Like the Maze group last year, the FonixCrypter ransomware group announced over the weekend that it’s shutting down operations. However, unlike Maze, the gang has released the master decryption key. This allows the gang’s victims to decrypt their files for free.
FonixCrypter Serious About Shutting Down
The FonixCrypter ransomware group has been active since at least June 2020. The gang, which also went by the name Xonif, was not as active as other groups like REvil or Ryuk. However, it still had victims all over the world.
Nonetheless, like the Maze ransomware group early last year, FonixCrypter announced over the weekend that it was shutting down operations. The gang seems serious about closing down, although by all accounts, not all gang members are pleased. A Twitter user, claiming to be a FonixCrypter admin, tweeted on Saturday that the group’s “ransomware source is completely deleted”.
Furthermore, Allan Liska, a security researcher for Recorded Future, said the group’s Telegram channel had been removed. The gang used this channel to advertise their ransomware to other cybercriminal groups. However, as happened when the Maze group shut down, experts warn that FonixCrypter members are likely to just move to another affiliate ransomware group. Alternatively, those members who are unhappy with the shutdown could join forces and create a new operation.
Decryption Key Released for Free
As foreshadowed by the FonixCrypter admin in his tweet, the ransomware group made their decryption key available to the public. This is quite unlike Maze, which simply shut down, leaving its victims stranded. The Fonix ransomware master decryption key was released on Saturday via the group’s Telegram channel. The key came in an app, along with how-to instructions, which victims could use to recover their files for free.
However, although the decrypter app works, it isn’t exactly user friendly. The app only allows the victim to decrypt files one at a time. According to experts, the decrypter app is most likely an admin tool the gang utilised internally, probably to prove to victims that they could decrypt files before the victims sent their ransom.
Nevertheless, since the app includes the master decryption key, cybersecurity firm Emsisoft is using it to create a better decrypter. According to Michael Gillespie, an Emsisoft security researcher, their decrypter app will be available sometime this week. Victims are advised to wait for the Emsisoft decrypter, as the gang’s app could contain malware, such as a backdoor. The Emsisoft decrypter is expected to work on all versions of the Fonix ransomware, that is, Fonix ransomware that appends the .FONIX, .Fonix, .XINOF, and .repter extensions to encrypted files.
Ransomware Gang Opening New Channel
Although the gang removed its Telegram channel, the group also announced plans to open a new channel in the future. However, it is not clear what this new channel would hold. The FonixCrypter admin stated in his tweet, “we should use our abilities in positive ways and help others.” Will this happen, or will the new channel provide a new, improved ransomware strain for cybercriminals to use?