Also known as: No known aliases
Category: Malware
Type: Ransomware, trojan, fileless malware
Platform: Windows
Variants: No known variants exist, but it is closely related to other Phobos variants, such as EKING, 8Base, and Devos.
Damage potential: Encryption and loss of important files, data leak, ransom demands, operational disruption, damage to reputation
Overview
Faust ransomware is a relatively recent strain of the Phobos ransomware family, first observed in 2024. It encrypts files across the system and attaches a custom extension to them, rendering data inaccessible. A ransom note is dropped on the system, instructing victims to contact the attackers through email or a Tor site to negotiate payment for the decryption key, typically in cryptocurrency.
In line with modern ransomware trends, Faust is known to use double extortion tactics — not only encrypting files but also exfiltrating sensitive data, which the attackers threaten to publish if the ransom isn't paid. Unlike other generic ransomware variants, Faust appears to be used in targeted attacks, which means that its operators likely study their victims first before launching the attack.
Possible symptoms
The main sign of a Faust ransomware infection is that your files become encrypted and inaccessible. You’ll likely see a new “.faust” extension added to each file, along with a ransom note named “info.hta” or “info.txt” in the affected folders. In some cases, you might also notice slower system performance or unusual network activity during or after the attack.
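The indicators above can be checked with a short script. This is an added example, not code from the original page: it walks a folder tree, counts files ending in ".faust", and records whether "info.hta" or "info.txt" sits in the same folder. The function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

ENCRYPTED_EXT = ".faust"               # extension named on this page
NOTE_NAMES = {"info.hta", "info.txt"}  # ransom note names named on this page

def triage(root):
    """Map each folder under root that holds .faust files to
    (encrypted_file_count, ransom_notes_found_in_that_folder)."""
    findings = {}
    for folder, _dirs, files in os.walk(root):
        lowered = [name.lower() for name in files]
        encrypted = sum(1 for name in lowered if name.endswith(ENCRYPTED_EXT))
        if encrypted:
            findings[folder] = (encrypted, sorted(NOTE_NAMES.intersection(lowered)))
    return findings

def confirmed(findings):
    """Folders where encrypted files and a ransom note appear together.
    A lone info.txt is a common benign file name, so it is never reported alone."""
    return sorted(folder for folder, (_n, notes) in findings.items() if notes)

def build_sample_tree(base):
    """Constructed sample data, not taken from a real incident."""
    layout = {
        "docs": ["report.docx.faust", "budget.xlsx.FAUST", "info.hta"],
        "notes": ["info.txt", "todo.md"],   # benign info.txt, no encrypted files
        "share": ["db.bak.faust"],          # encrypted file, note not (yet) present
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder))
        for name in names:
            open(os.path.join(base, folder, name), "w").close()

def demo():
    """Run the triage over the constructed tree; keys are relative paths."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return {os.path.relpath(f, base): hit for f, hit in triage(base).items()}

if __name__ == "__main__":
    results = demo()
    for folder, (count, notes) in sorted(results.items()):
        print(f"{folder}: {count} encrypted file(s), notes: {notes or 'none'}")
    print("confirmed:", confirmed(results))
```

To check a real system, call `triage()` on a mounted copy or a user profile path from a clean machine; the script only reads directory listings and changes nothing.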
Sources of the infection
Faust ransomware can reach a system in many ways, mainly by disguising itself as Microsoft Office files:
- Phishing emails with malicious attachments or links.
- Exploit kits targeting unpatched vulnerabilities in outdated software or operating systems.
- Open RDP ports on a computer or server.
- Malicious downloads from compromised websites.
Protection
Phishing awareness is necessary for protecting yourself from ransomware or other cyber threats. Here’s what you can do to protect yourself:
- Keep operating systems and all software applications updated to patch known vulnerabilities.
- Do not click on suspicious links or attachments in emails, especially from unfamiliar senders.
- Enable multi-factor authentication (MFA) for an extra layer of protection.
- Back up important data.
- Block malware-hosting websites and harmful ads using NordVPN’s Threat Protection Pro™.
Faust ransomware removal
In the early stages of infection, Faust ransomware may be detected and removed using reputable antivirus software. If the ransom note has already appeared, attempting to remove the ransomware could risk losing access to encrypted files. At that point, the best action is to isolate the infected system and perform a factory reset to stop Faust from reappearing.
Paying the ransom is not recommended because it does not guarantee the return of your files and encourages the attackers to continue their malicious work. If you’re not confident handling the removal yourself, get help from cybersecurity professionals.