Search Results
FastWind Ransomware – Community Resource Sheet Compiled by: Cyber-defense & Incident-response Team Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: .fastwind (lowercase). Renaming convention: OriginalName<dot>ext → OriginalName.ext.fastwind No e-mail address, random string, or campaign-ID is inserted. Files in network shares acquire the same suffix, indicating the encryption driver walks mounted drives alphabetically. Shadow…
FastSupport (“[email protected]”) Ransomware – Community Defense Guide Technical Breakdown 1. File Extension & Renaming Patterns Confirmed extension: [email protected] (some variants append [email protected]@xmpp.jp when the first round of encryption is interrupted and the binary is re-launched) Renaming convention: OriginalName.docx → [email protected] Folders receive an additional desktop/Lokibot-style marker: __FASTSUPPORT_RESTORE__.txt dropped in every encrypted directory. Encryption schema: Salsa20…
Technical Breakdown: Ransomware associated with the e-mail address “[email protected]” (there is no single “brand” name; most vendors track it as a Phobos/Eldorado cluster) 1. File Extension & Renaming Patterns Encrypted file extension: .<originalName>.id-<8-hex-chars>.[[email protected]].fastrecovery ‑ Example: Report.xlsx → Report.xlsx.id-A1B2C3D4.[[email protected]].fastrecovery ‑ The same sample drops both “info.txt” and “info.hta” ransom notes. ‑ No generic extension – every…
Comprehensive Ransomware Resource for the .fastrecovery.xmpp.jp / “J-Sec Ransomware” Technical Breakdown 1. File Extension & Renaming Patterns Extension affixed: .fastrecovery.xmpp.jp Example: Q4-Budget.xlsx → Q4-Budget.xlsx.fastrecovery.xmpp.jp No file-name scrambling – the malware preserves the original base name and simply appends the full domain string. Dropped marker file: ReadMe.txt (sometimes Read_Me.txt or Restore-My-Files.txt) in every folder containing encrypted…
Ransomware Profile – “FASTBOB” (.FASTBOB file extension) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Extension appended: .FASTBOB (lower-case letters, no space or hyphen) Renaming convention: – Original name is preserved, extension is simply added to the tail. Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.FASTBOB – No email address, victim-ID, or random string is inserted in the name…
FASTBACKDATA Ransomware – Community Defense Resource Technical Breakdown 1. File Extension & Renaming Patterns Confirmation of File Extension: “.fastbackdata” (extension is appended, NOT substituted). Example: Budget2024.xlsx.fastbackdata Renaming Convention: Original file name + “.fastbackdata” (no e-mail, ID string, or random bytes are inserted). Folders receive a plain-text ransom note ##-FASTBACKDATA-README-##.txt (sometimes duplicated as .hta dropped into…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: Files hit by “FAST” ransomware acquire the suffix “.fast” (lowercase, no additional digits or brackets). Renaming Convention: Original file names are kept intact and the four-letter extension is simply appended—Project.xlsx → Project.xlsx.fast. Folders receive a plain-text ransom note (README.txt) but their names are…
Ransomware Brief: “.fartplz” (a.k.a. “FARTPLZ RANSOMWARE”) TECHNICAL BREAKDOWN 1. File Extension & Renaming Patterns Confirmed extension appended: .fartplz (lower-case, no space or extra digit) Renaming convention: Original file: 2024-Budget.xlsx After encryption: 2024-Budget.xlsx.fartplz Folder-level marker dropped: FARTPLZ-README.txt (sometimes HOW_TO_RECOVER.hta) in every affected directory and on the desktop. No changes to the file’s internal name/time-stamp—only the double…
Technical Breakdown: 1. File Extension & Renaming Patterns Confirmation of File Extension: .FARTINGGIRAFFEATTACKS (lower-case variants .fartinggiraffeattacks have also been observed). Renaming Convention: Original file names are kept in full, but the 19-byte extension is appended immediately after the final dot. Example: Project_Q4.xlsx → Project_Q4.xlsx.FARTINGGIRAFFEATTACKS Holiday-2023.jpg → Holiday-2023.jpg.FARTINGGIRAFFEATTACKS 2. Detection & Outbreak Timeline Approximate Start Date/Period:…
Ransomware Resource Sheet – “Fargo3” (also sold as “Mallox”, “TargetCompany”, “Mawaq”) Technical Breakdown 1. File Extension & Renaming Patterns Extension appended: .fargo3 (earlier campaigns used .fargo, .fargo2, .mallox, .mafa1/2, .mawaq, .xollam, .backservice, .tocue, etc.) Renaming convention: OriginalName.OriginalExtension.[VictimID].[ATTACKER-EMAIL].fargo3 Example: ProjectQ3.xlsx.{F3E9A7C1}[email protected] If the file was in a deeply-nested path, only the file name is touched; the folder…