVG Antivirus update (“AVG updater.exe”). This file then uploads and executes another executable file named “Smartscreen Defender Windows.exe,” which initiates the encryption process.
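A triage check for the two delivery artifacts described above, written as an added example and not taken from the Fortinet report: it flags an OOXML add-in that carries a VBA project part, and text that is Base64 decoding to a Windows PE image. The function names and the sample inputs are constructed for illustration.

```python
import base64, binascii, io, struct, zipfile

def has_vba_project(doc: bytes) -> bool:
    """True if an OOXML file (.xlam, .xlsm) contains a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(doc)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False  # not an OOXML container at all

def base64_hides_pe(text: str) -> bool:
    """True if text is valid Base64 whose decoded bytes form a PE image."""
    try:
        raw = base64.b64decode("".join(text.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < 0x40 or raw[:2] != b"MZ":
        return False
    # e_lfanew at offset 0x3C points to the "PE\0\0" signature
    (e_lfanew,) = struct.unpack_from("<I", raw, 0x3C)
    return raw[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def sample_xlam(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip laid out like an Excel add-in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()

def sample_pe_stub() -> bytes:
    """Constructed sample: 64-byte DOS header followed by a PE signature."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0"

if __name__ == "__main__":
    print("add-in with macro :", has_vba_project(sample_xlam(True)))
    print("add-in, no macro  :", has_vba_project(sample_xlam(False)))
    blob = base64.b64encode(sample_pe_stub()).decode()
    print("Base64 hides PE   :", base64_hides_pe(blob))
    print("Base64 plain text :", base64_hides_pe("aGVsbG8gd29ybGQ="))
```

A VBA project in an add-in is not malicious by itself, so the first check is a reason to inspect the macro, not a verdict.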

Faust is capable of maintaining persistence on the system and creates multiple threads for efficient data encryption.

Among the other identified threats are new ransomware families, such as Albabat (or White Bat), Kasseika, Kuiper, Mimus, and Noname.

Kuiper, as detailed by Trellix, is attributed to the attacker known under the pseudonym “Robinhood,” who began advertising on malicious forums in September 2023.

Noname stands out because its leak site imitates the site of the LockBit group, suggesting a possible connection or the use of their extensive databases.

In a report by French company Intrinsec, it is noted that there are similarities between the new malicious program 3am and the Royal/Blacksuit ransomware, which emerged shortly after the disbandment of the Conti cybercriminal syndicate in May 2022.

Additionally, researchers have identified a resurgence in attackers using TeamViewer to gain initial access to their targets.

Despite the ever-changing nature of the ransomware ecosystem, there are indications that more victims are refusing to pay the ransom. The percentage of victims who agreed to payment decreased to 29% in the fourth quarter of 2023, compared to 41% and 34% in previous quarters. The average ransom amount during this period also dropped by 33%, from $850,700 to $568,705.
