Cybersecurity researchers have discovered a new variant of the Phobos ransomware family, named Faust. Fortinet FortiGuard Labs revealed that Faust spreads through a Microsoft Excel document (.XLAM) with a VBA script, using the Gitea service for storing malicious files.
This variant, part of the Phobos family which includes Eking, Eight, Elbie, Devos, and 8Base, initiates a file encryption attack by injecting files into the system’s memory. Faust operates by using a deceptive document that downloads encoded data and a disguised executable, simulating an AVG AntiVirus updater.
This binary then downloads another executable, “SmartScreen Defender Windows.exe,” to begin the encryption process. The ransomware is noted for its persistence and efficient execution through multiple threads. The report also highlights other emerging ransomware families like Albabat (White Bat), Kasseika, Kuiper, Mimus, and NONAME. Kuiper, attributed to a group named RobinHood, is notable for its use of the Golang programming language, offering cross-platform capabilities and efficient execution.
NONAME’s data leak site imitates the LockBit group, suggesting possible connections or shared resources. Further, ransomware threats have evolved to use various tactics for infiltration, such as TeamViewer for initial access and Microsoft Word files as resumes.
The increase in ransomware activity follows the shutdown of the Conti cybercrime syndicate, with new groups like 3AM (ThreeAM) showing significant overlap with former Conti-Ryuk-TrickBot operations. This evolution underscores the ongoing adaptability and threat posed by ransomware actors in the cybersecurity landscape.