
Is it possible to decrypt files for modified FONIX/RYUK?


Solved by Marcos


Administrators

Unfortunately files encrypted by Filecoder.RYUK cannot be decrypted. I've checked your logs and my findings are below:

- ESET Server Security was installed today
- LiveGrid Feedback system is disabled
- detection of potentially unsafe applications is disabled

Network Level Authentication is disabled.

Recommended action: Enable (Right click This PC (or Computer) -> Properties -> Remote settings, and check "Allow connections only from computers running Remote Desktop with Network Level Authentication".)

The Security Event Logs cover only a small period of time (less than a day). The logs were either cleared by an attacker or the event log size is too small.
Consider increasing the event log size (eventvwr.msc -> Windows Logs (left panel) -> Security -> Properties (right panel) -> Maximum log size (enter new value)). We recommend to at least triple your current Maximum log size.

A brute-force attack from remote machine(s) was performed:
- ARISTANGROUP\arez had 105 failed login attempts
- Гость (Guest) had 27 failed login attempts

Detected unsuccessful logon attempts from 7 blacklisted IP addresses.

- back up crucial data on a regular basis to prevent data loss
- disable or secure RDP (use VPN and block RDP from outside, restrict access to specific IP addresses, etc.)
- use stronger passwords for users with RDP allowed
- set a password to protect ESET settings and to prevent it from being disabled or uninstalled by unauthorized persons
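The checks behind the findings above, as an added example that is not part of Marcos's post and not an ESET tool. It assumes a Windows Server with PowerShell 5.1 or later, run elevated; the registry value for NLA, the event IDs (4625 failed logon, 1102 audit log cleared) and the wevtutil syntax are standard Windows, while the 192 MB floor for the Security log is an assumption chosen for the example:

```powershell
# Added example (not from the original post): verify and fix the RDP and
# Security-log findings listed above. Assumes Windows Server, PowerShell 5.1+,
# run as administrator.

# 1. Network Level Authentication: UserAuthentication=1 means NLA is required.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    Write-Warning "NLA is disabled (UserAuthentication=$nla); enabling it"
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
}

# 2. Security log size: triple the current maximum, with a 192 MB floor (assumed for this example).
$sec    = Get-WinEvent -ListLog Security
$newMax = [math]::Max($sec.MaximumSizeInBytes * 3, 192MB)
wevtutil sl Security /ms:$newMax

# How much history does the log actually hold? Less than a day on a server is suspicious.
$oldest = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
Write-Output ("Security log covers {0:N1} hours" -f ((Get-Date) - $oldest).TotalHours)

# Event 1102 is written when the Security log is cleared; Properties[1] is SubjectUserName,
# i.e. the account that cleared it. If the log survived, this tells "cleared" from "too small".
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 1102} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{n = 'ClearedBy'; e = { $_.Properties[1].Value }}

# 3. Brute-force summary: failed logons (4625) grouped by target account and source address,
#    the same view as "X had N failed login attempts" above, plus where they came from.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4625} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Source    = $d.IpAddress
            LogonType = $d.LogonType   # 10 = RemoteInteractive (RDP), 3 = network
        }
    } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20
```

Run it before the log is touched by anything else: if step 2 shows the log covering only hours and no 1102 event, the size was simply too small; a 1102 event with a source account is evidence of deliberate clearing and should be preserved with the rest of the incident data.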


Thanks for the answer! But judging by ESET's detection, it is still FONIX (modified for RYUK):

A Variant Of Win64/Filecoder.FONIX.A

The previous versions of FONIX were decrypted.

Is it possible to transfer these files to the laboratory for research?


BitDefender has a decrypter for select FONIX ransomware versions here: https://www.bitdefender.com/blog/labs/fonix-ransomware-decryptor/ . Use instructions here: https://www.nomoreransom.org/uploads/FONIX RANSOMWARE DECRYPTION TOOL.pdf

Kaspersky also has a decrypter here: https://support.kaspersky.com/common/disinfection/10556#block1 .

Other AVs might also have a FONIX decrypter.

The point to note is if this is a new FONIX variant, these existing decrypters probably will not work.


@itman,

My guess is that Bitdefender hasn't updated the decryptor since April 2021, when the FONIX/XINOF master key was released (the decoder's signing date is 27 April 2021 16:09:21). After repter/FONIX/XINOF, new variants of FONIX were released disguised as Crysis, Phobos, RYUK.

Avast, LK, possibly Emsisoft have a decoder for them. The current version of FONIX/RYUK is different from the previous version RYK.


Your best bet for finding a decrypter for this ransomware is to use the NoMoreRansom tool here: https://www.nomoreransom.org/crypto-sheriff.php?lang=en to properly ID the ransomware. The tool's results will tell you whether a current decrypter exists.

The main requirement for these decrypters to work is highlighted in the BitDefender FONIX write-up:

Quote

Note: The tool requires that affected users must have at least 1 cpriv.key file present on their PCs, either in the target folder to decrypt, or anywhere else on disk(s).

If the decryption key doesn't exist on the targeted device, you're SOL.

Based on this article: https://www.pcrisk.com/removal-guides/26235-ryuk-fonix-ransomware , the Avast decrypter might work. However, only if the decryption key exists on the targeted device. Also, the article specifically mentions files encrypted with the .RKY extension.

Edited by itman

@itman,

The key file cpriv.key was in the Fonix/XINOF variants; for Fonix/RYUK this file is called hrmlog1. Unfortunately, for the current version of FONIX/RYK, the previously known decoders do not work. Alas.

 


14 hours ago, safety said:

Unfortunately, according to the current version of FONIX / RYK, the previous known decoders do not work. Alas.

BTW, was ESET installed on the device affected by this ransomware?

Or did the attacker gain access to the device via a brute-force attack and uninstall ESET? If so, how did the attacker get past ESET's brute-force protection?


This is a fresh wave of FONIX, somewhere from the beginning of June. The previous wave was in January-March of this year.

Most likely hacked via RDP.

Quote

sep=,
Name,Group,Direction,Profiles,Enabled,Action,Local IP,Remote IP,Protocol,Local port,Remote port
Open Port 3389,,Inbound,"Domain,Private,Public",Yes,Allow,Any,Any,TCP,3389,Any

The antivirus was installed after encryption.

Quote

sep=,
Name,Publisher,Install datetime,Version
Dr.Web Anti-virus for Windows Servers,"Doctor Web, Ltd.",12.06.2023 23:50:15,12.0

sep=,
Name,Publisher,Install datetime,Version
ESET Server Security,"ESET, spol. s r.o.",13.06.2023 15:26:51,10.0.12010.0
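A check for the over-broad rule in the firewall export above and the scoped replacement a practitioner would want, as an added example that is not from the post or from any vendor. It assumes Windows Server 2012 or later with the built-in NetSecurity module, run elevated; $mgmtNet is a placeholder for the VPN or management subnet that RDP should be reachable from, and the 'Remote Desktop' display group name is the English-locale name:

```powershell
# Added example (not from the original post): find inbound allow rules that expose TCP/3389
# to Any remote address (like "Open Port 3389" in the export above), disable them, and
# scope RDP to a management subnet instead. $mgmtNet is an assumed placeholder.
$mgmtNet = '10.0.0.0/24'   # assumption: the only network RDP should be reachable from

$exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        # Port filter: TCP and either 3389 explicitly or LocalPort = Any.
        ($_ | Get-NetFirewallPortFilter) | Where-Object {
            $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '3389' -or $_.LocalPort -eq 'Any')
        }
    } |
    Where-Object {
        # Address filter: remote side unrestricted.
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

foreach ($r in $exposed) {
    Write-Warning "Rule '$($r.DisplayName)' allows TCP/3389 from Any on profiles: $($r.Profile)"
    Disable-NetFirewallRule -Name $r.Name
}

# Scope the built-in RDP rules (display group name is locale-specific; 'Remote Desktop' in English)
# to the management subnet rather than leaving RemoteAddress = Any.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -ErrorAction SilentlyContinue |
    Set-NetFirewallRule -RemoteAddress $mgmtNet

# If no built-in rule exists on this host, create one explicit rule: same port as the exported
# "Open Port 3389" rule, but limited to $mgmtNet and the Domain profile only.
if (-not (Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'RDP from management network' -Direction Inbound `
        -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $mgmtNet -Profile Domain
}

# Verify: every remaining inbound allow rule for 3389 should now list a specific RemoteAddress.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        }
    }
```

A host-firewall scope is a second layer, not a substitute for the perimeter: the rule above still leaves 3389 listening, so the VPN or edge firewall should drop RDP from the internet entirely, which is what "block RDP from outside" in the recommendations means.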


10 hours ago, safety said:

Name,Publisher,Install datetime,Version
Dr.Web Anti-virus for Windows Servers,"Doctor Web, Ltd.",12.06.2023 23:50:15,12.0

I know a number of AV vendors have stopped selling their products in Russia including Eset. However, I assume Kaspersky is not one of them. Would not Kaspersky server protection be a better choice than Dr. Web's?

Also, Kaspersky offers free highly rated anti-ransomware protection here: https://www.kaspersky.com/anti-ransomware-tool .

Edited by itman

14 hours ago, itman said:

I know a number of AV vendors have stopped selling their products in Russia including Eset.

This user is not under sanctions:

WebClientComputerName, *.almaty.*.kz

LicensePartnerCountry, KZ

--------

I don't think it would be convenient to say in this thread why Kaspersky is stronger than DrWeb or vice versa.

Edited by safety

It appears Dr.Web offers free ransomware data recovery services for its commercial customers: https://antifraud.drweb.com/encryption_trojs/?lng=en . Support request procedure here: https://support.drweb.com/new/free_unlocker/for_decode/?lng=en .

Note its disclaimer: https://products.drweb-av.pl/decryption_from_ransomware/disclaimer/ . You might be SOL on this one:

Quote

After the incident, the user re-installed Dr.Web or the operating system. Such actions make it impossible for the incident to be analysed.

Edited by itman

Reinstalling the system may affect the investigation of the incident, but in order to analyze whether decryption of the files is possible, the user transferred everything that was needed: encrypted files, the body of the encryptor, a ransom note, and the additional files from which it was previously possible to restore the key. :)

DrWeb's requirements are quite strict: free decryption is possible if the user has a license for the DrWeb product, and if the product was installed, updated, and missed the encryptor file.

Nothing is known about the presence of FONIX decryption at DrWeb. Bitdef used cpriv.key (i.e. the key file) previously; Gillespie (Emsisoft) also wrote about the need for a key file to decrypt FONIX; Avast uses a key file (cpriv.key, hrmlog1) to restore the session private key and then decrypt the files; Kaspersky receives the session key and adds it to the Rakhni public decryptor.

 

Edited by safety