factfull

[Content by Gemini 2.5]

Ransomware Report – “FACTFULL”

(a.k.a. files that suddenly show the double extension .factfull, e.g. Annual_Report.xlsx.factfull)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Exact extension added: .factfull (lower-case, always the same string, no victim ID or e-mail address appended).
  • Renaming convention:
    – Appended directly to the original name and extension → picture.jpg.factfull, VM-Backup.bkf.factfull.
    – Leaves the first 2–4 bytes of the file untouched, so the file magic remains valid – a quick xxd file.jpg.factfull | head -n 1 still shows ff d8 ff for a JPEG, etc. This only tells you the original type; the rest of the body is encrypted, so an intact header is not a sign that the content is recoverable.
    – Each folder receives one plain-text ransom note, HOW_TO_RECOVER_FILES.txt; no desktop wallpaper change, no HTML note, no share-level note.
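The renaming and header behaviour above, as a small triage script added here (not code from the original report or from the malware operators): it walks a tree, recovers the original name and extension of every *.factfull file, checks whether the original file magic is still present, and measures the entropy of the body so you can tell an intact header from recoverable content. The sample tree, its file names and the small magic table are constructed for the example.

```python
"""Added triage helper (not part of the original report): find *.factfull files,
recover the original name, check the file magic and measure body entropy.
Sample files are constructed in a temp directory so the script runs offline."""
import math
import os
import tempfile
from collections import Counter

RANSOM_EXT = ".factfull"

# Leading bytes for a few common original extensions (assumed subset for the demo).
MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".xlsx": b"PK\x03\x04",
    ".zip": b"PK\x03\x04",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: office/text files sit well below 7, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """'report.xlsx.factfull' -> ('report.xlsx', '.xlsx'); None if not a victim file."""
    base = os.path.basename(name)
    if not base.lower().endswith(RANSOM_EXT):
        return None
    original = base[: -len(RANSOM_EXT)]
    return original, os.path.splitext(original)[1].lower()


def triage_file(path: str) -> dict:
    """Recover the original name, test the magic and compute the body entropy."""
    original, ext = split_name(path)
    with open(path, "rb") as fh:
        body = fh.read()
    magic = MAGIC.get(ext)
    return {
        "path": path,
        "original_name": original,
        "magic_known": magic is not None,
        "magic_intact": bool(magic) and body.startswith(magic),
        "entropy": round(shannon_entropy(body), 2),
    }


def triage_tree(root: str) -> list:
    """Return one triage record per *.factfull file below root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if split_name(name):
                hits.append(triage_file(os.path.join(dirpath, name)))
    return hits


def build_sample_tree() -> str:
    """Constructed sample: a 'JPEG' whose header survived with a random body,
    a pseudo-encrypted xlsx whose header was clobbered, and the ransom note."""
    root = tempfile.mkdtemp(prefix="factfull_")
    with open(os.path.join(root, "holiday.jpg.factfull"), "wb") as fh:
        fh.write(MAGIC[".jpg"] + os.urandom(4096))
    with open(os.path.join(root, "budget.xlsx.factfull"), "wb") as fh:
        fh.write(os.urandom(4096))          # header NOT preserved in this case
    with open(os.path.join(root, "HOW_TO_RECOVER_FILES.txt"), "w") as fh:
        fh.write("your files are encrypted\n")
    return root


if __name__ == "__main__":
    for hit in triage_tree(build_sample_tree()):
        print(hit)
```

Run it against a mounted copy of a victim share rather than the live host; the entropy column is the useful one, because a file with a valid header but entropy near 8 is still fully encrypted.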

2. Detection & Outbreak Timeline

  • First submissions to ID-Ransomware / VirusTotal: 15 Aug 2021 (UTC) – Russia, Ukraine, then Turkey.
  • Peak activity: September-October 2021.
  • Still sporadically seen through 2022 (usually re-deployment of the same builder binary).
  • Detection names (snapshot):
    – Trojan-Ransom.Win32.Shade.* (Kaspersky)
    – Ransom:Win32/Tibs.DE (Microsoft)
    – Ransom.FACTFULL (Malwarebytes)

3. Primary Attack Vectors

  1. Phishing with ISO / IMG attachments – the e-mail poses as a “Copier Invoice”. Inside the ISO: a .WSF or .LNK that fetches a COVID-named DLL via Puush or the Discord CDN.
  2. Exploitation of internet-facing RDP with weak / reused credentials – scans TCP/3389, 135, 445; uses rdpwrap to allow concurrent RDP sessions and Mimikatz to harvest credentials for escalation.
  3. EternalBlue (MS17-010) still works – the dropper carries both an x86 and an x64 SMB exploit plus the DoublePulsar shellcode to push the factfull.exe payload.
  4. Software bugs leveraged in the wild:
    – CVE-2021-34527 (PrintNightmare) to obtain SYSTEM before file encryption starts.
    – Citrix ADC gateways still unpatched against CVE-2019-19781 in some victim orgs, used as the beachhead.

After foothold:

  • Living-off-the-land (typically the built-in net stop / sc / vssadmin commands) to stop SQL Server, Veeam, Acronis and MBAMService and to delete Volume Shadow Copies.
  • Exfiltration of customer folders via MEGAsync or rclone to back a “double-extortion” threat (most cases leaked on the “FACTLEAKS” .onion blog).

REMEDIATION & RECOVERY STRATEGIES

1. PREVENTION – harden before it hits

☑ Patch: MS17-010, CVE-2021-34527, CVE-2019-19781, latest Windows cumulative update.
☑ Kill SMBv1 / block 445 at the perimeter; restrict RDP via VPN + MFA.
☑ Use LAPS for local admin passwords; change any “Password123” you still have on service accounts.
☑ Application whitelisting (WDAC / AppLocker) – deny execution from user-writable paths such as %AppData% and %ProgramData% (the latter is where this strain parks factfull.exe).
☑ Disable Office macros from the Internet; block ISO, IMG and script (VBS / WSF) attachments at the mail gateway.
☑ Backup 3-2-1 rule: 3 copies, 2 media, 1 off-line (cloud with IMMUTABILITY or tape). Include AD/GPO state.

2. REMOVAL – step-by-step

  1. Identify patient zero:
  • Review Event IDs 4624/4625 on the DC – look for external source IPs, logon type 10 (RDP) and logons at odd hours.
  • wevtutil qe Security /q:"*[System[EventID=4688]]" /rd:true /f:text | findstr /i "factfull.exe" – the Date: line above each hit gives the time. A 4688 exists only if Audit Process Creation was enabled before the incident, and do not grep the date and the process name in one findstr pipe: they sit on different lines of the text output.
  2. Physically isolate (pull LAN or shut the VM NIC).
  3. Boot from an up-to-date AV rescue disk/USB (Kaspersky Rescue Disk, Microsoft Defender Offline); if that is not possible, Safe Mode with Networking plus a freshly updated engine.
  4. Manually delete persistence:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FctServ
  • %ProgramData%\factfull\factfull.exe
  • Scheduled Task \Microsoft\Windows\Application Experience\FactSyn
  5. Clean the residual PrintNightmare package cache (C:\Windows\System32\spool\drivers\x64\3\Old\*) – otherwise there is a reinfection risk at the next driver install.
  6. Reboot normally and confirm the host is clean before reconnecting any NAS/SAN volume or mapped share, so that a missed component cannot encrypt your backup target.
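The patient-zero step above, worked as an added example (not code from the original report): a Python triage over an exported Security log that flags password-spray bursts (4625), interactive RDP logons from outside the RFC1918 ranges (4624 with logon type 10) and 4688 process-creation events for the report's suspect binaries, then returns the earliest suspicious timestamp. It assumes the events were exported to CSV with the column names used below (for example via Get-WinEvent | Export-Csv with the fields mapped); the export itself is constructed, and the 4688 rows only exist if process-creation auditing was on.

```python
"""Added patient-zero triage (not code from the original report).
Assumption: Security events 4624/4625/4688 were exported to CSV with the
columns TimeCreated,EventID,LogonType,IpAddress,User,Process."""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. 203.0.113.77 is a documentation-range address
# standing in for an external attacker IP.
SAMPLE_CSV = """TimeCreated,EventID,LogonType,IpAddress,User,Process
2021-09-14T21:58:01,4625,3,203.0.113.77,administrator,
2021-09-14T21:58:03,4625,3,203.0.113.77,admin,
2021-09-14T21:58:04,4625,3,203.0.113.77,backup,
2021-09-14T21:58:06,4625,3,203.0.113.77,svc_veeam,
2021-09-14T21:58:09,4624,10,203.0.113.77,svc_veeam,
2021-09-14T22:03:41,4624,2,-,jdoe,
2021-09-14T22:10:15,4688,,,svc_veeam,C:\\ProgramData\\factfull\\factfull.exe
2021-09-14T22:10:16,4688,,,svc_veeam,C:\\Windows\\System32\\vssadmin.exe
2021-09-14T22:15:00,4624,10,10.20.30.40,helpdesk,
"""

FAIL_THRESHOLD = 3                     # failed logons from one IP ...
FAIL_WINDOW = timedelta(minutes=5)     # ... within this window = brute force
SUSPECT_BINARIES = ("factfull.exe", "vssadmin.exe")   # from the report's IOCs
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True for addresses outside RFC1918/loopback; '-' or blank -> False."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL)


def parse_events(text: str) -> list:
    """Parse the CSV export into dicts with a datetime 'ts', oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["TimeCreated"])
        row["EventID"] = int(row["EventID"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def triage(text: str) -> dict:
    """Flag brute-force sources, external RDP logons and suspect 4688 events."""
    findings = {"bruteforce_sources": [], "external_rdp_logons": [],
                "suspect_processes": [], "first_suspicious": None}
    failures = defaultdict(list)
    for ev in parse_events(text):
        eid, ip = ev["EventID"], ev["IpAddress"]
        if eid == 4625:
            # sliding window: keep only the failures inside FAIL_WINDOW
            failures[ip] = [t for t in failures[ip] if ev["ts"] - t <= FAIL_WINDOW]
            failures[ip].append(ev["ts"])
            if len(failures[ip]) >= FAIL_THRESHOLD and ip not in findings["bruteforce_sources"]:
                findings["bruteforce_sources"].append(ip)
        elif eid == 4624 and ev["LogonType"] == "10" and is_external(ip):
            findings["external_rdp_logons"].append((ev["ts"], ev["User"], ip))
        elif eid == 4688 and ev["Process"].lower().endswith(SUSPECT_BINARIES):
            findings["suspect_processes"].append((ev["ts"], ev["User"], ev["Process"]))
    stamps = [x[0] for x in findings["external_rdp_logons"] + findings["suspect_processes"]]
    if stamps:
        findings["first_suspicious"] = min(stamps)
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(key, value)
```

The first suspicious timestamp is where to start pulling RDP, VPN and firewall logs; the account in that 4624 (here the Veeam service account that was just brute-forced) is the one to disable and re-key first.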

Want extra certainty? Restore critical hosts from a known-good image or rebuild them; data comes back from backup (see 3).

3. FILE DECRYPTION & RECOVERY – the facts

  • FACTFULL is based on the publicly leaked “TibS/Shade v3” builder → uses Curve25519 + AES-256 in CBC mode with a random IV per file.
  • NO flaw discovered so far; brute force is computationally infeasible.
  • Free decryptor? None officially released by law enforcement or vendors, because the criminals still hold the private keys.
  • Branded “guaranteed-decrypt” vendors normally just negotiate and pay the ransom on your behalf – avoid that path.
    ➔ Therefore, decryption is ONLY possible:
    a) from your own, clean & offline backups, or
    b) from a Shadow Copy / Data Protection Manager snapshot (if not wiped), e.g.:
       vssadmin list shadows
       mklink /d C:\shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy{N}\
       (replace {N} with the copy number from the list; the trailing backslash is required) → copy the data out of C:\shadow.

USEFUL TOOLS / PATCHES TO HAVE READY

  • Kaspersky ShadeDecryptor (works on older Shade samples whose keys were published, but not on .factfull) – keep it, it may be updated.
  • CISA “StopRansomware” playbook, and the PowerShell one-liner to disable SMBv1: Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol (add -NoRestart if you want to schedule the reboot).
  • Microsoft’s PrintNightmare out-of-band patch (July–September 2021 rollups) – install KB5005033 or newer.
  • “RDP-Blocker” GPO template (free from SANS) to lock accounts out after 3 failed RDP attempts.

4. OTHER CRITICAL INFORMATION

  • Dual personality: Factfull behaves like “big-game hunting” ransomware (manual deployment, AD recon, data theft) but still uses an inexpensive, automated builder leased on Russian-speaking forums – price $300 lifetime.
  • Extortion only, no chat: victims are told to e-mail [email protected] or [email protected] with their company name; no TOR portal, no ticket number – which makes negotiation clumsy and often ignored.
  • Does NOT encrypt:
    – anything below C:\Windows\ (C:\Users\Public\ is not under that path and is encrypted like any other user folder)
    – files with the extensions .bat, .cmd, .msi, .factfull, .hta, .exe → the OS survives, because the operators rely on your ability to read the ransom note.
  • EDR/NGAV bypass note: Factfull is frequently packed with the open-source “Shoggoth” polymorphic crypter, so every payload is generated uniquely and hash-hunting alone won't scale. Behavioural rules (cryptographic API use, mass rename to .factfull, entropy jump on written files) are the better bet.
  • Wider impact: because it relies on 2017-vintage exploits plus 2021 PrintNightmare, the strain is used by entry-level affiliates – meaning smaller municipalities, dental offices and schools that “never got around to patching” are disproportionately hit, not just the Fortune 500.
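The behavioural rule recommended in the EDR/NGAV note above, written out as an added example (not code from the original report or from any vendor product): it consumes a simplified file-activity feed, flags a process that renames many files to .factfull across several folders inside a short window, and counts the ransom notes it drops. The feed format (time, pid, image, operation, old path, new path) and the thresholds are assumptions; the sample events, paths and PIDs are constructed.

```python
"""Added behavioural detector (not code from the original report): mass-rename
burst to .factfull across several folders, plus ransom-note creation.
Assumption: your EDR or a Procmon export can be reduced to
(time, pid, image, op, old_path, new_path) tuples."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RANSOM_EXT = ".factfull"
NOTE_NAME = "how_to_recover_files.txt"
RENAME_THRESHOLD = 20                   # renames to the ransom extension ...
RENAME_WINDOW = timedelta(seconds=10)   # ... inside this window ...
DIR_THRESHOLD = 3                       # ... spread over at least this many folders


def constructed_feed() -> list:
    """Constructed sample: Word renaming its own temp file (benign), then a
    binary under %ProgramData% sweeping four folders on a share."""
    base = datetime(2021, 9, 14, 22, 10, 20)
    word = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    evil = r"C:\ProgramData\factfull\factfull.exe"
    feed = [(base, 4120, word, "rename",
             r"\\FS01\share\HR\~WRL0001.tmp", r"\\FS01\share\HR\policy.docx")]
    folders = ["HR", "Finance", "Legal", "Sales"]
    for i in range(30):
        ts = base + timedelta(seconds=21 + i * 0.2)
        folder = folders[i % len(folders)]
        old = rf"\\FS01\share\{folder}\doc{i}.xlsx"
        feed.append((ts, 6688, evil, "rename", old, old + RANSOM_EXT))
        if i % 10 == 9:   # a note is dropped every ten files in the sample
            feed.append((ts, 6688, evil, "create", "",
                         rf"\\FS01\share\{folder}\HOW_TO_RECOVER_FILES.txt"))
    return feed


def detect(feed: list) -> dict:
    """Return {pid: alert} for every process that crosses all thresholds."""
    recent = defaultdict(deque)   # pid -> timestamps of ransom renames in window
    folders = defaultdict(set)    # pid -> distinct directories touched
    notes = defaultdict(int)      # pid -> ransom notes written
    alerts = {}
    for ts, pid, image, op, _old, new in sorted(feed, key=lambda e: e[0]):
        if op == "rename" and new.lower().endswith(RANSOM_EXT):
            window = recent[pid]
            window.append(ts)
            while ts - window[0] > RENAME_WINDOW:   # slide the window forward
                window.popleft()
            folders[pid].add(new.rsplit("\\", 1)[0].lower())
        elif op == "create" and new.lower().rsplit("\\", 1)[-1] == NOTE_NAME:
            notes[pid] += 1
        if (pid not in alerts and len(recent[pid]) >= RENAME_THRESHOLD
                and len(folders[pid]) >= DIR_THRESHOLD):
            alerts[pid] = {"image": image, "first_seen": recent[pid][0],
                           "renames_in_window": len(recent[pid]),
                           "folders": len(folders[pid])}
    for pid, alert in alerts.items():   # notes may land after the alert fired
        alert["ransom_notes"] = notes[pid]
    return alerts


if __name__ == "__main__":
    for pid, alert in detect(constructed_feed()).items():
        print(pid, alert)
```

The folder-spread condition is what keeps a backup agent or an archiver that touches hundreds of files in one directory from firing the rule; tune RENAME_THRESHOLD and RENAME_WINDOW to the rename rate you actually observe on your file servers before you wire the alert to an automatic host-isolation action.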

Bottom line: treat FACTFULL as you would any Shade/TibS derivative – there is no shortcut decryptor today, so solid offline backups and prompt patching are your only rescue. Isolate early, audit every RDP account, and keep macros disabled. Stay safe!