The authors of the ransomware abandoned malicious activities and published the master key. And we made a decoder out of it.
The authors of the Fonix ransomware suddenly announced the end its activities and published the master key, which can be used to decode affected files. Our experts immediately updated the Rakhni Decryptor utility to automate this process. She is available, For example, right here.
The Fonix example once again confirms, that even if you don't plan to pay extortionists, it makes sense to save encrypted data until better times. Yes, not all attackers repent and publish keys, but this also happens - and in this case, encrypted files can be returned. Moreover, do not forget, that sometimes law enforcement agencies manage to obtain keys directly from the servers of cybercriminals.
Why was Fonix dangerous?
Fonix is also known under the name Xinof - at least the attackers themselves called themselves that way, and so on, and the encrypted files received both .fonix and .xinof extensions. Analysts described this ransomware is quite aggressive. At least because, that he was engaged not only in encryption itself, but also made a number of changes to the operating system configuration, to make it more difficult to remove. Besides, it encrypted almost all files on the computer, excluding those critical to the operation of the operating system.
The creators of Fonix provided access to it under the Ransomware-as-a-Service scheme (RaaS), so it was the buyers who were directly involved in the attacks. Starting around summer 2020 year, Fonix was actively advertised on hacker forums. As a “competitive advantage” of this encryptor, the authors relied on its initial free nature - they did not require anything for use and only took a percentage of the ransoms paid.
As a result, the malware was spread by various groups, as a rule, via spam mailings. Therefore, among the victims of Fonix there were also private individuals, and organizations. Fortunately, This ransomware did not gain mass popularity and there were relatively few victims.
Cybercrime within cybercrime
In the same statement from the authors of Fonix about the termination of work it is said, that not all group members agree with the decision to give up criminal activity. In particular, the administrator of their Telegram channel is trying to sell the ransomware source code and some data. However, the code is not real, so this is, in fact, fraud under the guise of selling malware (at least that's what the band says on Twitter). It's clear, that only other cybercriminals could become victims here, however, fraud does not cease to be fraud.
Authors' motivation
The administrator of FonixCrypter Project admitted, that he did not plan to engage in criminal activity, and he was pushed to create a cryptographer by “difficult economic situation«. But his conscience tormented him, resulting in him deleting the source code, apologized to the victims and published the master key. In the future, he plans to use his accumulated experience in the field of malware analysis and hopes, that the rest of his “colleagues” will join him in this endeavor.