The Fonix Ransomware operators have shut down their operation and released the master decryption key so that victims can recover their files for free.
Fonix Ransomware, also known as Xinof and FonixCrypter, started its operations in June 2020 and has been steadily encrypting victims since. The operation was not as widely active as other ransomware such as REvil or Netwalker, but it picked up a bit from November 2020.
A Twitter user claiming to be a Fonix ransomware admin announced that the ransomware had shut down. According to the message, some of the ‘members’ of the ransomware operation were not happy with the shutdown.
This shutdown could cause members to join other ransomware affiliate programs and create a new operation.
The user tweeted again, sharing a link to a RAR archive named ‘Fonix_decrypter.rar’ containing both a decryptor and the master private decryption key.
However, this tool is not a decryptor that a victim could easily use to decrypt their files. It is actually an admin tool used internally by the ransomware gang.
Usually, ransomware operators decrypt a few of the victim’s encrypted files for free in order to prove that they can do so.
The decryption key provided by the Fonix ransomware actors appears to be legitimate, but it requires each file to be decrypted individually.
The important thing is that the master key was included, so it is possible for someone to build a much better decryption tool.
Michael Gillespie, an Emsisoft security researcher who specializes in breaking ransomware encryption, said that a better decrypter is currently in the works at Emsisoft and is expected to be released next week.
Users are advised to wait for the Emsisoft decrypter instead of using the one provided by the FonixCrypter gang, as it may contain other malware, such as backdoors, that victims might end up installing on their systems.