The cyber criminals behind the Fonix ransomware have announced that they have shut down their operation and released the master decryption key so that victims can recover their encrypted files.
Fonix ransomware (aka Xinof and FonixCrypter) has been in operation since June 2020. While not as active as other ransomware families such as REvil or NetWalker, it picked up speed in November last year.
However, last week someone claiming to be a Fonix ransomware admin posted on Twitter that the ransomware had shut down.
“I'm one fonix team admins. You know about fonix team but we have come to the conclusion. We should use our abilities in positive ways and help others. Also rans0mware source is completely deleted, but some of team members are disagree with closure of the project, like telegram channel admin who trying to scam people in telegram channel by selling fake source and data. Anyway now main admin has decided to put all previous work aside and decrypt all infected systems at no cost. And the decryption key will be available to the public. The final statement of the team will be announced soon,” the message said.
In a separate message, the Fonix admin published a link to a RAR archive named 'Fonix_decrypter.rar' containing both a decryptor and the master private decryption key. The decryptor is an admin tool that the ransomware operators used internally to decrypt some of a victim's encrypted files for free, to show that the files could be recovered.
According to Bleeping Computer, the decryptor released by the alleged Fonix admin does not allow a victim to decrypt an entire computer. “Even considering that it can only decrypt one file simultaneously, from our tests of the decryptor, it has very confusing instructions and is prone to crashing,” Bleeping Computer wrote.
According to Emsisoft security researcher Michael Gillespie, his company is currently working on a better decryption tool, which is expected to be released in the near future.