Fonix ransomware shuts down, the operators announced decryption key
The main operators of the ransomware Fonix (also known as Xinof or Fonixcrypter, etc.) recently announced the end of the ransomware activity and announced the decryption master key.
The popularity of ransomware is not high, but the infection volume has been increasing since the end of last year. Recently, the ransomware team seems to have internal disturbances and disputes.
It is said that the operators have decided to publish the encryption key and no longer engage in the business, but some members do not agree to disband and prepare to continue engaging in ransomware.
After the analysis, the main operators will still publish the encryption key, and the members who do not agree to the dissolution may use the source code to continue to fork and develop new software.
— fnx (@fnx67482837) January 29, 2021
The compressed file released by the administrator contained a decryptor and key, but after testing, the BleepingComputer found that the decryptor was very confusing and very complicated to use.
The reason is that this tool is not provided for victims, but a management tool used internally by the ransomware team to test the validity of the decryption certificate.
And the tool also has the problem of frequent crashes, which makes security practitioners very annoyed when testing, but the good news is that at least the key has been proven to be valid.
In view of the fact that this tool can only decrypt one file at a time and is very easy to crash, BleepingComputer does not recommend that victims download the decryption tool by themselves to decrypt it.
The security company Emisosft will update its decryption library, and its decryption tools will cover the .Fonix, .FONIX, .repter and .XINOF extensions in the future.
But the tool has not been updated yet. Maybe this security company is still developing and testing, so the victim needs to wait for the time being and don’t operate it directly.