Fonix ransomware shuts down and releases master decryption key

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,982
The Fonix Ransomware operators have shut down their operation and released the master decryption allowing victims to recover their files for free.

Fonix Ransomware, also known as Xinof and FonixCrypter, began operating in June 2020 and has been steadily encrypting victims since. The ransomware operation was not as widely active as others, such as REvil, Netwalker, or STOP, but starting in November 2020, it picked up a bit.

This afternoon, a Twitter user claiming to be a Fonix ransomware admin announced that the ransomware had shut down.

The message shared in the image reads:
I'm one fonix team admins.
you know about fonix team but we have come to the conclusion.
we should use our abilities in positive ways and help others.
Also rans0mware source is completely deleted, but some of team members are disagree with closure of the project, like telegram channel admin who trying to scam people in telegram channel by selling fake source and data.
Anyway now main admin has decided to put all previous work aside and decrypt all infected systems at no cost.
And the decryption key will be available to the public.
The final statement of the team will be announced soon.
Regards-FonixTeam
According to the message, some of the 'members' of the ransomware operation were not happy that it was shutting down. This shutdown could cause members to join other ransomware affiliate programs or splinter off and create a new operation.

Master keys work, decryptor is a mess

In a different tweet, the Fonix admin shared a link to a RAR archive named 'Fonix_decrypter.rar' containing both a decryptor and the master private decryption key. This decryption tool is not a decryptor that can be used by a victim to decrypt their files easily but is instead an admin tool used internally by the ransomware gang. Most ransomware operations allow victims to send a few encrypted files that they will decrypt for free to prove that they can do so. The decryptor released tonight is the Fonix Ransomware operators' tool when performing these free test decryption and does not allow a victim to decrypt an entire computer. Even considering that it can only decrypt one file simultaneously, from our tests of the decryptor, it has very confusing instructions and is prone to crashing.

The good news is that Michael Gillespie has told BleepingComputer that the master keys work but only on some Fonix ransomware versions.
However, Emisosft's decryptor will decrypt all versions of the ransomware, which include the .Fonix, .FONIX, .repter, .XINOF encrypted file extensions. There is no ETA as to when the decryptor will be released, but if you are a victim of this ransomware, a solution will be available soon.
 
Last edited by a moderator:

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,982
The good news is that if you have been infected with the FonixRansomware, you can now decrypt your files for free using an updated version of Kaspersky's RakhniDecryptor.
From Kaspersky:
 

Gandalf_The_Grey

Level 50
Verified
Trusted
Content Creator
Apr 24, 2016
3,982
Fonix Ransomware Decryptor by Bitdefender:
A decryptor for Fonix Ransowmare is now available for download. Also known as FonixCrypter or Xinof, this family of malware was initially spotted in June 2020 and went out of business in late January this year. The news, broken by one of the project’s administrators, also includes master keys and a bare-bones decryptor that can potentially be used to recover one file at a time.

Bitdefender researchers have been working on a free decryptor that can safely help victims get back their ransomed information for free.

The tool works on an infected PC with an active internet connection.
 
Top