So, a small business I work for was hit with a variant of FenixLocker. RDP was brute-forced and the attacker copied a payload "svchost.exe" to a folder, executed it and left. It found our fileshares and went to town. As soon as we realized the culprit, we shut down the server in question and are in the process of rebuilding it. RDP has been disabled and we're working on scanning the network. Don't really need help there, more interested in the encrypted files at this point.
So, here's the thing: we don't want to pay the ransom, so I've been doing some research. It appears that this variant isn't capable of being decrypted with the decryption tool provided. Observed differences:
1) Appended email address is [email protected] instead of [email protected]
2) Help to decrypt.txt email address changed.
Aside from that, the "observable" behavior is the same as reported for FenixLocker.
I can provide sample encrypted files and the executable upon request.
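Before anyone can say whether a sample is decryptable, it helps to know what the variant actually did to each file: which suffix it appended, and whether the whole file or only the beginning is ciphertext (a partial-encryption scheme leaves recoverable data and changes the recovery options). The script below is an added triage example, not code from the original post or from any FenixLocker analysis; it assumes only that the variant appends an e-mail address after the original extension (the exact separators are not given in the post, so the regex is deliberately loose), and it builds its own constructed sample tree so it runs offline.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumption: the ransomware appends an e-mail address after the original
# extension. The post does not give the exact separators, so only an
# e-mail-looking token at the end of the name is required.
APPENDED_EMAIL_RE = re.compile(r"\.[A-Za-z0-9]+\W*([\w.+-]+@[\w-]+\.[\w.-]+)\W*$")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data,
    noticeably lower for documents, text and most structured formats."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def appended_email(name: str):
    """Return the e-mail token the encryptor appended, or None."""
    m = APPENDED_EMAIL_RE.search(name)
    return m.group(1) if m else None


def triage_file(path: Path, window: int = 4096) -> dict:
    """Summarise one file: appended suffix plus entropy of its head and tail.
    A high head but low tail suggests partial (header-only) encryption."""
    data = path.read_bytes()
    return {
        "name": path.name,
        "email": appended_email(path.name),
        "size": len(data),
        "head_entropy": round(shannon_entropy(data[:window]), 3),
        "tail_entropy": round(shannon_entropy(data[-window:]), 3),
    }


def triage_tree(root: Path) -> list:
    """Triage every regular file under root, sorted by path."""
    return [triage_file(p) for p in sorted(root.rglob("*")) if p.is_file()]


def make_sample_tree(root: Path) -> None:
    """Constructed sample data (not real victim files): one file that looks
    fully encrypted, one that was never touched."""
    # Hypothetical victim address and suffix form, used only for the demo.
    (root / "report.docx.[victim@example.test]").write_bytes(os.urandom(8192))
    (root / "readme.txt").write_bytes(b"The quick brown fox jumps over the lazy dog.\n" * 200)


def demo() -> dict:
    """Build the sample tree in a temp dir and return results keyed by name."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        make_sample_tree(root)
        return {r["name"]: r for r in triage_tree(root)}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: suffix={r['email']} size={r['size']} "
              f"head={r['head_entropy']} tail={r['tail_entropy']}")
```

Run it against a copy of a share (never the originals) and look for two things: every hit should carry the same appended address, and head and tail entropy should both sit near 8.0. If the tail is low on large files, the variant only encrypts a prefix, which is worth mentioning to whoever maintains the decryptor.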