fatp

[Content by Gemini 2.5]

Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .fatp
  • Renaming Convention:
    – The original filename is preserved and the extension .fatp is simply appended (e.g., Budget2023.xlsx → Budget2023.xlsx.fatp).
    – No fixed e-mail address, victim ID, or random hex string is inserted, so spotting the compromise in a folder listing is easy; it also means that if an earlier run did not finish, a later run of the ransomware keeps stacking .fatp on already-encrypted files (rare, but possible).
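The naming rule above makes a triage inventory straightforward. The following script is an added example, not part of the original write-up: it lists every .fatp file under a root, recovers the pre-encryption filename by peeling the appended suffix, and flags files where an interrupted earlier run left .fatp stacked more than once (the report path is an assumed default).

```powershell
# Added triage example (not from the original write-up). Lists every file
# carrying the appended .fatp extension under $Root, recovers the original
# filename, and flags files with a stacked suffix. $Report is an assumed default.
param(
    [Parameter(Mandatory = $true)][string]$Root,
    [string]$Report = (Join-Path $env:TEMP 'fatp-inventory.csv')
)

function Get-FatpInventory {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Filter '*.fatp' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name  = $_.Name
            $depth = 0
            # The ransomware only appends, so stripping one ".fatp" per loop
            # recovers the original name and counts how many runs touched the file.
            while ($name.EndsWith('.fatp', [System.StringComparison]::OrdinalIgnoreCase)) {
                $name = $name.Substring(0, $name.Length - 5)
                $depth++
            }
            [pscustomobject]@{
                EncryptedPath = $_.FullName
                OriginalName  = $name
                StackDepth    = $depth
                LastWriteUtc  = $_.LastWriteTimeUtc
                SizeBytes     = $_.Length
            }
        }
}

$inv = @(Get-FatpInventory -Path $Root)
if ($inv.Count -eq 0) { 'No .fatp files found under {0}' -f $Root; return }

$inv | Export-Csv -LiteralPath $Report -NoTypeInformation -Encoding UTF8

# Write times of the encrypted copies approximate the encryption window, which
# is the first thing to correlate against RDP logons and PowerShell logs.
$sorted  = $inv | Sort-Object LastWriteUtc
$stacked = @($inv | Where-Object { $_.StackDepth -gt 1 })
'{0} encrypted files; window {1:u} .. {2:u}; report: {3}' -f $inv.Count,
    $sorted[0].LastWriteUtc, $sorted[-1].LastWriteUtc, $Report
'{0} files with stacked .fatp extensions (earlier run interrupted)' -f $stacked.Count
$stacked | Select-Object EncryptedPath, StackDepth | Format-Table -AutoSize
```

Run it against a mounted evidence copy rather than the live volume so that the inventory itself does not change timestamps.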

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First submissions to public malware repositories and ID-Ransomware appeared in the second half of May 2024, with a noticeable cluster of victims reported on 22–26 May 2024. Copy-cat and phishing waves continued through June.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Malspam (“Payment Advice”, “DHL Invoice”, “Voicemail attached”) carrying ISO or ZIP → LNK → PowerShell stager → .NET loader.
    – Exposed RDP (TCP/3389 or tunneled via Cloudflare) secured only by weak or re-used passwords; once inside, actors drop fatp.exe to C:\ProgramData\.
    – Software bundles (pirated “game mods”, fake Chrome updates) pushed through Discord/Telegram links.
    – No current evidence of worm-like SMB/EternalBlue abuse; lateral movement is performed manually with psexec or WMIC using previously cracked local-admin hashes.

Remediation & Recovery Strategies:

1. Prevention

  • Disable RDP if unused; if required, put it behind a VPN, enforce NLA + 2FA, set “Account lockout threshold = 5”.
  • Block executables launched from %TEMP%, %LOCALAPPDATA%, or \ProgramData\ via Windows ASR rules or AppLocker.
  • Mail-gateway filters: strip ISO, IMG, VHD, and macro-enabled Office files from external senders.
  • Keep a conservative “3-2-1” backup regime with one OFFLINE copy (no mapped SMB drive letter), because fatp enumerates and deletes Volume Shadow Copies (vssadmin delete shadows /all).
  • Update PowerShell to 5.x and enable ScriptBlock and Transcript logging; the stager is universally caught by AMSI once fully patched.
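The locally settable items in the list above can be applied with a short script. The following is an added example, not part of the original write-up; it assumes an elevated session and a transcript directory of C:\PSTranscripts, and it leaves AppLocker path rules out because they need a per-environment allow-list.

```powershell
# Added hardening example (not from the original write-up). Applies the
# locally settable prevention items; test on one machine before rollout.
# C:\PSTranscripts is an assumed value.

# Account lockout threshold = 5 (blunts password guessing against exposed RDP).
net accounts /lockoutthreshold:5 | Out-Null

# Require Network Level Authentication for RDP (UserAuthentication = 1).
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name UserAuthentication -Value 1 -Type DWord

# PowerShell ScriptBlock logging (Event ID 4104) and transcripts: the policy
# keys do not exist by default, so create them before setting values.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$psPolicy\Transcription" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
Set-ItemProperty -Path "$psPolicy\Transcription" -Name OutputDirectory -Value 'C:\PSTranscripts' -Type String

# Defender ASR rules (IDs from Microsoft's published ASR list; verify before rollout):
#  - d1e49aac-...: block process creations from PsExec/WMI, the manual
#    lateral-movement path noted above (breaks ConfigMgr clients; use AuditMode there)
#  - 01443614-...: block executables failing prevalence/age/trusted-list checks,
#    which covers a freshly dropped loader in %TEMP% or \ProgramData\
Add-MpPreference -AttackSurfaceReductionRules_Ids `
        'd1e49aac-8f56-4280-b9ba-993a6d77406c', '01443614-cd74-433a-b99e-2ecdc07bfc25' `
    -AttackSurfaceReductionRules_Actions Enabled, Enabled

# Confirm what is now enforced.
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions
```

Roll the ASR rules out in AuditMode first and review the Defender operational log for blocked-would-be events before switching to Enabled.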

2. Removal

  1. Disconnect the machine from the network (disable Wi-Fi / pull ethernet).
  2. Boot into Safe-Mode-with-Networking or mount the disk from a clean WinPE.
  3. Delete the persistence items:
    – Scheduled task \Microsoft\Windows\DiskFootprint\fatpSync
    – Registry run-key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\footPrint
  4. Remove dropped binaries (paths vary):
    C:\ProgramData\fatp.exe; %APPDATA%\LocalFoot\svhost.exe; %PUBLIC%\Libraries\ntquery.dll (encrypted payload, inactive after first run).
  5. Remove the malicious service named “NVSMBHelper” (display-name mismatch).
  6. Reboot normally and run a full scan with Defender / Malwarebytes / ESET; expect detection names:
    Ransom:MSIL/Fatp.A, Ransom.MSIL.FATP.PE, Trojan.MSIL.Cryptor.heur.
  7. Re-join the network only after the scan is clean and you have externally-created backups ready.
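The persistence and file checks in the steps above can be scripted so that the audit is repeatable and the samples are preserved. The following is an added example, not part of the original write-up: it reports the named task, run-key, service and binaries, and only with -Remove deletes them after copying each binary to a quarantine folder (an assumed path). HKCU is the hive of the user running the script, so run it in the compromised user's context or inspect HKU\<SID>\...\Run for other profiles.

```powershell
# Added example (not from the original write-up): audit, then optionally remove,
# the persistence items and dropped binaries from the removal steps. Run
# elevated. $Quarantine is an assumed default.
param([switch]$Remove, [string]$Quarantine = 'C:\IR\quarantine')

$TaskPath = '\Microsoft\Windows\DiskFootprint\'
$TaskName = 'fatpSync'
$RunKey   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'footPrint'
$Service  = 'NVSMBHelper'
$Binaries = @(
    'C:\ProgramData\fatp.exe',
    (Join-Path $env:APPDATA 'LocalFoot\svhost.exe'),
    (Join-Path $env:PUBLIC  'Libraries\ntquery.dll')
)

function Test-FatpPersistence {
    $svc = Get-CimInstance Win32_Service -Filter "Name='$Service'"
    # The display name is a decoy, so record the real binary the service launches.
    $svcPath = if ($svc) { $svc.PathName } else { $null }
    [pscustomobject]@{
        Task        = [bool](Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue)
        RunKey      = [bool]((Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue).$RunValue)
        Service     = [bool]$svc
        ServicePath = $svcPath
        Binaries    = @($Binaries | Where-Object { Test-Path -LiteralPath $_ })
    }
}

$state = Test-FatpPersistence
$state | Format-List
if (-not $Remove) { 'Audit only; re-run with -Remove to clean up.'; return }

if ($state.Task)    { Unregister-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -Confirm:$false }
if ($state.RunKey)  { Remove-ItemProperty -Path $RunKey -Name $RunValue }
if ($state.Service) {
    Stop-Service -Name $Service -Force -ErrorAction SilentlyContinue
    sc.exe delete $Service | Out-Null
}
New-Item -ItemType Directory -Path $Quarantine -Force | Out-Null
foreach ($bin in $state.Binaries) {
    # Preserve the sample and its hash for the incident record before deleting it.
    Copy-Item -LiteralPath $bin -Destination $Quarantine -Force
    (Get-FileHash -LiteralPath $bin -Algorithm SHA256).Hash + '  ' + $bin |
        Add-Content -LiteralPath (Join-Path $Quarantine 'hashes.txt')
    Remove-Item -LiteralPath $bin -Force
}
'Cleanup done; reboot and run the full AV scan before re-joining the network.'
```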

3. File Decryption & Recovery

  • Recovery Feasibility: Files are encrypted with ChaCha20 (256-bit key), and the file keys are protected with ECDH using a P-384 public key embedded in the binary. Each victim gets a unique ECC private key that is stored only on the attacker’s server. OFFLINE decryption without the criminal’s private key is therefore currently impossible.
  • Free decryptor: None released by law-enforcement or security vendors as of this writing.
  • Checklist:
    – Search for un-wiped Windows shadow copies (vssadmin list shadows); occasionally the wiping fails on ancient (v4) VSS installations.
    – Inspect attached USB/cloud-sync folders; fatp encrypts drives A:–Z: but often skips Google Drive “Stream” stubs and OneDrive “Files-On-Demand” placeholders, so victims sometimes recover cloud-resident originals.
    – Rebuild from the most recent OFFLINE backup; verify backup integrity before restoring an entire DC or ERP system.

4. Other Critical Information

  • Additional Precautions:
    – fatp deletes the Windows RE image (\WinRE\Winre.wim) to prevent roll-back using “Reset this PC”. Re-create the partition after disinfection.
    – It drops a text file named +-README_fatp-+-.txt in every folder; the note asks victims to contact [email protected] / @footCorp (Tox). The demanded price usually starts at ~0.08 BTC, but negotiations halve that figure in ≤48 h.
    – Encryption ends with a forced bcdedit /set {default} bootstatuspolicy ignoreallfailures, which hides future BSODs and is undesirable on business workstations. Revert with bcdedit /deletevalue {default} bootstatuspolicy.
  • Broader Impact:
    – FATP appears to be operated by a small “affiliate” crew that also ran the former “Mimic” and “Ural” variants (code overlaps in the ChaCha20 wrapper and identical ransom-note wording). Because infection occurs post-compromise rather than by worm, targeted SMEs in Germany and Spain and U.S. municipalities are heavily over-represented: sectors where IT teams are lean and exposed RDP is common.
    – As of mid-June 2024, chain analysis puts ≈38 BTC through their static wallet, indicating roughly 150–170 victims who paid; nevertheless, enterprise-scale downtime costs still outweigh the demanded amount, underscoring why clean, tested backups remain the cheapest insurance.

Stay safe, patch boldly, and remember: good, offline backups make every ransomware author powerless.