Draft:XFUN

Our researchers found The XFUN ransomware while investigating new submissions to the VirusTotal site. This malware is designed to encrypt data and demand payment for the decryption early 2024.

On our test machine, XFUN encrypted files and added a ".XFUN" extension to their filenames. To elaborate, a file initially named "1.jpg" appeared as "1.jpg.XFUN", "2.png" as "2.png.XFUN", and so on for all of the locked files.

Afterward, the ransomware dropped a ransom note named "!!== ReadMe ==!!.txt". Upon inspection, we learned that this message lacks critical information, thus leading us to speculate that XFUN is still in development or has been released for testing purposes. However, this could be rectified in potential future releases of the malware.


 * Internet Crime Complaint Centre IC3

Screenshot of files encrypted by XFUN ransomware:

Ransom note overview
XFUN's message states that the victim's files have been encrypted. The sole method of recovering the data necessitates a decryption key, which is in the attackers' possession. The victim must pay a ransom to obtain it. However, as previously mentioned, the note does not include crucial information. The message is formatted in a way that was evidently intended to include the key details – ransom amount, Bitcoin wallet address, and contact information.

The victim is given 72 hours to pay and after this deadline – the affected data will be permanently lost. Before meeting the cyber criminals' demands, the victim can test decryption on a single file for free. Additionally, the victim is warned against attempting manual decryption since that will render the files undecryptable.

Due to the lack of information in this note, it is impossible for victims to meet the demands. This could have been an error, or XFUN might have been released for testing purposes only. It is noteworthy that this issue could be addressed in possible future variants of ransomware.

XFUN ransomware overview
We have analyzed and researched thousands of ransomware infections, and this experience allows us to conclude that decryption is usually impossible without the attackers' involvement.

Furthermore, victims often do not receive the promised decryption keys/software despite meeting the ransom demands. Therefore, even if it is possible to pay, we strongly advise against it. Complying with the cyber criminals' demands does not guarantee data recovery, and it supports this illegal activity.

Removing XFUN ransomware from the operating system will prevent it from further encryptions. Unfortunately, removal will not restore already compromised files. The sole solution is to recover them from a backup (if one was created prior and stored elsewhere).

The general advice for ensuring data safety is to keep backups in multiple different locations, such as unplugged storage devices, remote servers, and others.