Faust Ransomware - Invisible cyberbullying right in your Excel

Brother

The malware makes itself at home in other people's networks and does not spare victims' data.

Cybersecurity researchers have discovered a new variant of the Phobos ransomware family, called Faust. A report on the latest iteration of the virus was published by FortiGuard Labs researchers from Fortinet.

The Faust variant is the latest in a series of Phobos variants that includes Eking, Eight, Elbie, Devos, and 8Base. Faust had already been documented by Cisco Talos in November 2023. The virus is reported to have been active since 2022 and does not target specific industries or regions.

The attack starts with an infected Microsoft Excel document in the ".XLAM" format with an embedded VBA script. The attackers used the Gitea service to host Base64-encoded files, each of which contains a malicious binary.

In parallel, an executable file disguised as an AVG AntiVirus update ("AVG updater.exe") is deployed. This file, in turn, loads and runs another executable, "SmartScreen Defender Windows.exe", which starts the encryption process.

Faust is able to maintain a constant presence in the environment and creates multiple threads at once for efficient data encryption.
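As an added defender's triage example (not code from the FortiGuard report or from this post): a small Python helper that checks whether a text blob fetched from a repository, like the Gitea-hosted files described above, carries a Base64-encoded Windows executable, and whether an Office add-in file contains a VBA project. All sample data below is constructed.

```python
# Added example: triage helpers for the two artefacts described in the post.
# Sample data is constructed; the fake PE header is not a real executable.
import base64
import io
import re
import struct
import zipfile

# Long runs of Base64 characters, optionally padded.
B64_RE = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def is_pe_image(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def base64_payloads_that_are_pe(text: bytes) -> list[int]:
    """Return byte offsets of Base64 runs in text that decode to a PE image."""
    hits = []
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        if is_pe_image(decoded):
            hits.append(m.start())
    return hits

def office_file_has_vba(blob: bytes) -> bool:
    """XLAM/XLSM files are OOXML zips; a VBA project is stored at xl/vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

# Constructed sample: a minimal fake PE header, Base64-encoded and wrapped in filler text.
_fake_pe = bytearray(0x100)
_fake_pe[:2] = b"MZ"
struct.pack_into("<I", _fake_pe, 0x3C, 0x80)
_fake_pe[0x80:0x84] = b"PE\x00\x00"
SAMPLE_TEXT = b"readme\n" + base64.b64encode(bytes(_fake_pe)) + b"\nend\n"

# Constructed sample OOXML container that carries a VBA project entry.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as z:
    z.writestr("[Content_Types].xml", "<Types/>")
    z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0")
SAMPLE_XLAM = _buf.getvalue()
```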

Other threats identified include new ransomware families such as Albabat (or White Bat), Kasseika, Kuiper, Mimus, and NONAME.

Kuiper, studied in detail by Trellix, is attributed to an attacker under the pseudonym "RobinHood", who began advertising the malware on underground forums in September 2023.

NONAME is notable for the fact that its data leak site mimics the site of the LockBit group, which may indicate a connection with LockBit or the use of their leaked databases.

A report by the French company Intrinsec notes a link between the new 3AM malware and the Royal/BlackSuit ransomware, which appeared shortly after the dissolution of the Conti cybercrime syndicate in May 2022.

In addition, researchers have identified a trend that attackers are once again using TeamViewer to gain initial access to target environments.

Despite the volatile nature of the ransomware ecosystem, there are signs that victims are increasingly refusing to pay. The percentage of victims who agreed to pay fell to 29% in Q4 2023, compared to 41% and 34% in the previous quarters. The average ransom payment over the same period also decreased by 33% — from $850,700 to $568,705.