fast

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Files hit by “FAST” ransomware acquire the suffix “.fast” (lowercase, no additional digits or brackets).
  • Renaming Convention: Original file names are kept intact and the four-letter extension is simply appended (Project.xlsx → Project.xlsx.fast). Folders receive a plain-text ransom note (README.txt) but their names are not changed.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First uploaded samples and public victim reports appeared 19-20 May 2024; a second, larger wave was observed late June 2024 (v. 1.3 & 1.4). Most incidents still fall in the June-August 2024 window.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    • Malicious Microsoft Excel/OneNote e-mails (“payment advice”, “DHL invoice”) that launch a concealed .LNK → PowerShell → Windows Script Host downloader.
    • Exploitation of public-facing RDP or AnyDesk sessions secured only with weak or previously leaked credentials; internal lateral movement over SMB/445 using living-off-the-land exe /c commands rather than EternalBlue.
    • Abuse of two recently patched privilege-escalation flaws to gain SYSTEM context:
      • CVE-2023-36884 (Windows Search 0-day used as an n-day)
      • CVE-2024-26238 (Windows Print Spooler LPE)
    • Once inside, an actor-controlled Telegram Bot API channel (no Tor) is used for key exchange and victim tracking.

Remediation & Recovery Strategies:

1. Prevention

  • Apply Microsoft’s cumulative updates from June 2024 (KB5039212 / KB5039211) to close CVE-2023-36884 & CVE-2024-26238.
  • Enforce least-privilege RDP: restrict port 3389 via VPN, multi-factor authentication, and “Network Level Authentication”.
  • Disable Office macros by GPO; block OneNote file execution of embedded .wsh/.ps1/.exe (new Office 365 ADMX available).
  • Deploy Controlled Folder Access and the Windows ASR rule “Block credential stealing from the Windows credential directory” to stop the ransomware process from reaching lsass or VSS.
  • Maintain offline, versioned backups (3-2-1 rule); FAST specifically wipes shadow copies, so cloud snapshots with immutability are essential.

2. Removal

  • Isolate the workstation from the network (pull the cable / disable Wi-Fi).
  • Power down unnecessary shares to prevent further encryption.
  • Boot into Safe Mode with Networking and:
    1. Delete the persistence scheduled task SysFastLocker (Task Scheduler).
    2. Remove the dropped executables in %ProgramData%\Oracle\Java\ and %TEMP%\svchost64.exe.
    3. Clean the malicious registry Run key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdateCheck).
    4. Run an up-to-date anti-malware engine (Defender 1.415.xxxx, ESET, SentinelOne) to quarantine Trojan:Win32/FastRansom.PVA; reboot normally.
  • Check for network propagation: scan for newly created service entries named FASvc.
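The removal steps above list several host artefacts. The following read-only triage script is an added example (not from the original write-up) that checks a host for each of them before any removal is attempted; the artefact names (SysFastLocker, Oracle\Java, svchost64.exe, JavaUpdateCheck, FASvc, .fast, README.txt) come from the page, while the default scan roots and the script structure are assumptions.

```powershell
# Read-only FAST triage: reports indicators, removes nothing.
# Run in an elevated PowerShell session on the already-isolated host.
param(
    [string[]]$ScanRoots = @('C:\Users', 'D:\')   # assumed data roots to sweep for encrypted files
)

$findings = [System.Collections.Generic.List[string]]::new()

# 1. Persistence: scheduled task named in the removal steps
$task = Get-ScheduledTask -TaskName 'SysFastLocker' -ErrorAction SilentlyContinue
if ($task) { $findings.Add("Scheduled task present: $($task.TaskPath)$($task.TaskName) [$($task.State)]") }

# 2. Dropped executables (paths as given in the write-up)
$dropPaths = @(
    (Join-Path $env:ProgramData 'Oracle\Java'),
    (Join-Path $env:TEMP 'svchost64.exe')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) { $findings.Add("Dropper artefact present: $p") }
}

# 3. Run-key persistence (HKCU of the current user only; other profiles need their NTUSER.DAT loaded)
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = Get-ItemProperty -Path $runKey -Name 'JavaUpdateCheck' -ErrorAction SilentlyContinue
if ($runVal) { $findings.Add("Run key present: $runKey\JavaUpdateCheck = $($runVal.JavaUpdateCheck)") }

# 4. Service entry associated with propagation
$svc = Get-Service -Name 'FASvc' -ErrorAction SilentlyContinue
if ($svc) { $findings.Add("Service present: FASvc [$($svc.Status)]") }

# 5. Encryption footprint: count .fast files and README.txt notes per scan root
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $enc   = @(Get-ChildItem -LiteralPath $root -Recurse -File -Filter '*.fast'     -ErrorAction SilentlyContinue)
    $notes = @(Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'README.txt' -ErrorAction SilentlyContinue)
    if ($enc.Count -gt 0 -or $notes.Count -gt 0) {
        $findings.Add("$root : $($enc.Count) .fast files, $($notes.Count) README.txt notes")
    }
}

if ($findings.Count -eq 0) { 'No FAST indicators found on this host.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

A README.txt hit on its own is weak evidence (the name is common); treat it as corroboration for the .fast count rather than an indicator by itself.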

3. File Decryption & Recovery

  • Recovery Feasibility: As of September 2024 FAST uses Curve25519 + ChaCha20 with per-victim keys held only on the criminals’ server. No flaw has been found, so no free decryptor exists.
  • Options Without Paying:
    • Restore from offline backups (nightly Veeam, Windows Server Backup, or immutable S3).
    • Search unwiped drives for unencrypted copies in e-mail attachments, the SharePoint recycle bin, or shadow copies taken before the vssadmin wipe.
    • Try data-recovery carving tools (Photorec, R-Studio) on spindle disks; SSD TRIM makes this unlikely to succeed.
  • Paying is discouraged (no guarantee, it funds organised crime, and some victims reported non-functional keys after payment).

4. Other Critical Information

  • Additional Precautions:
    • FAST self-terminates on machines with Russian, Belarusian or Ukrainian keyboard layouts; do not rely on this as protection.
    • Deletes shadow copies but leaves SymbolicLink-Evaluation untouched, so junction-based backup drives may survive if they are disconnected quickly.
    • Telegram beaconing uses the legitimate api.telegram.org; URL filtering on web proxies should include */bot if Telegram is not normally required.
  • Broader Impact:
    • Mainly hits SMEs in Europe/US via opportunistic phishing; the largest single incident encrypted ≈ 400 ESXi & Hyper-V guests and forced a week-long production shutdown.
    • Fast is part of the “MeowIsBack” RaaS cluster, sharing code overlap with “MeowPro” (.meow) and the info-stealer “CatLogs”; expect double extortion (data theft + encryption) in enterprise intrusions.

Key Take-away: Patch CVE-2023-36884 & CVE-2024-26238 immediately, disable risky Office objects, harden RDP, and keep immutable offline backups—decryption will otherwise be impossible because no flaw has been published.