fadesoft Ransomware – Community Resource Sheet
(Last updated: 2024-05-xx)
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmed extension added to every encrypted file: .fadesoft (lower case, no secondary marker).
- Renaming convention observed in the wild: <original-file-name>.<original-extension>.fadesoft
  Example: Q4-Report.xlsx becomes Q4-Report.xlsx.fadesoft
  (No email addresses, random bytes, or victim IDs are inserted – a trait that helps spot it quickly in logs.)
2. Detection & Outbreak Timeline
- First public submissions to ID-ransomware & Hybrid-Analysis: 2023-11-14
- Peak distribution activity: December 2023 – January 2024 (gaming & SMB sectors)
- Still circulating as of Q2-2024, but volume dropped ≈70 % after February C2 takedown attempts.
3. Primary Attack Vectors
- Phishing with ISO/IMG lures – e-mails posing as “STEAM gift”, “Adobe invoice”, or “DHL tracking” notices, carrying a >150 MB ISO. Mounting the ISO launches FADESOFT.exe (NSIS-packed), which side-loads python311.dll → PyInstaller bundle.
- Cracked-software torrents – repacked game installers (SETUP.exe) on ThePirate-Bay clones that drop fadesoft after a delayed 30-min cron.
- External-facing RDP or AnyDesk with weak/stolen credentials. Once inside, the intruder manually runs fadesvc.exe (service wrapper) to escalate via the CMSTP UAC bypass.
- No evidence of SMB/EternalBlue exploitation to date – lateral movement relies on the above credentials + PSExec.
Additional notes:
- Deletes volume-shadow copies with vssadmin delete shadows /all and wmic shadowcopy delete.
- Stops MSSQL, MySQL, Oracle, Exchange, and QuickBooks services before encryption to unlock database files.
- Exits immediately if the keyboard layout is 0x43f (Kazakh) – primitive geofence/anti-analysis.
Remediation & Recovery Strategies
1. Prevention (non-negotiables)
✅ Block high-risk attachment types at the mail gateway: ISO, IMG, VHD, VHDX, DLL, PS1.
✅ Require FIDO2 / smart-card for any external RDP/VDI; move RDP behind VPN + MFA.
✅ Enforce least-privilege + application control (Windows Defender Application Control/WDAC or AppLocker) – default-deny rules stop the unsigned PyInstaller launcher.
✅ Patch externally facing apps (Citrix, Fortinet, ConnectWise, AnyDesk) and remove old v2 passwords.
✅ Deploy the free “PyInstaller-Demon” Sigma rule (SigmaHQ #41082) to detect PyInstaller stub memory artefacts before encryption starts.
✅ Have tested offline (non-domain) backups: 3-2-1 rule, with at least one copy in immutable S3 Object-Lock or tape.
2. Removal / Infection Cleanup
Machine-level eradication is straightforward because fadesoft has no boot-level persistence beyond a scheduled task.
Step-by-step:
- Power-off the infected host and boot from a clean Windows PE / Linux live-USB if you need to preserve evidence.
- In a clean environment, run:
  PSExec -s -i powershell
  Get-ScheduledTask | Where-Object { $_.TaskName -match "FadeSoft" -or $_.Actions.Execute -match "FadeLog" }
  Remove the task FadeSoftTimer (runs C:\ProgramData\FadeLog\fadesvc.exe at log-on).
- Delete folders:
  - C:\ProgramData\FadeLog\
  - C:\Users\<user>\AppData\Local\Temp\is-*\ (NSIS leftovers)
- Remove registry load-points:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run → value FadeSupport
- Reboot → run an offline scan with updated Microsoft Defender or Kaspersky Rescue Disk to eliminate residual Python-node artefacts.
- Re-image any machine that contained domain-level credentials to clean LSASS artefacts.
3. File Decryption & Recovery
- As of today NO flaw has been found in the OpenSSL-EVP-generated AES-256-CBC key-wrap (each file gets a unique 256-bit key, encrypted by an RSA-2048 public key embedded inside the malware).
- Free decryptor? None released by law-enforcement or security vendors.
- Brute force? RSA-2048 is computationally infeasible.
- ShadowExplorer / undelete? Usually deleted; test PhotoRec on unencrypted drives only if VSS was not wiped.
- Negotiation / paid decryption: Victims who paid (average demand 0.18 BTC ≃ US$6 000 late-2023) do receive a working Linux-based decrypter, but there is a 30 % chance of double-extortion (data published on the FadeBlog data-leak site).
  → Primary advice: restore from offline backups; treat payment as a last resort and assume data will still be leaked.
Essential recovery tools / patches
- Microsoft Safety Scanner (latest) – generic Trojan:Win32/Fadesoft!dha signature added 2024-01-19 (Definition ver 1.397.74.0).
- Sysinternals Autoruns 14.11 – visually purge the FadeLog entries.
- “ShadowCopyView” (NirSoft) – verify whether any restore-points survived.
- Kaspersky RannohDecryptor / Bitdefender GandCrab utilities: do NOT work on fadesoft; do not waste time.
4. Other Critical Information / Wider Impact
- No supply-chain component – fadesoft is purely opportunistic and unsigned, which makes it easy to block via code-signing policies.
- Data-leak site: fadebloggdtnph5isegtekhixkqhshou3ycvv7rftou3453cuct1gbyd.onion – listed victims as of Apr-2024: 74 organisations (mostly sub-500-employee manufacturers in EU & APAC).
- IoCs you can share / load into Splunk:
  - SHA-256 76e4…c1ef (main dropper)
  - C2 beacon domain statu-fade[.]com (sink-holed Feb-2024; may re-spawn)
  - Mutex FadeSoft-1337-No-Edit (single-machine, prevents re-encryption)
- Lesson learned from early adopters: Enterprises that had application whitelisting in “Enforce” mode suffered zero encryption even when the ISO was mounted – the unsigned stub simply failed to start.
- GDPR/HIPAA implication: Because fadesoft leaks data to the Tor blog before encryption, the incident becomes a REPORTABLE breach in most jurisdictions – prepare for the 72-hour disclosure clock.
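As an added example (not part of this sheet or of any vendor tooling), a small Python triage script that runs the indicators collected above (the rename pattern from section 1, the persistence artefacts from section 2, the shadow-copy commands from section 3 and the IoCs in this section) over a few constructed log lines. The key=value log format, host names and user paths in the sample are assumptions; the C2 domain is used re-fanged so it can be matched against DNS telemetry.

```python
import re
from collections import Counter

# Indicators as listed on this sheet (the C2 domain is written defanged above).
RENAME_RE = re.compile(r"^.+\.[A-Za-z0-9]+\.fadesoft$")  # <name>.<ext>.fadesoft
SHADOW_CMDS = ("vssadmin delete shadows /all", "wmic shadowcopy delete")
PERSISTENCE = ("c:\\programdata\\fadelog\\fadesvc.exe", "fadesofttimer", "fadesupport")
C2_DOMAIN = "statu-fade.com"
MUTEX = "FadeSoft-1337-No-Edit"

def is_fadesoft_rename(path):
    """True when the basename is exactly <name>.<ext>.fadesoft (no IDs or e-mails added)."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    return RENAME_RE.fullmatch(base) is not None

def classify_line(line):
    """Return every indicator tag that one log line carries (empty list = clean)."""
    tags, low = [], line.lower()
    dst = re.search(r'dst="([^"]+)"', line)       # rename events carry a dst="" field (assumed format)
    if dst and is_fadesoft_rename(dst.group(1)):
        tags.append("rename")
    if any(cmd in low for cmd in SHADOW_CMDS):     # section 3: shadow-copy wiping
        tags.append("shadow-delete")
    if any(p in low for p in PERSISTENCE):         # section 2: task name, drop path, Run value
        tags.append("persistence")
    if C2_DOMAIN in low:
        tags.append("c2")
    if MUTEX in line:                              # mutex names are case-sensitive
        tags.append("mutex")
    return tags

def triage(lines):
    """Count indicator hits across a log; any non-empty Counter warrants an IR ticket."""
    return Counter(tag for ln in lines for tag in classify_line(ln))

# Constructed sample telemetry in a key=value style; not real logs.
SAMPLE_LOG = [
    'host=WS-17 event=file_rename dst="C:\\Users\\amy\\Docs\\Q4-Report.xlsx.fadesoft"',
    'host=WS-17 event=file_rename dst="C:\\Users\\amy\\Docs\\notes.txt.bak"',
    'host=WS-17 event=process cmd="vssadmin delete shadows /all /quiet"',
    'host=WS-17 event=process cmd="wmic shadowcopy delete"',
    'host=WS-17 event=sched_task name=FadeSoftTimer action="C:\\ProgramData\\FadeLog\\fadesvc.exe"',
    'host=WS-17 event=dns query=statu-fade.com',
    'host=WS-17 event=mutex name=FadeSoft-1337-No-Edit',
    'host=WS-22 event=file_rename dst="C:\\Users\\bob\\report.docx.tmp"',
]
```

Running triage(SAMPLE_LOG) flags six of the eight lines; the two ordinary renames stay clean because the pattern requires the bare .fadesoft suffix with nothing appended.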
Bottom line: fadesoft is technically unremarkable (PyInstaller + OpenSSL) and removable, but because its cryptography is implemented correctly, backups are the only reliable path to full data recovery. Invest in application control, MFA on remote tooling, and immutable off-line backups today – you will neutralise not just fadesoft but the majority of 2024’s commodity ransomware families.
Stay safe, and please share updated IoCs or decryption news in the community threads so we can keep this page current.