How to decrypt files encrypted by Fonix | Kaspersky official blog

When the Fonix ransomware group suddenly announced the end of its activities and published a master key for decoding encrypted files, our experts immediately updated the Rakhni Decryptor tool to automate the process. You can download the tool right here.

The Fonix example illustrates yet again why, even if you don’t plan to pay the ransom (a smart choice), you should hold on to encrypted data. Not all cybercriminals repent and publish their keys (or get caught and have their servers confiscated), but if the keys do become available at some point, you can use them to restore access to your information — provided you still have it.

Why Fonix was dangerous

Fonix ransomware was also known as Xinof. Cybercriminals used both names, and encrypted files were renamed with either extension, .xinof or .fonix. Analysts described the ransomware as fairly aggressive: In addition to encrypting files on target systems, the malware tinkered with the operating system to hinder efforts to remove it. It also encrypted practically all files on the target computer, leaving only those critical to the operating system.

The malware authors leased Fonix under a ransomware-as-a-service (RaaS) model, leaving clients to perform the actual attacks. Starting around summer 2020, hacker forums saw heavy advertising for the malware. Operators were initially granted free use of the tool, giving Fonix a competitive edge; the authors took only a percentage of any ransom collected.

As a result, various unconnected campaigns helped the malware spread, usually through spam mailings, so Fonix hit both individual users and companies. Fortunately, the ransomware did not gain widespread popularity, so victims were relatively few.

Cybercrime within cybercrime

In its announcement, the Fonix group said that not all members agreed with the decision to terminate the operation. The administrator of its Telegram channel, for example, is trying to sell the ransomware source code and other data. However, that code is not real (at least, according to the Fonix group’s Twitter account), so it’s essentially a scam aimed at malware buyers. Although the only potential victims here are other cybercriminals, fraud is still fraud.

Motivation

The administrator of the FonixCrypter project said he had never intended to engage in criminal activity, but the economic downturn had led him to create the ransomware. He later deleted the source code and, citing a guilty conscience, apologized to victims and published the master key. Going forward, he said, he plans to put his knowledge of malware analysis to better use and hopes his colleagues will join him in this undertaking.

How to guard against ransomware

Fonix is no longer a problem; however, other ransomware strains are more active than ever in 2021. Our advice for staying safe is still much the same:

  • Be wary of e-mails with attachments;
  • Do not run files obtained from unverified sources;
  • Use security solutions on all home and work devices that have Internet access;
  • Make backup copies of all critical data and store it on devices not connected to your network.

Our products for home users and businesses detect Fonix (and other ransomware) proactively. Moreover, our file scanners identify Fonix before it has a chance to run.

To reiterate: If you fall victim to Fonix ransomware, you can recover your data using our RakhniDecryptor 1.27.0.0 tool, which you can download from noransom.kaspersky.com.