Kaspersky has released a decryptor for the Fonix Ransomware (XONIF) that allows victims to recover their encrypted files for free.
Fonix Ransomware, also known as Xinof and FonixCrypter, launched in June 2020 but increased its number of victims significantly starting in November 2020.
Last Friday, one of the Fonix ransomware admins tweeted that they have shut down the ransomware operation and released the master decryption key.
“I’m one fonix team admins.
you know about fonix team but we have come to the conclusion.
we should use our abilities in positive ways and help others.
Also rans0mware source is completely deleted, but some of team members are disagree with closure of the project, like telegram channel admin who trying to scam people in telegram channel by selling fake source and data.
Anyway now main admin has decided to put all previous work aside and decrypt all infected systems at no cost.” – FonixTeam
The Fonix ransomware admin told BleepingComputer that they had encrypted approximately 5,000 to 6,000 systems throughout the operation.
Soon after they shared the decryption key, Michael Gillespie confirmed with BleepingComputer that the key was valid and could be used to decrypt a victim’s files.
Decrypting the Fonix Ransomware
The good news is that if you have been infected with the Fonix Ransomware, you can now decrypt your files for free using an updated version of Kaspersky’s RakhniDecryptor.
Download the decryptor to a device with encrypted files and start the program. You will be asked to agree to a license agreement, and then the main interface will appear.
When you are ready to decrypt your files, click on the Start Scan button, and the decryptor will ask you to select an encrypted file.
Once selected, the decryptor will look for your decryption key and, when found, begin to decrypt your files. BleepingComputer has tested the decryptor on an encrypted computer and was able to decrypt the files.
After you have decrypted your files and determined that they are opening correctly, you can delete the leftover encrypted files.
For those who need help getting started using the decryptor, please read this…