fastbackdata

[Content by Gemini 2.5]

FASTBACKDATA Ransomware – Community Defense Resource

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: “.fastbackdata” (extension is appended, NOT substituted).
    Example: Budget2024.xlsx.fastbackdata
  • Renaming Convention:
    • Original file name + “.fastbackdata” (no e-mail address, ID string, or random bytes are inserted).
    • Every folder receives a plain-text ransom note ##-FASTBACKDATA-README-##.txt (sometimes duplicated as an .hta dropped into every directory).

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to ID-Ransomware & VirusTotal: mid-May 2024.
    Surge of enterprise alerts: 24–30 May 2024 (largest wave).
    Still actively maintained as of June 2024; new builds (hash shifts) observed weekly.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing e-mail with ISO/IMG or password-protected ZIP → contains JavaScript or MSI that fetches the payload from a Discord CDN URL (common TTP of the “Mindware” cluster that splintered off from Zeppelin).
  2. Compromised websites serving fake browser updates (“Chrome/Edge Critical Patch”) – leads to same MSI.
  3. Exploitation of un-patched Windows servers:
    • SonicWall SSLVPN CVE-2020-5135 (older but still un-patched appliances)
    • PaperCut NG/MF CVE-2023-39143 (when external-facing)
    • Remote Desktop Services with weak/stolen credentials → manual PSExec deployment (common in post-affiliate intrusions).
  4. Living-off-the-land once inside:
    • Uses wmic to delete shadow copies (shadowcopy delete).
    • Built-in cipher /w to zero free space and hamper recovery.
    • Stops services via net stop / sc config for SQL, Veeam, Acronis, etc. before encryption.

Remediation & Recovery Strategies

1. Prevention

Proactive Measures (stop it before it lands):

  • E-mail gateway: block ISO, IMG, JS, VBS, HTA, and password-ZIP at perimeter; enable “Mark external” + sandbox detonation.
  • Application control (Applocker / WDAC): block execution of unsigned binaries in %TEMP%\*, C:\Users\*\Downloads\*, and %PUBLIC%.
  • Patch aggressively (SonicWall, PaperCut, Fortinet, Exchange, and OS level MS-CVEs).
  • Disable SMBv1; require NLA on RDP; enforce MFA on every remote vector (VPN, RDP GW, Citrix).
  • Segment networks, especially backup VLAN, and use immutable/object-locked repositories (e.g., AWS S3 Object Lock, WORM tape, or hardened Linux repo with immutability flag).
  • Back-up hygiene: 3-2-1, offline/off-site copies tested monthly; backup credentials should use unique, non-domain service accounts.

2. Removal

Step-by-step Cleanup:

  1. Isolate: disconnect NIC / disable Wi-Fi; power-off unaffected peers if quick-spread suspected.
  2. Identify patient-zero: look for earliest xyz.fastbackdata timestamps or Sysmon events spawning msiexec.exe or wscript.exe from %Public%\Downloads.
  3. Collect forensics: export system event logs, MFT (via Kape/Velo), memory dump if possible, then proceed to eradicate.
  4. Delete persistence:
     • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FastBackSuite (msiconf32.exe).
     • Scheduled task \Microsoft\Windows\DiskCleanup\FastBackLogCleaner (executes payload).
  5. Remove binaries: kill msiconf32.exe, FastEnc.exe, random-named *.exe in %ProgramData%\Updates\{GUID}\, and clear C:\Users\Public\Libraries\fabdata.tmp (mutex file).
  6. Eliminate malicious user accounts (if RDP brute-forced).
  7. Patch / harden (remove SMBv1, enforce MFA, reset all harvested LSASS creds).

3. File Decryption & Recovery

  • Recovery Feasibility:
    • No known flaw or public master key (uses Curve25519 + ChaCha20).
    • Therefore, decrypting without the criminal’s private key is computationally infeasible as of June 2024.
    Options:
    a) Check for an offline key: examine the ransom note for “key-id = OFFLINE”. If present, submit the note + one encrypted file to NoMoreRansom; researchers occasionally release an offline decrypter (has not happened yet but worth watching).
    b) Restore from backups only AFTER wiping and patching the environment.
    c) Shadow copies / Recycle Bin are usually purged; undelete tools (PhotoRec, R-Studio) will not help because files are encrypted, not erased.
    d) File repair (partial media recovery) may rebuild usable headers for huge files in which “only” the first 4 MB was encrypted, leaving the remainder intact; the success rate is still low.
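As an added worked example (not part of this resource), the following Python script applies the facts above and in section 1 to a post-incident tree: it maps each .fastbackdata file back to its original name (the suffix is appended, so the original extension survives), finds the ##-FASTBACKDATA-README-##.txt notes and checks them for “key-id = OFFLINE” (option a), lists files left untouched because they are under 2 KB (section 4), and computes for each encrypted file how many bytes lie beyond the 4 MB encrypted prefix and are therefore candidates for option d. The directory tree and the note body are constructed sample data; the note layout around the key-id line is an assumption.

```python
"""Post-incident triage of a FastBackData-encrypted directory tree.

Added example, not part of the original resource. Builds a CONSTRUCTED sample
tree in a temp folder and applies the page's stated facts: ".fastbackdata" is
appended to the original name, files under 2 KB are skipped, a ransom note
##-FASTBACKDATA-README-##.txt sits in each folder, and only the first 4 MB of
huge files is encrypted. The wording "key-id = OFFLINE" is from the page; the
surrounding note text is assumed.
"""
import re
import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

EXT = ".fastbackdata"
NOTE_NAMES = {"##-FASTBACKDATA-README-##.txt", "##-FASTBACKDATA-README-##.hta"}
MIN_SIZE = 2 * 1024                   # files below this are skipped by the encryptor (section 4)
ENCRYPTED_PREFIX = 4 * 1024 * 1024    # leading bytes encrypted in huge files (option d)


@dataclass
class EncryptedFile:
    path: Path
    original_name: str
    size: int
    intact_tail_bytes: int    # bytes beyond the encrypted prefix, candidates for repair


@dataclass
class Triage:
    encrypted: list[EncryptedFile]
    notes: list[Path]
    offline_key: bool         # True if any note reads "key-id = OFFLINE"
    skipped_small: list[Path]  # untouched files under 2 KB, consistent with the skip rule


def original_name(name: str) -> str:
    """Strip the appended suffix; the original extension is still present."""
    if not name.endswith(EXT):
        raise ValueError(f"not a {EXT} file: {name}")
    return name[: -len(EXT)]


def note_uses_offline_key(note_text: str) -> bool:
    return re.search(r"key-id\s*=\s*OFFLINE", note_text, re.I) is not None


def triage(root: Path) -> Triage:
    """Walk the tree once and classify every file."""
    encrypted, notes, small, offline = [], [], [], False
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name in NOTE_NAMES:
            notes.append(p)
            if p.suffix == ".txt":
                offline = offline or note_uses_offline_key(p.read_text(errors="replace"))
        elif p.name.endswith(EXT):
            size = p.stat().st_size
            encrypted.append(EncryptedFile(p, original_name(p.name), size,
                                           max(0, size - ENCRYPTED_PREFIX)))
        elif p.stat().st_size < MIN_SIZE:
            small.append(p)
    return Triage(encrypted, notes, offline, small)


def build_sample_tree() -> Path:
    """Construct a sample tree mirroring the page's description (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="fbd-"))
    (root / "finance").mkdir()
    for rel, size in {
        "finance/Budget2024.xlsx" + EXT: 6 * 1024 * 1024,   # huge: 2 MB tail beyond the prefix
        "finance/photo.jpg" + EXT: 120 * 1024,              # fully inside the encrypted prefix
        "finance/readme.txt": 900,                          # under 2 KB, left alone
    }.items():
        with open(root / rel, "wb") as fh:
            fh.truncate(size)                               # sparse: size without writing payload
    note = "Your files are encrypted.\nkey-id = OFFLINE\ncontact: [placeholder]\n"  # constructed
    (root / "finance" / "##-FASTBACKDATA-README-##.txt").write_text(note)
    (root / "##-FASTBACKDATA-README-##.txt").write_text(note)
    return root


def run_example() -> Triage:
    root = build_sample_tree()
    try:
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    t = run_example()
    print("offline key-id:", t.offline_key, "| notes:", len(t.notes))
    for e in t.encrypted:
        print(f"{e.original_name:<20} {e.size:>9} bytes, repair-candidate tail {e.intact_tail_bytes}")
```

Point `triage()` at the real root instead of the constructed tree; the `offline_key` flag decides whether option (a) applies, and a non-zero `intact_tail_bytes` marks the only files for which option (d) is even worth attempting.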

  • Essential Tools/Patches to Deploy:
    • MS22-043 (SMB), SonicWall 10.2.1.3+, PaperCut 22.0.4+, Citrix NetScaler ADC/Gateway security update (June 2024).
    • Enable Windows Credential Guard + HVCI (helps block LSASS dumping).
    • Kaspersky Virus Removal Tool, Trend Micro Ransomware File Decryptor (no fastbackdata support yet, but it auto-updates).
    • Microsoft’s Ransomware BCD (Block at First Sight); if you cannot run Defender, use CrowdStrike or SentinelOne with the rollback feature.

4. Other Critical Information

  • Unique Characteristics:
    • Recon phase uses a renamed AdFind (adf.bat) to pull AD topology and exfiltrate it to file.io; this data fuels negotiation pressure (double extortion).
    • Payload installs the legitimate Microsoft “Sync” framework DLL side-by-side to masquerade on allow-lists.
    • Intentionally skips files below 2 KB (likely to leave ransom notes intact).
    • Network traffic is light: only one outbound HTTPS beacon to a TOR .onion (no raw IP fallback), which complicates PCAP-based IOC hunting.

  • Broader Impact / Notable Effects:
    • Unlike volume-oriented families (e.g., STOP), FastBackData is aimed at mid-size enterprises (100–2000 seats); affiliates demand USD 80 k – 1.5 M in XMR.
    • Over half of the 24 known victims (as of 10 Jun 2024) refused to pay; the data auction site “MindLeaks” now publishes 14 TB of exfiltrated data under the “Mindware” header. Expect GDPR/CCPA fines and downstream lawsuits.
    • Tape-rotation and offline dedupe appliances (Qnap, Exagrid) configured with simple SMB were destroyed; those with object immutability (Veeam Hardened Repo, i50O locking) survived.

Key Defensive Take-away

Treat FastBackData as a hybrid ransomware+extortion campaign: patch public-facing apps, enforce MFA, isolate backups, monitor for AdFind, and keep recent OFFLINE copies—because decryption is currently impossible once encryption completes.

Stay safe,
Cyber-defense Community