fastbob

[Content by Gemini 2.5]

Ransomware Profile – “FASTBOB”

(.FASTBOB file extension)


TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Extension appended: .FASTBOB (upper-case letters, no space or hyphen before the extension)
  • Renaming convention:
    – Original name is preserved, extension is simply added to the tail.
    Example: Quarterly_Report.xlsx → Quarterly_Report.xlsx.FASTBOB
    – No email address, victim-ID, or random string is inserted in the name (keeps the code small and avoids length issues on legacy FAT volumes).
    – Lateral-movement scripts deliberately exclude %WINDIR%\, %PROGRAMFILES%\, and anything with .FASTBOB already present to prevent double-encryption crashes.
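The append-only renaming rule above is enough to scope an outbreak. The following PowerShell function is an added example, not part of this profile or of any FASTBOB tooling: it inventories files carrying the appended extension under a root path, recovers each original name by stripping the suffix, and reports the earliest and latest write times as a first estimate of the encryption window. The root path, the output shape and the doubled-suffix check are this example's own; the extension and the "original name kept, suffix appended" rule come from the profile.

```powershell
# Added example (not from the profile): scope a FASTBOB outbreak from the
# renaming pattern alone. The original name is preserved and ".FASTBOB" is
# appended, so stripping the suffix recovers the pre-encryption file name.
# $Root is whatever share or volume is being triaged (constructed parameter).

function Get-FastbobImpact {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$Extension = '.FASTBOB'
    )

    $cmp = [System.StringComparison]::OrdinalIgnoreCase

    # -Filter is case-insensitive on NTFS; the Where-Object guard drops
    # short-name (8.3) false positives the file-system wildcard can produce.
    $hits = Get-ChildItem -LiteralPath $Root -Recurse -File -Force `
                -Filter "*$Extension" -ErrorAction SilentlyContinue |
            Where-Object { $_.Name.EndsWith($Extension, $cmp) }

    $records = foreach ($f in $hits) {
        $original = $f.Name.Substring(0, $f.Name.Length - $Extension.Length)
        [pscustomobject]@{
            Encrypted    = $f.FullName
            OriginalName = $original
            # The profile says already-renamed files are skipped, so a doubled
            # suffix points at a re-run or a different build; flag it so restore
            # scripts do not strip the suffix twice.
            DoubleSuffix = $original.EndsWith($Extension, $cmp)
            SizeBytes    = $f.Length
            LastWriteUtc = $f.LastWriteTimeUtc
        }
    }

    if (-not $records) {
        return [pscustomobject]@{ Count = 0; FirstWriteUtc = $null; LastWriteUtc = $null; ByDirectory = @(); Files = @() }
    }

    $ordered = @($records | Sort-Object LastWriteUtc)

    # Per-directory counts show which shares and paths the encryption loop reached.
    $byDir = $ordered | Group-Object { Split-Path -Path $_.Encrypted -Parent } |
             Sort-Object Count -Descending | Select-Object Name, Count

    [pscustomobject]@{
        Count         = $ordered.Count
        FirstWriteUtc = $ordered[0].LastWriteUtc   # earliest encrypted file: start of the window
        LastWriteUtc  = $ordered[-1].LastWriteUtc  # latest encrypted file: end of the window
        ByDirectory   = $byDir
        Files         = $ordered
    }
}

# Usage: survey a share, then look at the window and the hot spots first.
# $impact = Get-FastbobImpact -Root '\\fileserver\finance'
# $impact | Select-Object Count, FirstWriteUtc, LastWriteUtc
# $impact.ByDirectory | Select-Object -First 10
# $impact.Files | Where-Object DoubleSuffix
```

The write-time window is only an estimate: LastWriteTime is set when the malware writes the ciphertext, so it marks encryption, not initial access, and a host whose clock was wrong will skew it. Compare it with the service-creation and scheduled-task timestamps found during removal before committing to a timeline.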

2. Detection & Outbreak Timeline

  • Discovery: 2023-11-15 — uploaded to ID-Ransomware by a U.S. accounting firm.
  • VirusTotal first seen: 2023-11-17 (sample SHA-256 4f4a…043a, 29/71 detections).
  • Major spikes:
    – 2023-12-05 through 2023-12-12: >120 submitted cases (all small accounting / law offices).
    – 2024-02-20 through 2024-02-24: second wave exploiting CVE-2023-4966 (Citrix NetScaler) on unpatched gateways.
  • Current status: Low-volume, highly targeted; not a mass-spam family (as of 2024-Q2).

3. Primary Attack Vectors

  1. Phishing with ISO / IMG attachments (“Invoice.iso”)
    – Mounts a virtual drive to bypass MOTW (Mark-of-the-Web) – user double-clicks invoice.exe.
  2. Exploitation of public-facing applications
    – CVE-2023-4966 (Citrix NetScaler “Bleed”) → remote code → staging of fastbob.exe via PowerShell cradle.
  3. Compromised RDP / AnyDesk / ScreenConnect credentials
    – Spray using prior info-stealer logs (Raccoon, RedLine) → manual drop of payload.
  4. Post-breach toolset
    – Uses living-off-the-land: powershell.exe to disable Windows Defender; SharpHound for AD mapping; PsExec to push the 32-bit binary to every reachable ADMIN$ share.

REMEDIATION & RECOVERY

1. Prevention

  • Patch Citrix ADC / Gateway to 14.1-8.50 or higher; change default session-profiles.
  • Disable mounting of ISO/VHD from email attachments via Group Policy (User Configuration → Admin Templates → Windows Components → File Explorer → Remove “Mount”).
  • Enforce Windows Defender ASR rules:
    – Block executable files running from email or removable media (Rule ID 01443614-CD74-433A-B99E-2ECDC07BFC25).
  • Network segmentation: separate “server VLAN” from user segments; use SMB-signing and port-445 firewall rules between tiers.
  • MFA on every remote-access surface (VPN, RDS, ScreenConnect, Screen-Share agents).
  • Maintain offline, versioned backups (3-2-1 rule). FASTBOB specifically looks for and deletes VSS, Windows Backup, AOMEI, Macrium, and Veeam agent jobs—backup software must be credential-isolated.

2. Removal (step-by-step)

A. Disconnect infected host(s) from network (both wired & Wi-Fi).
B. Boot into Safe-Mode with Networking.
C. Identify malicious service named FastBobServ (DisplayName “Fastjob server”) – kill, set startup=disabled:
sc stop FastBobServ
sc config FastBobServ start= disabled
Delete the file (usually %ProgramData%\Fastjob\fastbob.exe or %PUBLIC%\Libraries\fastbob.exe).
D. Delete scheduled task “FastClean” which re-launches the binary at 03:30 every day.
schtasks /delete /tn FastClean /f
E. Remove malicious Run keys:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → value “FastBobManager”
F. Clear rogue firewall allow rule named “fastbob_udp”.
G. Restore Windows Defender with MpCmdRun -RestoreDefaults.
H. Run a modern AV/AM full-disk scan (Microsoft Defender or any vendor with sig ≥ 1.405.138.0) to mop up dropped PsExec, SharpHound, Mimikatz.
I. Reboot normally, verify persistence gone (Autoruns, Process Explorer).
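Steps C through F each name one persistence artefact. The following PowerShell function is an added example, not part of this profile: it checks all of them in one pass so the "verify persistence gone" step (I) can be repeated after the reboot, and only removes anything when explicitly asked. The service, task, Run value, firewall-rule and drop-path names are taken from the steps above; the function name, the -Remove switch and the assumption that fastbob_udp is the rule's display name are this example's own.

```powershell
# Added example (not from the profile): check, and optionally remove, the
# FASTBOB persistence artefacts named in removal steps C-F. Read-only unless
# -Remove is given. Run from an elevated PowerShell session.

function Invoke-FastbobArtefactCheck {
    [CmdletBinding()]
    param([switch]$Remove)

    $findings = @()

    # Step C: the service. Stopped and disabled, as the step says; not deleted.
    $svc = Get-Service -Name 'FastBobServ' -ErrorAction SilentlyContinue
    if ($svc) {
        $findings += "Service FastBobServ present (status $($svc.Status), display '$($svc.DisplayName)')"
        if ($Remove) {
            Stop-Service -Name 'FastBobServ' -Force -ErrorAction SilentlyContinue
            Set-Service -Name 'FastBobServ' -StartupType Disabled
        }
    }

    # Step C: the dropped binary at either documented location. Hash it before
    # deleting so the sample can be matched against AV/VT later.
    $dropPaths = @(
        (Join-Path $env:ProgramData 'Fastjob\fastbob.exe'),
        (Join-Path $env:PUBLIC 'Libraries\fastbob.exe')
    )
    foreach ($p in $dropPaths) {
        if (Test-Path -LiteralPath $p) {
            $hash = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            $findings += "Binary present: $p (SHA-256 $hash)"
            if ($Remove) { Remove-Item -LiteralPath $p -Force }
        }
    }

    # Step D: the scheduled task that relaunches the binary.
    $task = Get-ScheduledTask -TaskName 'FastClean' -ErrorAction SilentlyContinue
    if ($task) {
        $findings += "Scheduled task FastClean present (state $($task.State))"
        if ($Remove) { Unregister-ScheduledTask -TaskName 'FastClean' -Confirm:$false }
    }

    # Step E: the Run value. HKCU only covers the user running this check;
    # repeat under each profile that logged on to the host (or load their hives).
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $runVal = Get-ItemProperty -Path $runKey -Name 'FastBobManager' -ErrorAction SilentlyContinue
    if ($runVal) {
        $findings += "Run value FastBobManager -> $($runVal.FastBobManager)"
        if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'FastBobManager' }
    }

    # Step F: the firewall rule. Assumed to be the display name; fall back to
    # the internal name in case it was created that way.
    $fw = Get-NetFirewallRule -DisplayName 'fastbob_udp' -ErrorAction SilentlyContinue
    if (-not $fw) { $fw = Get-NetFirewallRule -Name 'fastbob_udp' -ErrorAction SilentlyContinue }
    if ($fw) {
        $findings += "Firewall rule fastbob_udp present (action $($fw.Action), direction $($fw.Direction))"
        if ($Remove) { $fw | Remove-NetFirewallRule }
    }

    return $findings
}

# Usage: run once read-only, review, then run again with -Remove, and re-run
# after the reboot in step I to confirm nothing came back.
$result = Invoke-FastbobArtefactCheck
if ($result.Count -eq 0) { 'No FASTBOB persistence artefacts found.' } else { $result }
```

The check is deliberately scoped to the names in this profile; a rebuilt sample can use different ones, so pair it with the Autoruns and Process Explorer review in step I rather than treating an empty result as a clean bill of health.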

3. File Decryption & Recovery

  • Is decryption possible WITHOUT paying?
    – Partial. Researchers at CyberGeeks Lab cracked an earlier build (v1) using an implementation flaw in ChaCha20-Poly1305 key-nonce reuse. Tool: “FastbobDecrypt-v1.3.exe”.
    – If your ransom note file (FILE DON’T PAY.txt) shows BUILD 2023-11-19-1 or earlier, TRY THE FREE DECRYPTOR (see below).
    – Builds from 2023-11-20 onward use per-file ChaCha20 keys encrypted by an RSA-2048 public key embedded in the binary. No publicly available decryption for these builds.
  • Free decryptor location:
    – GitHub.com/CG-Lab/FastbobDecryptor (SHA-256 9CC3A9…B99E) – open-source, requires Python ≥ 3.8 or the pre-built .exe. Run with:
    FastbobDecrypt-v1.3.exe --dir D:\Recover /restore
    Limitations: only files < 50 MB are restored completely; larger files may have their last segment corrupted.
  • Recovery in absence of a decryptor:
    – Restore from offline backups (Veeam, Commvault, Azure/Immutable S3, tape).
    – Engage a reputable incident-response firm; they can coordinate with law enforcement & sometimes obtain working master keys if the group is later seized (e.g., similar to the LockBit takedown).
    – Paying the ransom is discouraged (no guarantee, funds criminal actors, may still leak data even after payment).

4. Essential Tools / Patches

  • CVE-2023-4966 patch for NetScaler (CTX579045).
  • Microsoft Defender Platform-update KB5007651 (adds detection alias “Ransom:Win32/Fastbob.A”).
  • Sysmon config SwiftOnSecurity.xml or Olaf Hartong.json – catches fastbob.exe spawning vssadmin delete shadows.
  • Kape / EZTools for triage, or Velociraptor for enterprise-scale evidence-collection.
  • (Manual) re-enable VSS: vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10% after disinfection.
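The Sysmon item above depends on seeing the shadow-copy deletion in process-creation telemetry. The following PowerShell is an added example, not from this profile or from either Sysmon configuration it names: it flattens Sysmon Event ID 1 records into the fields that matter, matches the command line against shadow-copy tampering patterns, and reports the parent image so "fastbob.exe spawning vssadmin" stands out. Only the first pattern (vssadmin delete shadows) comes from the profile; wmic shadowcopy delete and wbadmin delete catalog are common ransomware pre-encryption commands added here for coverage, and the sample events are constructed. Because vssadmin resize shadowstorage is also the legitimate re-enable command in this section, it is reported at a lower tier rather than suppressed.

```powershell
# Added example (not from the profile or the Sysmon configs it names): flag
# shadow-copy tampering in Sysmon process-creation events (Event ID 1).
# Pattern 1 is the behaviour the profile describes; the rest are widely seen
# ransomware pre-encryption commands added for coverage.

$ShadowTamperPatterns = [ordered]@{
    'vssadmin delete shadows'       = '\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b'
    'wmic shadowcopy delete'        = '\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b'
    'wbadmin delete catalog'        = '\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b'
    # Also the legitimate re-enable command in this section: reported, lower tier.
    'vssadmin resize shadowstorage' = '\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b'
}

function Test-ShadowTamper {
    # Returns the matching pattern name, or $null when the command line is clean.
    param([string]$CommandLine)
    foreach ($name in $ShadowTamperPatterns.Keys) {
        if ($CommandLine -match $ShadowTamperPatterns[$name]) { return $name }
    }
    return $null
}

function ConvertFrom-SysmonProcessCreate {
    # Flattens a Sysmon Event ID 1 record. Parsing the XML avoids relying on
    # positional Properties[] indexes, which shift between Sysmon schema versions.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeUtc     = $Event.TimeCreated.ToUniversalTime()
            Image       = $d['Image']
            ParentImage = $d['ParentImage']
            User        = $d['User']
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-ShadowTamper {
    # Emits one finding per record whose command line matches a pattern.
    param([Parameter(Mandatory, ValueFromPipeline)]$Record)
    process {
        $hit = Test-ShadowTamper -CommandLine ([string]$Record.CommandLine)
        if ($hit) {
            $severity = if ($hit -like '*resize*') { 'Medium' } else { 'High' }
            [pscustomobject]@{
                TimeUtc     = $Record.TimeUtc
                Severity    = $severity
                Pattern     = $hit
                ParentImage = $Record.ParentImage
                User        = $Record.User
                CommandLine = $Record.CommandLine
            }
        }
    }
}

# Constructed sample records in the shape ConvertFrom-SysmonProcessCreate emits.
# Expected: records 1 and 2 flagged High, record 3 Medium, record 4 ignored.
$sample = @(
    [pscustomobject]@{ TimeUtc = [datetime]'2023-12-06T02:14:09Z'; Image = 'C:\Windows\System32\vssadmin.exe'
                       ParentImage = 'C:\ProgramData\Fastjob\fastbob.exe'; User = 'CORP\svc_backup'
                       CommandLine = '"C:\Windows\System32\vssadmin.exe" delete shadows /all /quiet' },
    [pscustomobject]@{ TimeUtc = [datetime]'2023-12-06T02:14:11Z'; Image = 'C:\Windows\System32\wbem\WMIC.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'; User = 'CORP\svc_backup'
                       CommandLine = 'wmic shadowcopy delete' },
    [pscustomobject]@{ TimeUtc = [datetime]'2023-12-07T09:30:00Z'; Image = 'C:\Windows\System32\vssadmin.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'CORP\ir-analyst'
                       CommandLine = 'vssadmin resize shadowstorage /for=C: /on=C: /maxsize=10%' },
    [pscustomobject]@{ TimeUtc = [datetime]'2023-12-07T09:31:00Z'; Image = 'C:\Windows\explorer.exe'
                       ParentImage = 'C:\Windows\System32\userinit.exe'; User = 'CORP\jsmith'
                       CommandLine = 'C:\Windows\explorer.exe' }
)

$sample | Find-ShadowTamper | Format-Table TimeUtc, Severity, Pattern, ParentImage, User -AutoSize

# Live use against the local Sysmon log (needs the Sysmon service installed and
# read access to the operational channel):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000 |
#     ConvertFrom-SysmonProcessCreate | Find-ShadowTamper
```

Triage on ParentImage and User: a resize from an analyst's PowerShell during step 4 recovery is expected, the same command from an unfamiliar binary under a service account is not. Sysmon only records what its configuration includes, so confirm that the chosen config logs Event ID 1 for vssadmin.exe, wmic.exe and wbadmin.exe before relying on this.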

5. Other Critical Information

  • Unique characteristics vs. other families:
    – VERY small binary (≈ 90 kB) – compiled with MinGW without UPX; uses only ChaCha20 + RSA (no AES).
    – Targeted exclusion of .FASTBOB and ransom-note name in encryption loop avoids resource-starvation errors and helps the malware remain quiet.
    – Deletes only local volume-shadows; does NOT exfiltrate data (no embedded FTP, Mega, or C2 upload). Thus, “double-extortion” has not been observed so far – however, actors manually stage Cobalt-Strike beacons in 30 % of intrusions, so treat as potentially data-breached.
  • Broader impact:
    – Small-to-medium accounting firms in North America were primary early victims, suggesting actors chased W-2 / tax data for subsequent fraud, not only ransom revenue.
    – Because it piggybacks on legitimate remote-admin tools (AnyDesk, ScreenConnect), alerts from EDR are often “low severity,” helping it slip past SOC playbooks.
    – The rapid patch gap (Citrix flaw disclosed 2023-10-10, mass-exploited within 3 weeks) highlights the speed at which modern ransomware operators weaponize N-day vulnerabilities.

Stay vigilant, patch quickly, back-up offline, and never open invoice ISOs blindly.
Good luck, and stay safe out there!