Cybercrime , Fraud Management & Cybercrime , Ransomware

Fonix Ransomware Gang Shuts Down Operations

Hackers Release Master Decryptor Key
Fonix Ransomware Gang Shuts Down Operations
A Fonix ransomware note displayed to victims (Source: Malwarebytes)

The Fonix ransomware gang has closed down its operations, according to Malwarebytes and Kaspersky. But security researchers warn the gang, like others, might re-emerge with new tactics.

See Also: Top 50 Security Threats

The Fonix group released what it claims is a master decryptor key that victims of their ransomware attacks can use. Plus, Kaspersky has also released a free decryption tool that's part of the its RakhniDecryptor offering.

"The Fonix example illustrates yet again why even if you don't plan to pay the ransom (a smart choice), you should hold on to encrypted data," according to the Kaspersky report. "Not all cybercriminals repent and publish their keys (or get caught and their servers confiscated), but if the keys do become available at some point, you can use them to restore access to your information - but only if you keep it."

Bleeping Computer first reported that the operators of the Fonix ransomware were stopping their attacks. One of the gang's administrators told the publication that they had targeted more than 5,000 systems with crypto-locking malware.

Will Fonix Make a Comeback?

Claims from hacker groups that they're shutting down operations should be viewed with some skepticism, says Fedor Sinitsyn, a security expert at Kaspersky. That's because some gangs have made such announcements only to move on to other schemes in the following weeks and months.

"The alleged Fonix developers stated that they had initially started this [ransomware-as-a-service] 'because of the bad economic situation' and now they are quitting out of guilt, but it could easily be a trick just to temporarily lay low and minimize the attention of the police. The truth remains unknown," Sinitsyn says.

In October 2020, the now-defunct Maze cybercriminal gang announced it would cease operations. A few weeks later, a ransomware variant called Egregor appeared, and many security analysts believe there are direct links between Maze and this new operation, (see: FBI Issues Alert on Growing Egregor Ransomware Threat).

Impact of Fonix

Fonix ransomware first appeared in June 2020, but it became more active in November 2020. The gang's notice that it would shut down operations appeared in late January on Twitter.

Sinitsyn notes that even during its most active period, the Fonix campaigns were more opportunistic than focused, using spam emails to infect devices with malware. Also, the group didn't attempt to exfiltrate data and hold it for ransom as other cybercriminals group have done over the last year (see: Ransomware: Average Ransom Payment Declines to $154,108).

"This malware wasn't particularly prevalent, but we would say it was noticeable among other modern ransomware threats," Sinitsyn says.

The Fonix gang claims to have targeted thousands of victims over a short time. But Jovi Umawing, a malware intelligence analyst at Malwarebytes, notes: "If Fonix has ever victimized a major brand or a company, with a lot of clients and endpoints, they have yet to reveal that information."

Other Ransomware Threats

While ransomware operations such as Maze and Fonix have ceased, security researchers note that many other gangs are stepping in to take their place. Newer operations include Pay2Key, RansomEXX and Everest.

One piece of good news is the average ransomware payment declined 30% in the fourth quarter, compared with the third quarter, while the median ransom payment dropped 55%, according to incident response firm Coveware.

In January, the U.S. Justice Department and Bulgarian authorities seized the servers and disrupted the infrastructure and darknet websites of the NetWalker ransomware gang, which had been more of the most prolific cybercriminal operations in 2020 (see: Another Takedown: NetWalker Ransomware Gang Disrupted).


About the Author

Prajeet Nair

Prajeet Nair

Principal Correspondent

Nair is principal correspondent for Information Security Media Group's global news desk. He has previously worked at TechCircle, IDG, Times Group and other publications where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.