
No more Fonix Crypter?

Who is Fonix Crypter?

Fonix Crypter, like STOP, was discovered by Michael Gillespie. It first appeared in 2020 but began winding down at the end of the same year. It is believed to be of Iranian origin, and even its advertisement on the dark web makes this clear: “*do not infect any persian systems, in case of violation the violator will be fired”.

On 10 July 2020, “FoNixCrYpTer” advertised a new Ransomware-as-a-Service (RaaS) called Fonix (Phoenix) on dark web forums. It uses four encryption methods (AES, Salsa20, ChaCha and RSA), and its encryption is slower than that of other RaaS offerings because it encrypts all files, including non-important ones. It went through seven variants during its lifetime; the last was 4.4.1.

Like other ransomware, it invades the system and encrypts files. It changes file names by appending the email address fonix@tuta.io, the victim’s ID and the extension “Fonix”, and then displays a ransom note in a pop-up window.

Public announcement of Fonix Crypter managers

One of the Fonix Crypter ransomware developers made a public announcement in early 2021 that the entire operation was closing. The programmer also released a public decryption key that can be used to restore data for each victim. Although a decryption key is provided, it is not user-friendly; it is not designed to simply decrypt all data. The statement read as follows:

“I’m one of the managers of the Fonix team. You know about our group, but we have come to a conclusion. We should use our skills in positive ways and to help others.

The source code has been completely deleted, but some members of the team disagree with the closure of the project… Anyway, the main administration decided to leave all the previous work behind and decrypt all the contaminated systems free of charge. The decryption key will be publicly available. The team’s final announcement will be announced shortly.”

Indeed, this is not the first time a cybercrime group has decided to withdraw. The developers of GandCrab, another RaaS active from 2018, announced the closure of its activities in mid-2019 and released decryption keys for all of its victims in Syria. Likewise, in 2016, when TeslaCrypt shut down, its developers released the master key, which allows infected systems to be decrypted free of charge. Security researcher Allan Liska said in an interview that the Fonix decryption key appears to be legitimate and that it is very important that they included the master key, which will allow someone to build a much better decryption tool.

So it remains to be seen whether the Fonix Crypter cybercrime team will keep its word. Even if they do leave, the difference will be small, as they are just one small player in a huge cybercriminal ecosystem.

Fonix Profile

In summary, ransomware encrypts data and creates/displays ransom messages with instructions on how to contact the cyber criminals, the ransom amount and other information. The two main differences between ransomware families are typically the price of the decryption tool/key and the encryption algorithm (symmetric or asymmetric) used to encrypt the data.

FonixCrypter Profile
Name: Fonix (FonixCrypter) virus, Xinof
Threat type: Ransomware, crypto virus, file locker
Encrypted file extension: .Fonix
Ransom note file: # How To Decrypt Files #.hta
Cyber criminal contact (email): fonix@tuta.io
Detection names: Avast (Win32:Malware-gen), BitDefender (Trojan.GenericKD.43207004), ESET-NOD32 (A Variant Of Generik.IZSVMDG), Kaspersky (Trojan.Win32.Diss.suvbu)
Symptoms:
  • Cannot open files stored on your computer
  • Files now have a different extension
  • A ransom demand note is displayed on your desktop
  • Cyber criminals demand payment in bitcoins to unlock your files
Infection methods: Infected email attachments, torrent websites, malicious ads
Damage: All files are encrypted and cannot be opened without paying a ransom.

Content of ransom note

The Fonix ransom note appears in a pop-up window displaying the file “# How To Decrypt Files #.hta”, which provides the instructions. Essentially, it informs the victim that all of their files have been encrypted.

The ransom message states that this ransomware encrypts files using the Salsa20 encryption algorithm and an RSA 4098 key. The victim must make contact or pay the ransom within 48 hours, otherwise the price doubles. The attackers give one contact email for the first 24 hours and a second for subsequent communication. They explain both how to buy BTC and how to send one encrypted file smaller than 2Mb for a free decryption test. Victims are warned not to delete or rename encrypted files, or try to decrypt them with other software, as this will permanently damage the data.

How does Fonix work?

Fonix as a RaaS

The Fonix group advertised its “products” on various cybercrime forums as well as on the dark web. Initially, its authors offered the product through contact via an e-mail address. Once the seller received the necessary data, copies of the ransomware payload were sent to the buyer.

The payloads delivered were customised to show the new buyer’s e-mail address during infection. Victims were to contact the buyer at this e-mail address for further information and instructions on paying the ransom, or to receive free decryption of sample files.

Notably, the decryption keys remain in the hands of the administrators rather than the affiliates. Even the sample files a victim sends are forwarded by the Fonix buyer to the Fonix administrators for decryption. Once the victim is convinced that decryption is possible, the affiliate provides a payment address (a BTC wallet). The victim pays the affiliate, who in turn settles up with the Fonix team. Once the Fonix managers receive their share of the revenue, they provide the affiliate with the necessary decryption tools and the key.

How does it infect the system?

Fonix Crypter has an unusually complex engagement cycle after invading the system. File encryption is done with a mixture of Salsa20, ChaCha, RSA and AES. The Fonix managers chose this scheme to make the file encryption very strong; however, it adds a lot of time to the encryption process, making it 2 to 5 times slower than, for example, Ryuk.

Encrypted files usually carry the extension .FONIX or .XINOF (Fonix spelled backwards), although the extension .repter was also used. Fonix encrypts all file types except critical Windows OS files. Depending on the payload configuration, many other malicious changes are made to the system. In all cases, once encryption is complete, the desktop background is changed to the Fonix logo and the .HTA ransom note is displayed across the whole screen.
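The file-name indicators this article gives (the ransom note name, the fonix@tuta.io contact address appended to renamed files, and the .Fonix/.XINOF/.repter extensions) are enough for a first triage pass over an affected volume. The following Python helper is an added example, not Fonix code nor TicTac’s own tooling; the `ID=[...]` token layout for the victim ID and the sample file names are assumptions constructed for illustration.

```python
"""Added triage helper: flag Fonix-style file names from the article's indicators."""
import re

# Indicators quoted in the article.
RANSOM_NOTE = "# How To Decrypt Files #.hta"
CONTACT_EMAIL = "fonix@tuta.io"
_EXT_RE = re.compile(r"\.(fonix|xinof|repter)$", re.IGNORECASE)
# Assumption (not stated on the page): the victim ID is written as ID=[...]
# inside the renamed name. A file is still flagged when that token is absent.
_ID_RE = re.compile(r"ID=\[([A-Za-z0-9]+)\]", re.IGNORECASE)


def classify_name(name):
    """Return an indicator record for a Fonix-looking file name, else None."""
    if name == RANSOM_NOTE:
        return {"kind": "ransom_note", "name": name}
    ext = _EXT_RE.search(name)
    if not ext:
        return None
    victim = _ID_RE.search(name)
    return {
        "kind": "encrypted_file",
        "name": name,
        "ext": ext.group(1).lower(),
        # The contact e-mail in the name separates a Fonix rename from a
        # file that merely happens to end in one of these extensions.
        "has_contact_email": CONTACT_EMAIL in name.lower(),
        "victim_id": victim.group(1) if victim else None,
    }

def summarize(names):
    """Aggregate what an analyst asks first: note present, IDs, extensions."""
    hits = [r for r in map(classify_name, names) if r]
    files = [r for r in hits if r["kind"] == "encrypted_file"]
    return {
        "ransom_note_found": any(r["kind"] == "ransom_note" for r in hits),
        "encrypted_count": len(files),
        "victim_ids": sorted({r["victim_id"] for r in files if r["victim_id"]}),
        "extensions": sorted({r["ext"] for r in files}),
    }

# Constructed sample names for a stand-alone run; on a real case feed in the
# names collected with os.walk() over a mounted, offline copy of the volume.
SAMPLE_NAMES = [
    "report.docx.EMAIL=[fonix@tuta.io]ID=[A1B2C3D4].Fonix",
    "photo.jpg.EMAIL=[fonix@tuta.io]ID=[A1B2C3D4].XINOF",
    "backup.zip.repter",
    RANSOM_NOTE,
    "notes.txt",
]
```

Calling `summarize(SAMPLE_NAMES)` gives the aggregate; the `has_contact_email` flag on each record separates likely Fonix renames from files that merely end in one of the extensions.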

How to deal with Fonix?

There is always the possibility of manual removal of a threat, but it requires advanced IT skills.

If you are infected with Fonix Crypter or any other ransomware, there is some specific advice you should follow:

  • Report the incident to the competent authorities. In this way you can help identify and possibly prosecute the attackers.
  • Isolate the infected device. Because ransomware can spread across a whole network, it is very important to isolate an infected device to stop the spread: disconnect it from the Internet, disconnect all storage devices such as flash drives and portable hard drives, and also disconnect from cloud storage.
  • Identify the attacker. This is usually easy to see from the ransom note, the contact email and the file extensions. One of the easiest and fastest ways to identify a ransomware infection is the ID Ransomware website.
  • Proper file management and backups are particularly important for data security.
  • We recommend storing your data in multiple partitions and avoiding keeping important files on the partition that contains the operating system.

What if I pay the ransom?

Finally, if the only solution to retrieve your files and decrypt them is to pay the ransom, you should know two things:

  1. That you should contact qualified personnel to manage the post-attack situation and negotiate with the attackers; and
  2. That even if you pay the ransom, no one can guarantee you that the criminals will eventually give you the necessary tools to decrypt your files.

In any case, proper and regular cyber-threat training of a company’s staff is particularly important. Only in this way can you prevent cyber attacks, as many criminals rely on human error to get into a system or corporate network.

Contact Tictac in order to obtain information on the response to ransomware attacks and on the cyber security training programmes.