Remove Fadesoft Ransomware

I wrote this article to help you remove Fadesoft Ransomware. This Fadesoft Ransomware removal guide works for all Windows versions.

Fadesoft ransomware is a win-locker virus which was first spotted last month. Two versions of the infection exist. There are a couple of differences between them. The first build of the win-locker provided a contact form. Victims could get in touch with the creators of Fadesoft ransomware by writing to their email address cryptx.support@yandex.com. The renegade developers have since removed the contact form and replaced it with a logo. Rather than designing a custom graphic, the cyber crooks have stolen the logo of Umbrella Corporation, a fictional entity from the video game Resident Evil.

The second build of Fadesoft ransomware asks for a higher ransom. The clandestine program now demands 0.33 BTC. This is over than three times more than the previous amount of 0.1 BTC. The increased ransom converts to $417.75 USD, according to the current exchange rate. Victims have 4 days or 96 hours to pay. Fadesoft ransomware warns people that the unique decryption key will be deleted after this point. The cyber criminals store the key on a command and control (C&C) server, hosted on the Tor network. There is a countdown clock in the ransom note, measuring the remaining time before the scheduled deletion.

Fadesoft ransomware uses a strong encryption scheme. The hackers have applied a combination of AES-256 and RSA-2048 cryptography algorithms. This allows the malevolent program to encrypt a total of 323 file types. The win-locker exempts the system directories from encryption because they contain files the OS needs in order to run properly. The ransom note provides a list of the encrypted objects. You will be able to see the damage first hand.

The creators of Fadesoft ransomware have taken the necessary measures to hide their identity. The bitcoin cryptocurrency is the default choice for most cyber criminals because bitcoin platforms are remarkably secure. They do not require people to provide any personal details when registering. The transaction cannot be traced, even by the owners of the platform. The Tor web browser hides the IP address and the geographic coordinates of the computer.

Although the authors of most win-lockers cannot be identified, there can be signs to suggest certain details about them. There are a few clues around Fadesoft ransomware which users and experts can both look into. To begin with, we have the email address of the cyber criminals. Yandex is a Russian mailing client, hinting that they are from Russia. Security experts have made an intriguing discovery upon analyzing the code of the sinister program. Fadesoft ransomware is almost identical to Erebus ransomware. To top it off, both viruses belong to the category of Trojan win-lockers. Of course, there are many other ransomware programs with similar characteristics. We can only make assumptions.

The final aspect we need to address thoroughly is distribution. Being a Trojan win-locker, Fadesoft ransomware gets spread through Trojan horses. The question we need an answer for is how does the host for the ransomware get distributed. The answer is spam emails. The secluded program conceals behind attachments to fake email notifications. The sender will list the file as an important piece of documentation, like a recommended letter, a receipt, an invoice, a bank statement, a contract, or a subpoena.

To convince the recipient that the message is legitimate, the spammer can misrepresent a reputable entity, like the national post, a courier firm, a bank, a government branch, the local police department, or the district court. To check whether an electronic letter is genuine, proof the contacts. The email address is the best piece of evidence. You can refer to the official website of the entity in question.

Fadesoft Ransomware Removal

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Fadesoft Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

  1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
  2. Install ShadowExplorer
  3. Open ShadowExplorer and select C: drive on the left panelshadowexplorer
  4. Choose at least a month ago date from the date field
  5. Navigate to the folder with encrypted files
  6. Right-click on the encrypted file
  7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

  1. Go to Start –> All programs –> Accessories –> System tools –> System restore
  2. Click “Nextsystem restore
  3. Choose a restore point, at least a month ago
  4. Click “Next
  5. Choose Disk C: (should be selected by default)
  6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Fadesoft Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

  1. Recuva
  2. Puran File Recovery
  3. Disk Drill
  4. Glary Undelete

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.