Future of Digital Security

Lessons from the Ashes: Interview and Analysis of the FonixCrypter Closure

By Joe Lucas on February 2, 2021

On January 29, 2021, the Twitter account @fnx67482837 announced the end of the FonixCrypter Project. FonixCrypter is a ransomware service that first became available in July 2020. @fnx67482837’s involvement in FonixCrypter was verified with offers on Twitter to provide a master key, sample decryptor, and assist in decryption for any remaining victims. The account reveals a potential motivation in subsequent tweets.

Prior reporting shows that procedural friction ultimately limited the pervasiveness of this specific Ransomware-as-a-Service (RaaS) platform — a business model where malicious developers sell their ransomware to affiliates who perform the attack. The FonixCrypter project and its subsequent closure offer useful insights into the creation and operation of these services.

@fnx67482837, who identified themself as “Xinof”, claimed to be the creator of FonixCrypter. This interview was initiated when I introduced myself over Twitter and expressed my desire to learn more about their motivations and operations. They agreed to answer some of my questions over Telegram chat.

Full disclosure: I made no effort to confirm Xinof’s identity or independently verify their involvement with FonixCrypter. English is not Xinof’s first language. I have paraphrased, consolidated, and made grammatical corrections to their replies while trying to maintain the meaning and tone. The information shared here does not represent the opinions of IST or the Ransomware Task Force, but as we all grapple with the scourge of ransomware, interviews with malicious actors could potentially provide useful avenues of investigation.

Q: Can you explain your initial decision to start the FonixCrypter project?
A: Money problems. We didn’t want to hurt anyone. We just wanted money. But you know, think about that. People make money with their computers for their family, for their children. We destroy their work. This wasn’t a thing I wanted. Wasn’t a thing my heart wanted. I can’t live with feeling guilty.

Q: But when you started FonixCrypter, you knew you’d be hurting people, right? What made the guilt “worth it” back then?
A: I didn’t think it would be this bad. I didn’t think I’d feel this guilty.

Q: Was there one specific place FonixCrypter was used that made the guilt too much?
A: No, this decision has been slowly building.

Q: When you started, how were you financially? Rich, middle class, poor?
A: My family was middle class, but in our country my father would work about 10 months to buy an RTX2060 laptop.

Q: What was your technical background when you started FonixCrypter? Did you learn these skills in school or professionally?
A: We learned it ourselves. We weren’t professionals at the start of the project.

Q: Was it easy to find materials to learn?
A: Google helped so much.

Q: What kind of code had you written before FonixCrypter? How long had you been programming?
A: Some small projects. About five months.

Q: How did you form your team? Were they people you knew in-person or met online?
A: We met online.

Q: What kind of services or websites do you use to find people for these kinds of projects?
A: Telegram and a bit in the deep web. We have many groups and channels in Telegram. We know all ransomware services in our country.

Q: How many people were on the FonixCrypter team?
A: I can’t say, but three to five.

Q: How were the roles divided on your team? Did everyone do the same thing or were they specialized?
A: We were specialized with one main programmer.

Q: What were the other roles?
A: Web, operator, and tester.

Q: Were you ever worried about getting caught? Legal trouble?
A: Yes, all the time.

Q: How much did FonixCrypter earn over the course of the project?
A: I know, but won’t say exactly. Not much, very little compared to other ransomware services.

Q: Did the amount of money change your life? Will you need to find a job?
A: No, the amount of money did not change our lives. We’re finding other jobs. Good jobs that don’t hurt people.

Q: If there were no cryptocurrency, how would that have impacted FonixCrypter? Would it have made it harder to do business?
A: Sure. I don’t know any other way than cryptocurrency.

Q: How long was the time from having the idea to create a ransomware service to completing your first iteration of FonixCrypter?
A: Five or six months.

Q: How did you advertise?
A: People found us through Telegram ads.

Q: You paid for ads in Telegram or just posted in other groups and channels?
A: Both, sometimes free and sometimes paid.

Q: How long did it take from advertising to getting your first customer?
A: Customer in two or three days, but payment took another two weeks.

Q: You mentioned finding partners in RaaS Telegram Channels. What was your relationship with the other ransomware services? Did they help you or were they competitors?
A: All were competitors. One helped just a little.

Q: Why did you decide to help victims decrypt?
A: Anytime you stop doing bad things is better than continuing that. I want to help people.

Q: After ending FonixCrypter, how are you planning on making money without harming people?
A: Maybe we will launch a malware analysis website or do website design. We weren’t bad men before FonixCrypter.

Q: Any last thoughts?
A: Please mention this quote that I found on Google: “We cannot despair of humanity, since we ourselves are human beings.”

Ultimately, I think that a combination of a growing conscience, concern for legal investigations, and relative lack of financial success all contributed to the end of the project. While this apology does nothing to absolve Xinof and the rest of the FonixCrypter team from the damage they caused or potential legal consequences, having offered decryption assistance to their victims before closing their doors is perhaps an indicator that they actually did come to understand the repercussions of their actions.

Since the motivations for ransomware operations are often financial and largely individualized, we must be careful not to generalize from Xinof’s ransomware journey. However, several larger lessons are clear:

  1. Cryptocurrency is a critical enabler for these operations. That will surprise no one operating in this space. Xinof couldn’t think of a way for a ransomware service to operate without cryptocurrency. Whether it can or should be regulated demands further discussion, but the often anonymous transactions do offer the most efficient way for criminals to exchange and collect money around the globe.
  2. Almost all recruiting, coordination, and advertising were done through Telegram, a freeware communication platform with end-to-end encryption and group chat functionality. Telegram is not the only service to offer these functions, but was the only one referenced by Xinof. While globalized platforms for information sharing have enabled citizen communication in many authoritarian regimes, we must also be honest about their role in criminal networking. This issue has come to the forefront with the massive recent uptick in users of these platforms as millions left WhatsApp after a privacy policy update.
  3. The technical barrier to entry for ransomware is low. It took five months for a relatively new programmer to learn how to bootstrap a ransomware service from internet research. With sufficient permissions, it is trivial to encrypt files across an operating system. So if we assume a ransomware actor has access to a computer, what is the next step in reducing their ability to execute the attack? With “defense in depth” as the mantra for good security, what controls can we implement to reduce the ease or rate at which authorized accounts can encrypt files?
  4. At least with this actor, law enforcement and intelligence agencies hold remarkable credibility. Despite their consistent use of anonymous handles and encrypted chat applications, Xinof was very afraid of monitoring and subsequent prosecution.
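
One concrete control in the spirit of lesson 3, as an added example that is not from the interview or the FonixCrypter project: a sliding-window detector that flags any account/process pair renaming files to new extensions faster than a set threshold, run over a constructed file-event log. The event format, account names and process names are all assumptions made for illustration.

```python
"""Rate-based detection of bulk file rewrites by a single account/process.

Added example (not from the interview or FonixCrypter): one defense-in-depth
control that limits how fast an authorized account can mass-rename files,
which is the observable side effect of encrypting them in place.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry):
# "timestamp,user,process,old_path,new_path" per line.
SAMPLE_EVENTS = r"""
2021-01-29T10:00:00,alice,winword.exe,C:\docs\a.docx,C:\docs\a.docx
2021-01-29T10:00:03,alice,winword.exe,C:\docs\a.docx,C:\docs\a.pdf
2021-01-29T10:00:01,bob,unk.exe,C:\share\q1.xlsx,C:\share\q1.xlsx.locked
2021-01-29T10:00:02,bob,unk.exe,C:\share\q2.xlsx,C:\share\q2.xlsx.locked
2021-01-29T10:00:02,bob,unk.exe,C:\share\plan.docx,C:\share\plan.docx.locked
2021-01-29T10:00:04,bob,unk.exe,C:\share\notes.txt,C:\share\notes.txt.locked
2021-01-29T10:00:05,bob,unk.exe,C:\share\img.png,C:\share\img.png.locked
2021-01-29T10:00:30,carol,explorer.exe,C:\tmp\x.tmp,C:\tmp\x.log
"""


def parse_events(text):
    """Parse the constructed CSV-like event lines into dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, proc, old, new = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "proc": proc, "old": old, "new": new})
    return events


def extension_changed(old, new):
    """True when a rename altered the file extension (e.g. .xlsx -> .locked)."""
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()


def detect_bulk_rewrites(events, window_s=10, threshold=5):
    """Return the set of (user, process) pairs that changed the extension of
    at least `threshold` files within any `window_s`-second sliding window.
    A normal user saving a document as PDF never trips it; a process
    rewriting every file on a share does within seconds."""
    windows = {}   # (user, proc) -> deque of recent extension-change times
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not extension_changed(ev["old"], ev["new"]):
            continue
        key = (ev["user"], ev["proc"])
        recent = windows.setdefault(key, deque())
        recent.append(ev["ts"])
        while recent and ev["ts"] - recent[0] > timedelta(seconds=window_s):
            recent.popleft()   # drop events that fell out of the window
        if len(recent) >= threshold:
            flagged.add(key)
    return flagged
```

In a real deployment the flagged pair would feed an automated response such as suspending the account's write access to the share, which is the rate-limiting control the lesson asks about rather than a pure alert.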

My conversation with Xinof affirmed that ransomware operations are a fundamentally human exchange often realized with physical world consequences — as Xinof now realizes, human lives are impacted by the encryption and ransom of machines. While greed for financial gain motivated Xinof to create FonixCrypter, my perception is that their guilt was, at least in part, cause for them to shutter the project. We cannot rely on similar changes in conscience to combat ransomware operations writ large, but it is an important reminder that these financially-motivated crimes are inherently different from more traditional malign cyber operations for intelligence gathering, espionage, or attack.