Back in the 1960s, our educational systems began teaching a concept called Phonics.  Phonics is a method for teaching people how to read and write an alphabetic language. It is done by demonstrating the relationship between the sounds of the spoken language and the letters, groups of letters or syllables of the written language.  Enter FonixCrypter, not the mobile app but the criminal hacking gang, which is far from the innocent way of teaching language. 

It is being reported that the FonixCrypter ransomware gang has closed down its operations.  Good news, huh?  Security researchers are now warning that FonixCrypter, like other hacking groups, may just be re-tooling and will re-emerge with new hacking tactics.  The FonixCrypter ransomware group has been active since at least June 2020.  This criminal gang, which also uses the name Xonif, was not as active as other groups like REvil or Ryuk, yet still accounted for cyber-attacks all over the world.  FonixCrypter released what it claims is a master decryptor key that ‘victims’ of their ransomware attacks can use.  Security researchers at Kaspersky also released a free decryption tool that is part of the RakhniDecryptor offering.

"The FonixCrypter example illustrates yet again why even if you don't plan to pay the ransom (a smart choice), you should hold on to encrypted data," reports Kaspersky.  "Not all cybercriminals repent and publish their keys (or get caught and their servers confiscated), but if the keys do become available at some point, you can use them to restore access to your information, but only if you keep it."

The gang's first notice that it would shut down operations appeared in late January of this year on Twitter.  Investigators reported that the operators of the FonixCrypter ransomware were stopping their attacks around 07 February 2021.  One of the gang's administrators stated that they had targeted more than 5,000 systems with crypto-locking malware.  A bold claim indeed.  Although the gang removed its Telegram channel, the group also announced plans to open a new channel in the future.  It is not clear what this new channel would present, but FonixCrypter posted in its tweet “we should use our abilities in positive ways and help others.”  Researchers wonder whether this will occur, or whether the new channel will provide a new, improved ransomware strain for cybercriminals to use.[1]  Time, and FonixCrypter's money, will tell. 

Claims from hacker groups of shutting down operations should be viewed with some skepticism, say analysts.  Other gangs have made such announcements only to move on to other schemes in the following weeks and months.  "The alleged FonixCrypter developers stated that they had initially started this [ransomware-as-a-service] 'because of the bad economic situation' and now they are quitting out of guilt, but it could easily be a trick just to temporarily lay low and minimize the attention of the police. The truth remains unknown," says a researcher. 

In October 2020, the now-defunct Maze cybercriminal gang announced it would cease operations.  A few weeks later, a ransomware variant called Egregor appeared, and many security analysts believe there are direct links between Maze and this new operation.

Even during FonixCrypter’s most active period, its cyber campaigns were more opportunistic than focused, using spam emails to infect devices with malware.  Also, the group did not attempt to exfiltrate data and hold it for ransom, as other cybercriminal groups have done over the last year. 

FonixCrypter claims to have targeted thousands of victims over a short time.  Malware gangs often brag of their successes.  If FonixCrypter ever victimized a major brand or a company with a lot of clients and endpoints, it has yet to reveal that information.

While ransomware operations such as Maze and FonixCrypter have ceased, cyber security researchers emphasize that many other gangs are stepping in to take their place.  Newer operations include Pay2Key, RansomEXX and Everest.  One piece of good news is that the average ransomware payment declined 30% in the fourth quarter compared with the third quarter, while the median ransom payment dropped 55%.[2] 

In January 2021, the US Justice Department and Bulgarian authorities seized the servers and disrupted the infrastructure and darknet websites of the NetWalker ransomware gang, which had been one of the most prolific cybercriminal operations in 2020.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com  

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/3702558539639477516  

[1] https://blog.malwarebytes.com/ransomware/2021/02/FonixCrypterCrypter-ransomware-gives-up-life-of-crime-apologises/

[2] https://www.coveware.com/
