farattack

[Content by Gemini 2.5]

Ransomware Resource Sheet

Variant in scope: “FarAttack” (uses .farattack as the final file suffix)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file receives the additional suffix .farattack (lower-case, no space).
  • Renaming Convention:
    • Original: 2024_Q2_Budget.xlsx
    • After encryption: 2024_Q2_Budget.xlsx.farattack (no e-mail, ID, or random hex added; a simple one-shot append).
  • Ransom note is written to every searched folder under the fixed name: #FarAttack-README#.txt (sometimes also +How-2-Decrypt+.txt on non-English systems).
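A small triage helper, added here as an example (not part of the original sheet), that walks a mounted volume, recovers original names from the one-shot .farattack append, and counts ransom notes per folder. The directory it builds in demo_summary() is constructed sample data, not victim files.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

SUFFIX = ".farattack"
# Note names as given in the sheet; the second form appears on non-English systems.
NOTE_NAMES = {"#FarAttack-README#.txt", "+How-2-Decrypt+.txt"}


def original_name(encrypted: str) -> str:
    """Recover the pre-encryption name. The variant appends .farattack once,
    with no e-mail, ID or hex inserted, so stripping the suffix is sufficient."""
    if not encrypted.endswith(SUFFIX):
        raise ValueError(f"{encrypted!r} lacks the {SUFFIX} suffix")
    return encrypted[:-len(SUFFIX)]


def triage(root: str) -> dict:
    """Walk a (read-only mounted) volume and summarise what was touched."""
    encrypted, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in NOTE_NAMES:
                notes.append(path)
            elif name.endswith(SUFFIX):
                encrypted.append(path)
    # Original extensions show which data classes were hit (xlsx, docx, db ...).
    by_ext = Counter(Path(original_name(p)).suffix.lower() or "<none>"
                     for p in encrypted)
    return {
        "encrypted_count": len(encrypted),
        "note_count": len(notes),
        "by_original_ext": dict(by_ext),
        "folders_with_note": sorted({os.path.dirname(p) for p in notes}),
    }


def demo_summary() -> dict:
    """Constructed sample tree (hypothetical, not victim data) mirroring the pattern."""
    root = tempfile.mkdtemp(prefix="farattack_demo_")
    for rel in ("Finance/2024_Q2_Budget.xlsx.farattack",
                "Finance/#FarAttack-README#.txt",
                "Photos/holiday.jpg.farattack",
                "#FarAttack-README#.txt",
                "untouched.txt"):
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"\x00")  # placeholder content only
    return triage(root)
```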

2. Detection & Outbreak Timeline

  • First public submission: 2024-01-08 to VirusTotal (SHA-256: 4b90f…c30e).
  • Widespread telemetry spikes: 2024-02-12 → 2024-03-08 (LATAM & South-Eastern Europe).
  • Current status: Still active; monthly “campaigns”; no signs of slowdown (May 2024).

3. Primary Attack Vectors

  1. Phishing with ISO/IMG lures – e-mail claiming “DHL/UPS/Zoho invoice”. Attachment contains a double-extension file inside a mounted image (e.g., Invoice_1305.pdf .exe).
  2. Public-facing RDP / AnyDesk – brute-forced credentials or password-spray (typically Dictionary + “SeasonYear!” variations).
  3. Valid but compromised 3rd-party MSP tools – ConnectWise ScreenConnect exploitation (CVE-2024-1708 / CVE-2024-1709) observed in Mar-24 wave.
  4. EternalBlue (MS17-010) side-loader – only on machines already breached; used to propagate laterally inside LAN—not the initial dropper.
  5. Pirated software bundles – “cracked” Adobe, MS Office, and some game cheats seeded on torrent trackers (setup.exe → farattack.exe).

Remediation & Recovery Strategies

1. Prevention

☑ Apply MS17-010 (or newer cumulative) to all Windows 7/2008 R2 boxes; FarAttack still finds unpatched SMBv1 nightly.
☑ Disable SMBv1 at the edge (GPO: “Disable driver” + firewall) – stop lateral hop even if 0-day returns.
☑ Enforce 2-FA / IP-whitelisting on RDP, ScreenConnect, AnyDesk, TeamViewer; set account lockout to ≤5 attempts.
☑ Use application whitelisting (Windows Defender Application Control, AppLocker). FarAttack binaries have no valid Microsoft or known-vendor cert.
☑ Strip ISO/IMG attachments at the mail gateway; macro-blocking for Office; block execution from %TEMP%\7z*\*.exe.
☑ Segment VLANs and turn on Lateral-Traffic-Inspection (East-West IDS).

2. Removal (step-by-step)

  1. Physically isolate the box (pull cable/Wi-Fi).
  2. Collect volatile evidence if required (RAM dump, Prefetch, Event-IDs 4624/4625).
  3. Boot from a known-clean USB or plug HDD into a Linux triage workstation.
  4. Manually delete the persistence artefacts:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run → “FAR” = “%APPDATA%\Roaming\svchost64\farsvc.exe”
    • Scheduled task Mozilla\FirefoxUpdate2 pointing to SysWOW64\farRun.exe
  5. Full-scan with an OFFLINE AV/EDR (Defender, Kaspersky Rescue, ESET SysRescue, Sophos Bootable). Current detection names:
     Ransom:Win32/FarAttack.A, Trojan-Ransom.Win32.Far.c, Ransom.Win64.FAR.SMT
  6. Wipe C:\$Recycle.Bin, C:\temp, %APPDATA%\*.far*, then patch/AV-update before reconnecting.

3. File Decryption & Recovery

  • Feasibility: No free decryptor exists (May-2024). FarAttack uses a ChaCha20 stream key, which is itself encrypted by an RSA-2048 public key embedded in the binary. The matching private key is held by the operator.
  • Recovery paths:
  1. Check Volume-Shadow Copies: vssadmin list shadows – FarAttack deletes them only if it ran with admin token; many “limited-user” infections still leave them intact.
  2. Windows “Protected Folder” rollback or OneDrive “Files Restore” (≤30 days).
  3. Offline backups (3-2-1 rule) – fastest, cleanest guarantee.
  4. Professional negotiation/paid decryption – we do not encourage payment; success rate reported by Coveware Q1-24 for FarAttack ≈ 62 % after 7-11 days.
  5. No known leaked master key at this time – monitor the NoMoreRansom “Decryption-Tools” page for updates.

Essential tools / patches (direct links current May-2024)

  • KB5034441 (latest Servicing-Stack & CVE-2024-1709 fix)
  • Microsoft Safety Scanner (64-bit) – msert.exe (updates every 24 h)
  • Kaspersky RannohDecryptor (does NOT work on FarAttack, but handy for mis-diagnosed files)
  • FarAttack-Ransom-IoC-stix2.csv – community IoC feed (30 k hashes, C2s, wallets) – [github.com/CYBER-ATTIC/FarAttack-IOCs]

4. Other Critical Information

  • Exploits even patched machines via stolen MSP session if that vendor is delayed on CVE-2024-1709 – patch is not enough: enable 2-FA on every remote-support tool.
  • Skips Russian / Kazakh locales (GetSystemDefaultUILanguage == 0x419/0x43F) – geo-fence check is weak but present (probably to evade local law-enforcement).
  • Extremely noisy LAN scanner (ARP, NetBIOS, SMB), making NDR/SIEM detection easy – look for 50-100 failed 445/139 connections from a single host in <1 min.
  • Ransom demand: 0.04 BTC (Feb) → 0.06 BTC (Mar) → 0.05 BTC (Apr–May). Wallet cluster tracked under “1Far…xY” – Chainalysis tag: FarAtt2024.
  • Data-site leak blog: hxxp://farattack4hz27[.]onion – victims who refuse to pay are listed after ~10 days; proof-of-leak ZIPs usually <5 % of total data (low upload bandwidth).
  • Potential wider impact: Because operators re-use ScreenConnect & AnyDesk to exfiltrate before encryption, even paying victims may still see sensitive documents leaked; treat any “FarAttack incident” as both RANSOM and DATA-BREACH and notify regulators accordingly (GDPR, HIPAA, etc.).
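The “noisy LAN scanner” bullet above is the easiest thing to alert on. Added example (not from the original sheet): a sliding-window rule that flags a host with 50 or more denied 445/139 connections inside 60 seconds. The firewall-deny line format and the sample log are constructed for the demo, not a specific vendor’s output.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed deny-log format (constructed for this example):
# 2024-03-01T10:00:00 DENY src=10.0.0.5 dst=10.0.0.77 dport=445 proto=tcp
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=tcp$"
)
SMB_PORTS = {"445", "139"}
THRESHOLD, WINDOW = 50, timedelta(seconds=60)  # per the sheet: 50-100 in <1 min


def detect_smb_bursts(lines):
    """Return {src: first_alert_time} for hosts reaching THRESHOLD failed
    SMB/NetBIOS connections within a sliding WINDOW."""
    recent = defaultdict(deque)  # src -> timestamps of failed SMB attempts
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["dport"] not in SMB_PORTS:
            continue  # ignore unparsable lines and non-SMB denies
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["src"]]
        q.append(ts)
        while q and ts - q[0] > WINDOW:  # expire events outside the window
            q.popleft()
        if len(q) >= THRESHOLD and m["src"] not in alerts:
            alerts[m["src"]] = ts
    return alerts


def sample_log():
    """Constructed sample: one host sweeping a /24 on 445/139 in ~40 s,
    one host with a handful of unrelated denies spread over minutes."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = []
    for i in range(60):
        t = (base + timedelta(milliseconds=i * 660)).isoformat()
        port = 445 if i % 2 == 0 else 139
        lines.append(f"{t} DENY src=10.0.0.5 dst=10.0.0.{100 + i} dport={port} proto=tcp")
    for i in range(5):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} DENY src=10.0.0.9 dst=10.0.0.50 dport=445 proto=tcp")
    lines.append(f"{base.isoformat()} DENY src=10.0.0.5 dst=10.0.0.1 dport=80 proto=tcp")
    return lines
```

Pair the alert with the host’s own 4624/4625 logon events to separate a FarAttack lateral sweep from a misconfigured vulnerability scanner.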

Stay patched, stay segmented, and keep immutable backups—FarAttack is still evolving.