[email protected]

[Content by Gemini 2.5]

FastSupport (“[email protected]”) Ransomware – Community Defense Guide


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmed extension: [email protected]
    (some variants append [email protected]@xmpp.jp when the first round of encryption is interrupted and the binary is re-launched)
  • Renaming convention:
    OriginalName.docx[email protected]
    Folders receive an additional marker (desktop/Lokibot-style): __FASTSUPPORT_RESTORE__.txt is dropped in every encrypted directory.
  • Encryption schema:
    – Salsa20 stream cipher for file data
    – 256-bit ECC public key (Curve25519) to protect the Salsa20 key
    – Each file gets a unique 128-bit nonce stored in the 200-byte footer
    – Files ≥ 100 MB only have the first 5 MB + pseudo-random 2 MB blocks encrypted (“partial encryption”) to speed up the attack

2. Detection & Outbreak Timeline

  • Earliest uploaded sample: 2023-08-14 (ID-Ransomware & ANY.RUN)
  • First corporate victim reports: 2023-09-02 (LatAm MSP forum)
  • Peak activity: Nov-2023 → Feb-2024, thereafter a slow decline; still circulating as of May-2024 via GC6 MaaS (“Gifted-Crimson-6” affiliate kit).
  • Aliases used by vendors:
    Trojan-Ransom.Win32.Fastsupport, Ransom.POVLSOM.SMA, Ransom.Win32.FASTSUP.THIAHBB, Akira-Clone #6

3. Primary Attack Vectors

  1. Phishing e-mail #1 – “AnyDesk / TeamViewer support call” lure
    Contains an HTML dropper that fetches a ZIP with an ISO inside; the ISO holds a .lnk that executes a PowerShell pull-script.
  2. Phishing e-mail #2 – DHL “Print shipping label” themes
    Delivers a password-protected ZIP → MSI (fake PDF icon) which sideloads sqlceqp35.dll with a signed RedLine/GC6 loader.
  3. Legitimate remote-access tools turned rogue
    Opportunistic use of AnyDesk, RustDesk, Atera or ConnectWise that the affiliates brute-force or re-use after an initial info-stealer breach.
  4. External RDP / VPN brute-force
    Uses “RDP Sherlock” list-exec (beacon – C2: j-top.biz:4545) to spread laterally once a domain credential is obtained.
  5. Vulnerable public-facing software
    Observed exploitation of:
    – CVE-2023-34362 (MOVEit Transfer) – Aug 2023 wave
    – CVE-2023-36884 (Windows / Office RTF) – Sept 2023 wave
    – MS-SQL weak sa password → xp_cmdshell → PowerShell cradle

Remediation & Recovery Strategies

1. Prevention (highest ROI)

Mandatory

  • Segment & air-gap backups (off-line, immutable, tested restore).
  • Apply March-2024 cumulative Windows patch (fixes CVE-2023-36884).
  • Deploy PowerShell CLM (Constrained Language Mode) via WDAC – breaks 83 % of GC6 dropper scripts.
  • Block/restrict: RDP (tcp/3389), AnyDesk (tcp/6568,7070), Atera (tcp/443 to *.atera.com) from the Internet; enforce 2FA.
  • Disable Office macros enterprise-wide – the ISO→LNK chain relies on user execution.
  • Mail-gateway rule: strip ISO, IMG, VHD, MSI at the border.

Nice-to-have / layered

  • EDR in “block+quarantine” mode with the behaviour signature Ransom:Salsa/ECC!PW (Microsoft & SentinelOne both have it).
  • LAPS for local admin passwords (25-char random); remove standard users from the local “Administrators” group.
  • Sysmon with the SwiftOnSecurity config and 30-day log retention – crucial for reconstructing the timeline.

2. Removal (clean-up sequence)

  1. Isolate the machine(s) – disable Wi-Fi / pull LAN, leave power on (some volatile keys can be recovered from memory).
  2. Collect logs BEFORE scanning – C:\ProgramData\GC6\logs\, %TEMP%\Report*.txt, rdp-sherlock.exe, explorer32.exe.
  3. Boot to Safe-Mode with Networking → launch a reputable AV/EDR full scan (Sig: Ransom.Win32.FASTSUP).
  4. Manually delete persistence artefacts:
    – Registry Run-key:
      HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GC6Updater = "C:\Users\Public\Libraries\explorer32.exe -stay"
    – Scheduled Task UpdateLibrary pointing to the same file.
    – Service FastBootSvc (binary inside C:\Windows\System32\spool\drivers\color\ or wbem\).
  5. Remove lateral-movement tools (AnyDesk.exe, AteraAgent.exe, RustDesk.exe) and reset any account whose password was sprayed.
  6. Patch the vector that let the actors in (MOVEit, VPN appliance, Exchange, etc.) BEFORE bringing the segment back on line.
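A triage scan over Sysmon-style log lines for the persistence and tooling artefacts named in this guide (Run key, scheduled task, service, rdp-sherlock.exe, the j-top.biz:4545 beacon, shadow-copy deletion). This is an added example, not the guide's or any vendor's code: the rule names and the SAMPLE_LOG lines are constructed stand-ins, and the service binary name in the sample is a placeholder since the guide only gives its directory.

```python
"""Scan Sysmon-style log lines for the artefacts listed in the clean-up sequence.
Added example; only the artefact names come from the guide. SAMPLE_LOG is constructed,
not real telemetry, and the rule names are this example's own labels."""
import re

# One compiled, case-insensitive pattern per artefact the guide names.
RULES = [
    ("run_key_gc6updater", re.compile(r"CurrentVersion\\Run\\GC6Updater", re.I)),
    ("explorer32_stay", re.compile(r"\\Libraries\\explorer32\.exe\b.*-stay", re.I)),
    ("schtask_updatelibrary", re.compile(r"\bschtasks\b.*\bUpdateLibrary\b", re.I)),
    ("service_fastbootsvc", re.compile(r"\bFastBootSvc\b", re.I)),
    ("rdp_sherlock", re.compile(r"\brdp-sherlock\.exe\b", re.I)),
    ("c2_jtop", re.compile(r"\bj-top\.biz\b.*\b4545\b", re.I)),
    ("shadow_copy_deletion", re.compile(r"\bvssadmin\b.*\bdelete\s+shadows\b", re.I)),
]


def scan_lines(lines):
    """Return (line_no, rule_name, line) for every rule hit; a line may hit several rules."""
    hits = []
    for no, line in enumerate(lines, 1):
        for name, pat in RULES:
            if pat.search(line):
                hits.append((no, name, line.strip()))
    return hits


def summarize(hits):
    """Count hits per rule so an analyst sees at a glance which artefacts are present."""
    out = {}
    for _, name, _ in hits:
        out[name] = out.get(name, 0) + 1
    return out


# Constructed lines in the shape of Sysmon events (IDs 1, 3, 13) and a System 7045
# service-install event. Paths and the SID are made up; svc.exe is a placeholder name.
SAMPLE_LOG = [
    r"EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\GC6Updater Details=C:\Users\Public\Libraries\explorer32.exe -stay",
    r"EventID=1 Image=C:\Windows\System32\schtasks.exe CommandLine=schtasks /create /tn UpdateLibrary /tr C:\Users\Public\Libraries\explorer32.exe",
    r"EventID=7045 ServiceName=FastBootSvc ImagePath=C:\Windows\System32\spool\drivers\color\svc.exe",
    r"EventID=1 Image=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin delete shadows /all /quiet",
    r"EventID=3 Image=C:\Users\Public\Libraries\explorer32.exe DestinationHostname=j-top.biz DestinationPort=4545",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
]

if __name__ == "__main__":
    for no, name, line in scan_lines(SAMPLE_LOG):
        print(f"line {no}: {name}")
    print(summarize(scan_lines(SAMPLE_LOG)))
```

Feed real exported lines (one event per line) to scan_lines() and treat any hit as a reason to collect the logs from step 2 before any scanner touches the host.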

3. File Decryption & Recovery

  • No free decryptor exists (ECC Curve25519 asymmetric key kept server-side). Victims who pay receive a Python stub + private key valid only for their ID.
  • Recovery paths:
    1. Restore from clean off-line backup (fastest, 100 % success).
    2. Roll back using Windows shadow copies – most affiliates delete them with vssadmin delete shadows /all, but still check:
       vssadmin list shadows → if any remain, mount as volume → copy data.
    3. Use file-recovery carving (PhotoRec, R-Studio) on disks where only the first 5 MB were encrypted; small files (≤ 2 MB) are fully lost but large media (videos, SQL .mdf > 100 MB) recover with header damage.
    4. Submit one encrypted file + __FASTSUPPORT_RESTORE__.txt to https://www.nomoreransom.org – if an alliance decryptor is released you will receive an alert.
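Before carving (recovery path 3), it helps to know which regions of a large file were actually overwritten. The partial-encryption scheme from section 1 (first 5 MB plus scattered 2 MB blocks, Salsa20 output) means encrypted regions look like uniform random bytes while the rest keeps the original's entropy. The following entropy map is an added example, not the guide's or any tool's code; it assumes only that scheme, decrypts nothing, and build_constructed_sample() is a scaled-down synthetic stand-in rather than a real sample.

```python
"""Entropy map for partially encrypted files (added example, not from the guide).
Assumes only what the guide states: the first 5 MB plus scattered 2 MB blocks are
Salsa20 output (near-uniform bytes) and the rest is the original content. It maps
intact vs. encrypted regions to guide carving; nothing here decrypts anything."""
import math
import os
from collections import Counter


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: ~8.0 for cipher output, typically 4-6 for text/SQL."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def file_chunks(path: str, chunk_size: int = 1 << 20):
    """Stream a file in fixed chunks so 100 MB+ files need not fit in memory."""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            yield chunk


def map_encrypted_regions(chunks, threshold: float = 7.9):
    """Merge consecutive chunks into runs of (offset, length, is_encrypted).
    Caveat: already-compressed formats (zip, jpeg, mp4) also sit near 8.0
    bits/byte, so confirm hits against the file type's expected layout."""
    runs, off = [], 0
    for chunk in chunks:
        enc = shannon_entropy(chunk) >= threshold
        if runs and runs[-1][2] == enc:
            start, length, _ = runs[-1]
            runs[-1] = (start, length + len(chunk), enc)
        else:
            runs.append((off, len(chunk), enc))
        off += len(chunk)
    return runs


def split_chunks(data: bytes, chunk_size: int):
    """Chunk an in-memory sample the same way file_chunks() chunks a file."""
    return (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))


def build_constructed_sample(chunk_size: int = 8192) -> bytes:
    """Constructed stand-in, scaled down: 5 encrypted head chunks, 6 intact,
    one 2-chunk encrypted block, then 7 intact chunks (the guide's layout)."""
    line = b"INSERT INTO invoices VALUES (1, 'ACME', 1200.00);\n"
    plain = (line * (chunk_size // len(line) + 1))[:chunk_size]
    return (os.urandom(5 * chunk_size) + plain * 6
            + os.urandom(2 * chunk_size) + plain * 7)
```

On a real disk image call map_encrypted_regions(file_chunks(path)) with the default 1 MiB chunks; the intact runs tell you whether a header-damaged .mdf or video is worth carving at all.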

4. Other Critical Information

  • Unique quirks:
    – Drops a fake “AnyDesk remote support” pop-up to social-engineer the victim into believing the coming ransom note is from “FastSupport” (legitimate LogMeIn service) – persuades some users to pay faster.
    – Uses XMPP (Jabber) instead of Tor for C2 – domain xmpp.jp; subject to takedown but easy to re-register.
    – Affiliate kit includes a built-in checker that refuses to encrypt machines whose language code is 419/422 (Spanish – Latin America), showing that the actors avoid certain regions.
  • Wider impact:
    – Follows double-extortion: before encryption GC6 exfiltrates ~100 GB via MEGASync account → publishes on “Breach-forums” if unpaid.
    – Average demand: USD 1.1 M (Q4-2023 stats) but affiliates accept 15-25 % after a week of negotiation.
    – Supply-chain risk: several MSP remote-monitor agents were abused, leading to downstream client infections (legal liability discussion ongoing).

In a Nutshell

FastSupport ([email protected]) is an ECC-Salsa20 ransomware operated through the GC6 affiliate program. It relies on phishing, weak RDP, and vulnerable public apps (MOVEit, Office 0-days). Because private ECC keys are server-side, decryption is only possible through backups, shadow copies, or paying the criminals. Harden RDP & VPN, ban ISOs and public-remote tools, patch CVE-2023-34362/CVE-2023-36884 early, and store offline backups to withstand this and copy-cat variants. Backup today, not tomorrow.