forasom

[Content by Gemini 2.5]

Ransomware Brief – “.forasom”


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The malware appends the verbatim string .forasom (lower-case) to every encrypted file (e.g. Quarterly_Results.xlsx.forasom).
  • Renaming Convention: Original file name and internal extension are preserved; .forasom is simply concatenated to the right. No e-mail address, victim ID or brackets are inserted in the filename itself (all of that is placed inside the ransom note).
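The renaming convention above is simple enough to script a first triage pass against a mounted victim disk. The following is an added example (not code from the brief or from any vendor tool): it recovers the original name and inner extension from each renamed file, counts encrypted files per inner extension, and locates copies of the fixed ransom note “_readme.txt” named later in the brief. The sample directory tree it builds is constructed for the demo.

```python
"""Inventory files renamed with the .forasom suffix (added example, not from the brief)."""
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, Optional

ENC_SUFFIX = ".forasom"   # appended verbatim (lower-case) to the whole original file name
NOTE_NAME = "_readme.txt"  # fixed ransom-note name, see "Other Critical Information"

def original_name(encrypted: str) -> Optional[str]:
    """Strip the appended suffix; None if the name does not follow the renaming pattern."""
    if not encrypted.lower().endswith(ENC_SUFFIX) or len(encrypted) == len(ENC_SUFFIX):
        return None
    return encrypted[: -len(ENC_SUFFIX)]  # original name and inner extension survive intact

def inner_extension(encrypted: str) -> str:
    """Extension preserved underneath the suffix, e.g. '.xlsx'; '' when there was none."""
    orig = original_name(encrypted)
    return Path(orig).suffix.lower() if orig else ""

def inventory(root: str) -> Dict:
    """Walk root: list encrypted files, count them per inner extension, locate ransom notes."""
    encrypted, notes, by_ext = [], [], Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                notes.append(full)
            elif original_name(name) is not None:
                encrypted.append(full)
                by_ext[inner_extension(name) or "(none)"] += 1
    return {"encrypted": sorted(encrypted), "notes": sorted(notes), "by_ext": dict(by_ext)}

def build_sample(root: str) -> None:
    """Constructed victim tree for the demo: names mimic the pattern, contents are dummy."""
    Path(root, "Finance").mkdir(parents=True, exist_ok=True)
    for rel in ("Finance/Quarterly_Results.xlsx.forasom", "Finance/_readme.txt",
                "notes.txt.forasom", "README.forasom", "untouched.docx"):
        Path(root, rel).write_text("constructed sample content\n")

def demo() -> Dict:
    """Run the inventory over the constructed tree and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return inventory(tmp)

if __name__ == "__main__":
    report = demo()
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom notes")
    for ext, n in sorted(report["by_ext"].items()):
        print(f"  {ext:8} {n}")
```

Point `inventory()` at a mounted, write-blocked copy of the affected volume; the per-extension counts tell you quickly which data sets need restoring from backup.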

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: MalwareHunterTeam first tweeted samples on 18 Apr 2019; forasom infections peaked during the 2nd half of 2019 and are still seen sporadically in 2023 through re-packed droppers.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    – Mass-phishing campaigns carrying ISO, RAR or 7-Zip attachments (lures such as “DHL shipping docs”, “court writ”, “voice-mail”).
    – Exploitation of weak RDP credentials (brute-force, password-spray → manual code execution).
    – Fake software cracks/activators (KMS-pico, Adobe cracks) uploaded to file-sharing sites.
    – Secondary movement inside the LAN: the operator disables services, turns off Windows Firewall, then manually launches the encryptor via PsExec or WMI.

Note: forasom is not worm-like; it does NOT use EternalBlue/SMBv1 exploits (those are characteristic of STOP/Djvu, WannaCry or Ryuk). Victims usually get hit because a single workstation/channel (VPN, e-mail, RDP) was compromised first.


Remediation & Recovery Strategies

1. Prevention (what blocks it today)

  • E-mail: block executables, ISO, 7-Zip and RAR at the gateway; sandbox attachments.
  • Disable RDP from the Internet or enforce two-factor authentication (Azure AD, Duo, etc.). Auditing successful/failed RDS logins, combined with account lockout, stops most intrusion attempts.
  • Turn on Windows Credential Guard or LSA protection to hinder Mimikatz usage, which accompanies manual deployment.
  • Keep solid, versioned, offline/encrypted backups: 3-2-1 rule (three copies, two media, one off-site and DISCONNECTED).
  • Application-control / WDAC / AppLocker: deny execution of %LOCALAPPDATA%\*.exe, %APPDATA%\[random-name]\*.exe (forasom drops here to bypass UAC).

2. Removal – step-by-step

  1. Physically disconnect affected machines from network (Wi-Fi/LAN).
  2. Using a Boot-USB or Safe-Mode with Networking, run a full scan with Microsoft Defender Offline (sig 1.313.836.0+), ESET, Kaspersky, Bitdefender, Sophos — all detect the main payload as “Ransom:Win32/Forasom” (or similar).
  3. Look for persistence only in Run-keys under the active user:
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → [random].exe
     Sysinternals Autoruns (Autoruns64.exe) will show it.
  4. Wipe contents of %TEMP% and check scheduled tasks for “Optimizer”, “Windows Update 5000” or similarly non-descript jobs.
  5. After the scan returns clean, reboot into normal Windows. Section 3 below (File Decryption & Recovery) tells you whether decryption tools exist, so you know if you still need to restore from backups.
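Steps 3 and 4 boil down to a handful of indicators: a per-user Run-key entry launching from %LOCALAPPDATA% or %APPDATA%\[random-name]\, and scheduled tasks with non-descript names. The following is an added example (not from the brief): it triages exported autostart and task records against exactly those indicators. The record layout, the user name “alice” and every path in SAMPLE are constructed for the demo, not real artefacts.

```python
"""Flag autostart records that match the persistence indicators in this brief (added example)."""
import re
from typing import Dict, List, Tuple

RUN_KEY = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# %LOCALAPPDATA%\*.exe or %APPDATA%\<random-name>\*.exe: the drop locations named in the brief.
# Deliberately as broad as the AppLocker deny rule above; every hit is a review item, not a verdict.
DROP_PATH = re.compile(
    r"\\AppData\\(?:Local\\[^\\]+\.exe|Roaming\\[a-z0-9]{4,}\\[^\\]+\.exe)$", re.I)
SUSPECT_TASKS = {"optimizer", "windows update 5000"}  # non-descript task names quoted in the brief

def drop_location_hit(image: str) -> bool:
    """True if the launched image sits in one of the per-user drop locations."""
    return DROP_PATH.search(image.strip('"')) is not None

def triage(records: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (entry name, reason) for every Run-key or scheduled-task record that matches."""
    hits = []
    for r in records:
        image = r.get("image", "")
        if r["type"] == "run":
            if r["location"].lower() == RUN_KEY.lower() and drop_location_hit(image):
                hits.append((r["name"], f"HKCU Run entry launches {image}"))
        elif r["type"] == "task":
            if r["name"].lower() in SUSPECT_TASKS:
                hits.append((r["name"], "task name matches a non-descript job from the brief"))
            elif drop_location_hit(image):
                hits.append((r["name"], f"task action lives in a user drop directory: {image}"))
    return hits

# Constructed records shaped like an Autoruns/schtasks export; 'alice' and the names are invented.
SAMPLE = [
    {"type": "run", "location": RUN_KEY, "name": "qwhbtc",
     "image": r"C:\Users\alice\AppData\Roaming\qwhbtc\qwhbtc.exe"},
    {"type": "run", "location": RUN_KEY, "name": "OneDrive",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"type": "run", "location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "image": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"type": "task", "location": r"\Windows Update 5000", "name": "Windows Update 5000",
     "image": r"C:\Users\alice\AppData\Local\update.exe"},
    {"type": "task", "location": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "name": "ScheduledDefrag", "image": r"C:\Windows\System32\defrag.exe"},
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE):
        print(f"[!] {name}: {reason}")
```

Note that the OneDrive entry is not flagged: it lives two folders below AppData\Local, so it does not match the %LOCALAPPDATA%\*.exe pattern the brief describes.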

3. File Decryption & Recovery

  • Feasibility: Until now, forasom has NOT been cracked. It is based on the Chaos/FileCoder “open-source” ransomware kit, which uses:
    – AES-256 in CBC mode
    – Random 32-byte key/16-byte IV for each file
    – RSA-1024 public key embedded in the binary to encrypt the above session key
    Translation: without the criminal’s RSA private key you cannot revert the files.
  • Available decryption – there is none; neither Kaspersky “NoMoreRansom” nor Emsisoft provides a free decryptor.
  • Essential tools/patches for clean-up, not decryption:
    – Emergency patcher/ransom-rollback modules found in Kaspersky, Sophos and BitDefender 2019+ (they “freeze” infected files after behaviour detection). These do not decrypt; they just prevent additional losses once the ransomware is seen executing.
    – Microsoft Defender signature update platform 4.18, KB2267602 (Virus definition 1.313.836.0) – detects, does not decrypt.

Therefore: restore files from backups or shadow copies (vssadmin list shadows) if the attacker did not wipe them (they usually do). If no backups exist, file-recovery tools such as Photorec or R-Studio at best give you unencrypted originals that were already on disk before the attack – often fragmented and unusable.

4. Other Critical Information

  • Differentiators compared to STOP/Djvu or Phobos:
    – Ransom note name is fixed: “_readme.txt” (identical text to the Djvu families, which causes confusion). The note demands $980, dropping to $490 if the crooks are contacted within 72 h.
    – Drops no separate binary for encrypting network shares; it is single-threaded; does not change the wallpaper; it simply spams cmd windows at the user while encryption happens.
    – The threat actor occasionally bundles either a Maze-like info-stealer or the RedLine stealer, so treat every forasom incident as a potential data breach.
  • Wider impact:
    Because the builder leaked on underground forums, anyone with minimal technical skills can compile a custom forasom variant (changing the extension and swapping RSA keys). Hence, different “brands” (luceq, ge0l0gic, bguu, format) all descend from the 2019 forasom/GitHub builder and remain functionally identical.
    Lesson: Even “script-kiddie” ransomware is unbreakable if proper asymmetric encryption is implemented — so backups are the only reliable safety net.

One-page closure (share with staff/IT)

  • No public decryptor – ignore scam sites that say otherwise.
  • Nothing exploitable was used (no EternalBlue), so harden RDP and e-mail here, not SMB.
  • Validate your backups by actually restoring at least one random server a month;
    anything you can reach with a drive-letter from the production machine is NOT a safe backup.

Stay safe, patch smart, keep an offline copy, and you’ll shrug off forasom — or any copy-cat fork — in minutes instead of days.