fartplz

[Content by Gemini 2.5]

Ransomware Brief: “.fartplz” (a.k.a. “FARTPLZ RANSOMWARE”)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmed extension appended: .fartplz (lower-case, no space or extra digits)
  • Renaming convention: the extension is appended to the complete original name, e.g. 2024-Budget.xlsx → 2024-Budget.xlsx.fartplz
  • Ransom note dropped: FARTPLZ-README.txt (sometimes HOW_TO_RECOVER.hta) in every affected directory and on the desktop.
  • The base name and time-stamps are left untouched; only the extra extension is added, so file sizes still look normal while the contents are unusable.

2. Detection & Outbreak Timeline

  • First public submission: 2023-12-14 on VirusTotal (hash e1b1…ab94; 5/71 detections at the time).
  • Noticeable spike in ID-Ransomware uploads: 2024-01-09 → 2024-01-18, suggesting a mid-January worm-like push.
  • Current activity (Q2 2024): low-to-moderate and opportunistic rather than mass-botnet; most prevalent in North America and Western Europe.

3. Primary Attack Vectors

  1. RDP brute-force / credential stuffing → manual drop of update.exe (main payload).
  2. Pirated-software bundles (“Adobe 2024 crack.exe”) on torrent sites and Discord links; installs the Python 3.11 runtime plus the ransomware script fartplz.py compiled with Nuitka (fartplz.exe).
  3. Weaponised e-mail attachments: an ISO or IMG containing a LNK (UPS “invoice.lnk”) → PowerShell pulls the loader from a throw-away file[.]tk domain.
  4. Exploitation of unpatched Atlassian Confluence (CVE-2023-22515, Oct 2023) on public-facing servers for the initial foothold; lateral movement via SMB/PsExec then deploys .fartplz to every reachable share.
  5. Living-off-the-land, run just before encryption: vssadmin delete shadows /all, bcdedit /set {default} recoveryenabled No, and wevtutil cl <log> (e.g. wevtutil cl Security) to clear event logs.
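The three living-off-the-land commands in item 5 are the most reliable pre-encryption tell in process-creation telemetry. The following is an added example (not code from the brief or from any vendor) showing how a detection would match them in Security 4688 / Sysmon Event ID 1 records and correlate a burst per host. The flat `key=value` log layout is an assumption, every sample line is constructed, and the rule set also catches the WMI route (`wmic shadowcopy delete`) that the brief's vssadmin-only wording would miss.

```python
"""Process-creation log triage for the living-off-the-land commands listed
above (vssadmin delete shadows, bcdedit recoveryenabled No, wevtutil cl).

Added example, not code from the brief. The log format is an assumed flat
'key=value' export of Security 4688 / Sysmon EID 1 records, and every sample
line is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple

# (technique, pattern) pairs; patterns run against the lower-cased command line
# so VSSADMIN / Vssadmin / vssadmin.exe all match. Two patterns may map to one
# technique (vssadmin and wmic both delete shadow copies).
RULES: List[Tuple[str, re.Pattern]] = [
    ("shadow_copy_deletion", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("shadow_copy_deletion", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("recovery_disabled",    re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b")),
    ("eventlog_cleared",     re.compile(r"\bwevtutil(\.exe)?\b\s+cl\b")),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"image=(?P<image>\S+)\s+cmdline=(?P<cmdline>.*)$"
)

@dataclass
class Hit:
    when: datetime
    host: str
    user: str
    technique: str
    cmdline: str

def scan(lines: Iterable[str]) -> List[Hit]:
    """One Hit per (line, technique) match; benign admin use such as
    'vssadmin list shadows' or 'wevtutil qe' produces nothing."""
    hits: List[Hit] = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or malformed line
        cmd = m.group("cmdline")
        lowered = cmd.lower()
        seen = set()
        for technique, pat in RULES:
            if technique not in seen and pat.search(lowered):
                seen.add(technique)
                hits.append(Hit(datetime.fromisoformat(m.group("ts")),
                                m.group("host"), m.group("user"), technique, cmd))
    return hits

def correlate(hits: List[Hit], window: timedelta = timedelta(minutes=10),
              min_techniques: int = 2) -> Dict[str, List[str]]:
    """Alert per host when at least `min_techniques` distinct techniques land
    inside one `window`; a lone hit is left for an analyst, a burst of
    shadow-deletion + recovery-disable + log-clear is the pre-encryption tell."""
    by_host: Dict[str, List[Hit]] = defaultdict(list)
    for h in hits:
        by_host[h.host].append(h)
    alerts: Dict[str, List[str]] = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h.when)
        for i, first in enumerate(hs):
            burst = [h for h in hs[i:] if h.when - first.when <= window]
            techniques = sorted({h.technique for h in burst})
            if len(techniques) >= min_techniques:
                alerts[host] = techniques
                break
    return alerts

# Constructed sample: one host shows the full sequence, one runs only the WMI
# variant, the remaining lines are routine admin activity.
SAMPLE_LOG = r"""
2024-01-10T03:14:07 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin delete shadows /all /quiet
2024-01-10T03:14:09 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\bcdedit.exe cmdline=bcdedit /set {default} recoveryenabled No
2024-01-10T03:14:11 host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil cl Security
2024-01-10T03:20:00 host=WS12 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmdline=WMIC shadowcopy delete
2024-01-10T08:00:00 host=WS07 user=CORP\helpdesk image=C:\Windows\System32\wevtutil.exe cmdline=wevtutil qe Application /c:5
2024-01-10T08:05:00 host=WS09 user=CORP\admin image=C:\Windows\System32\vssadmin.exe cmdline=vssadmin list shadows
"""

def demo() -> Dict[str, List[str]]:
    return correlate(scan(SAMPLE_LOG.splitlines()))

if __name__ == "__main__":
    for host, techniques in demo().items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

Running it alerts only on FS01, where all three techniques land within ten seconds; the single `wmic shadowcopy delete` on WS12 is recorded as a hit but left below the two-technique threshold, and the `list`/`qe` admin commands never match. Tune `window` and `min_techniques` to the environment rather than alerting on any single vssadmin invocation.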

REMEDIATION & RECOVERY STRATEGIES

1. Prevention (non-negotiables)

  • Patch externally reachable services immediately: Confluence, AnyDesk, GoAnywhere MFT, Citrix NetScaler; disable SMBv1 everywhere.
  • Enforce unique passwords of 15+ characters and an account-lockout policy on RDP; put RDP behind a VPN / SASE gateway with MFA.
  • Segment LANs and block workstation-to-workstation SMB at the firewall; this alone stops most “spray-and-encrypt” runs.
  • Keep at least one offline (unplugged) backup copy plus one immutable cloud snapshot (S3 Object Lock, Azure immutable blob storage).
  • Application allow-listing (Windows Defender Application Control or AppLocker) to block python.exe, msiexec.exe and unsigned binaries launched from %TEMP%.

2. Removal / Eradication Steps

  1. Isolate the machine (pull the cable / disable Wi-Fi) to stop further encryption of mapped shares.
  2. Collect a RAM dump and disk image if a criminal investigation is likely; otherwise proceed to clean-up.
  3. Boot from an external recovery disk (WinPE / Kaspersky Rescue / Bitdefender Rescue) and:
  • Delete scheduled tasks named FartSync, PySync, UpdateCache.
  • Remove persistence entries:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pySync
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\FartRunner
  • Erase the main executables: %LOCALAPPDATA%\FartService.exe, %TEMP%\fartplz.exe, C:\ProgramData\py\pythonw.exe.
  4. Run a reputable, fully updated AV scanner (ESET, Kaspersky, Defender) to sweep remnants; 44/46 engines now detect the family generically (Trojan:Win32/Fartplz, Ransom:Python/Fartplz).
  5. Rebuild the machine from a clean OS image, or roll back to a VM snapshot taken before the patient-zero timestamp.

3. File Decryption & Recovery

  • Decryptable? NO. The malware generates a per-victim Curve25519 key pair, derives a ChaCha20 symmetric key from it, and immediately ships the victim’s private key to crplz6mhjazarv2xvqac5jmboplbtc5zhnkcby7kwv7dkf4ip5di5vqd[.]onion. The local copy of the private material is then overwritten with random bytes from CryptGenRandom, so nothing recoverable remains on disk.
  • No free decryptor exists (check periodically: NoMoreRansom.org & id-ransomware.malwarehunterteam).
  • Restore options:
    – Catalogue shadow copies that survived (vssadmin list shadows); about 75 % of observed samples miss boot-time ReFS snapshots, so ShadowExplorer can often extract older file revisions.
    – Recreate Office/AutoCAD files from e-mail attachments, collaboration platforms (SharePoint version history) or application-specific caches.
    – If SQL or VMDK files are lost and backups are partial, raw data carving with PhotoRec / R-Studio may recover smaller fragments (rarely usable without reconstruction).

4. Other Critical Information

  • Unique characteristics:
    – Written entirely in Python, then packaged to a PE; hard-coded exclusions for .exe, .dll and .sys keep the OS bootable so victims can read the ransom note.
    – Uses “friendly-sounding” ransom notes (“🎈 relax bro… we only want USD 600 in XMR…”) to lower the barrier to payment; still double-extorts, using rclone to exfiltrate interesting folders to Mega.nz before encryption.
    – Adopts the intermittent-encryption trend: encrypts only 1 MB of every 8 MB, which gives very fast run times and defeats some behavioural heuristics.
    – Network beacons carry a User-Agent string containing “/fart”, which is easy to spot in proxy logs.
  • Broader impact: because initial intrusion usually relies on Confluence or stolen RDP credentials, entire small-business networks are encrypted within 30 minutes. The average demand stays low ($600–$2,400 equivalent in XMR), which yields a high payment “conversion” and incentivises further Python-coded copycats. The family is now being rebranded and resold on dark-web markets as “FART-RAAS” (a Ransomware-as-a-Service kit).
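Two of the facts above decide how triage goes: the renaming pattern from section 1 (original name + `.fartplz`, note file per folder) and the 1 MB-in-8 MB intermittent encryption, which means most of each large file is still plaintext and a naive "is it high entropy?" check on the whole file would under-count damage. The following is an added example, not code from the brief, that inventories a tree, recovers original names, maps where notes were dropped, and profiles each encrypted file by sampling entropy inside and outside the stripes. The stripe and period sizes, the 7.5 bits/byte threshold and the note filenames are assumptions taken from the brief's figures, and the victim tree it builds is constructed.

```python
"""Triage scanner for the .fartplz renaming pattern (section 1) and the
intermittent 1 MB-in-8 MB encryption described above.

Added example, not code from the brief. Stripe/period sizes, the entropy
threshold and the ransom-note names used for matching follow the brief's
figures but are assumptions here, and the victim tree the demo builds is
constructed, not a real infection.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

EXT = ".fartplz"
NOTE_NAMES = {"FARTPLZ-README.txt", "HOW_TO_RECOVER.hta"}
STRIPE = 1 * 1024 * 1024     # assumed encrypted stripe length
PERIOD = 8 * 1024 * 1024     # assumed distance between stripe starts
HIGH_ENTROPY = 7.5           # bits/byte; ChaCha20 output sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path: Path, stripe: int = STRIPE, period: int = PERIOD,
             sample: int = 64 * 1024) -> str:
    """Sample entropy at the start of every period (inside the stripe) and
    midway through the remainder (outside it). intermittent = high inside /
    low outside, full = high everywhere, plaintext = low everywhere,
    mixed = anything else (worth a manual look)."""
    size = path.stat().st_size
    inside: List[float] = []
    outside: List[float] = []
    with open(path, "rb") as f:
        start = 0
        while start < size:
            f.seek(start)
            inside.append(shannon_entropy(f.read(sample)))
            mid = start + stripe + (period - stripe) // 2
            if mid + sample <= size:
                f.seek(mid)
                outside.append(shannon_entropy(f.read(sample)))
            start += period
    def hi(xs): return all(e >= HIGH_ENTROPY for e in xs)
    def lo(xs): return all(e < HIGH_ENTROPY for e in xs)
    if hi(inside) and outside and lo(outside):
        return "intermittent"
    if hi(inside) and hi(outside):   # outside is empty for files under one period
        return "full"
    if lo(inside) and lo(outside):
        return "plaintext"
    return "mixed"

def triage(root: Path) -> Dict[str, object]:
    """Inventory encrypted files, recover original names, map ransom notes
    (and folders that got none) and profile each encrypted file."""
    encrypted = sorted(p for p in root.rglob("*" + EXT) if p.is_file())
    note_dirs = {p.parent for p in root.rglob("*") if p.name in NOTE_NAMES}
    def rel(p: Path) -> str: return p.relative_to(root).as_posix()
    return {
        "encrypted_files": [rel(p) for p in encrypted],
        "original_names": [p.name[:-len(EXT)] for p in encrypted],
        "note_dirs": sorted(rel(d) for d in note_dirs),
        "dirs_missing_note": sorted({rel(p.parent) for p in encrypted if p.parent not in note_dirs}),
        "profiles": {rel(p): classify(p) for p in encrypted},
    }

ROW = b"2024 budget row,12.50,EUR\n"   # constructed plaintext filler

def make_intermittently_encrypted(path: Path, size: int,
                                  stripe: int = STRIPE, period: int = PERIOD) -> None:
    """Constructed stand-in for .fartplz output: random bytes for the first
    `stripe` bytes of every `period`, untouched plaintext in between."""
    with open(path, "wb") as f:
        pos = 0
        while pos < size:
            in_stripe = pos % period < stripe
            n = min(stripe if in_stripe else period - stripe, size - pos)
            f.write(os.urandom(n) if in_stripe else (ROW * (n // len(ROW) + 1))[:n])
            pos += n

def build_sample_tree(root: Path) -> None:
    """Constructed victim directory: one large striped file with its note,
    one small fully-random file whose folder got no note, one untouched file."""
    finance = root / "Finance"
    finance.mkdir(parents=True)
    make_intermittently_encrypted(finance / ("2024-Budget.xlsx" + EXT), 20 * 1024 * 1024)
    (finance / "FARTPLZ-README.txt").write_text("constructed ransom note\n")
    hr = root / "HR"
    hr.mkdir()
    (hr / ("staff.docx" + EXT)).write_bytes(os.urandom(300 * 1024))
    (root / "notes.txt").write_text("untouched plaintext\n")

def run_demo() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "victim"
        build_sample_tree(root)
        return triage(root)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point `triage()` at a mounted image of a victim share instead of the demo tree. The `profiles` map tells you which large files still carry recoverable plaintext between stripes (useful for carving SQL or VMDK contents), and `dirs_missing_note` flags folders the encryptor touched without finishing, which is where interrupted runs and partially intact files tend to be found.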

TL;DR Cheat-Sheet

  • Extension: .fartplz; intermittent ChaCha20 encryption, key shipped to C2.
  • Spread: weak RDP, cracked software, Confluence CVE-2023-22515.
  • No decryptor → restore from offline backup or pay (not advised).
  • Kill-switch for new infections: patch Confluence/NetScaler, enforce MFA, disable SMBv1, and run EDR with tamper protection and Defender ASR rules enabled (CrowdStrike, SentinelOne, Defender).

Stay patched, stay segmented, keep an offline backup—the three bullets that will outrun ANY fart joke gone malicious.