The cybercriminals behind the Fonix ransomware have announced plans to shut down their operations and the master decryption key for the malware has already been released.
The malware has been in service since June 2020, also known as FonixCrypter and Xonif, with several versions observed since. The ransomware will apply to the infected files the extensions .FONIX, .XINOF, .Fonix, or .repter.
You know the Fonix squad, but we’ve drawn a decision. In constructive ways, we should use our expertise to support others. […] Anyway, the main administrator has now agreed to set aside all previous work and decrypt all infected systems at no cost. And the decryption key will be open to the public,’ declared the cyber-group on Twitter.
End of FonixCrypter Project :#Fonix #ransomware #XINOF #FonixCrypter #close_project #hack #Malware #raas #ransomware_as_a_service pic.twitter.com/wQdmp61juX
— fnx (@fnx67482837) January 29, 2021
The operators also said in the shutdown announcement that the source code of the ransomware was removed, but warned that some people involved in the project might try to cheat others by selling fake code to them.
The group shared a connection to the master RSA key needed to retrieve encrypted files in a separate post on the social network, as well as to a sample decrypter, which victims can use to reclaim their files without having to pay a ransom.
Fonix Ransomware Master RSA Key (Spub.key & Spriv.key) and Sample Decryptor : #Fonix #ransomware #XINOF #FonixCrypter #close_project #hack #Malware #raas #ransomware_as_a_servicehttps://t.co/JcijzvOKvf
— fnx (@fnx67482837) January 29, 2021
They have confirmed that to get their files decrypted for free, victims should send emails to XINOF[@] cock.li. In addition, the Fonix operators promised to assist security researchers in developing ransomware decryption tools.
Because of their weak financial condition, the Fonix project was released, according to its operators, and the shutdown will make the developers from feeling guilty.
Although the community did not make it clear what prompted the decision to close the operation, it should be remembered that other operators of ransomware, including those behind GandCrab, Shade, and TeslaCrypt, have taken similar moves in the past.
The closure announcement by Fonix was made the same week as law enforcement announced that the technology behind the huge Emotet botnet was interrupted and taken over by officials, with a cleanup operation expected to begin in the next few months.
