FonixCrypter Ransomware Group Throws in the Towel With MasterKey Release

• FonixCrypter gave up trying to compete with other RaaS platforms and released the master key.
• Security experts urge victims to wait for the release of a legitimate decrypter, which shouldn’t take long.
• Fonix launched in the summer of 2020 but never really got to reach high levels of success.

The FonixCrypter ransomware gang announced the end of its operations, claimed to have deleted the malware's source code, and released the master RSA key that should be good to decrypt all associated infections. The announcement came through Twitter a few hours ago, and the group promises to follow up with a detailed statement that may explain the exact reasons behind that decision. In summary, the team appears to have second thoughts about how they should use their abilities.

Not every team member agrees with this decision, though, and some, like the Telegram channel admin, for example, are actively trying to scam people and collect the last bits of money they can.

Although the decrypter that’s openly shared could be a trick to spread backdoors, security researchers from Recorded Future have tested it and confirmed that it’s indeed the master key, so you can use it to unlock your files. Of course, you can minimize the chances of finding additional trouble by waiting for a decryptor from a security firm to be released, possibly by Emsisoft or BitDefender, and this shouldn’t take more than a week.

Fonix was a group that came into existence in the summer of 2020, so the whole operation didn’t last long. Its operators previously specialized in developing binary crypters/packers, so they decided to leap to the ransomware space to pursue more money. To draw capable members in the new RaaS platform, Fonix didn’t require a cut. This helped them get some growth, but the project never really took off.

The ransomware itself uses a combination of AES, Chacha, RSA, and Salsa20 to encrypt the victim’s files. Because of this mix of multiple encryption protocols, the encryption process is significantly slower than other ransomware strains. The characteristic file extension appended by FonixCrypter is “.XINOF,” which is the name given to the drive/volume labels too.

It is likely that the Fonix team wasn’t making enough money to justify the risk of finding trouble, so they thought it’d be better to call it a day and launch a white-hat security service instead. Although there has been an explosion of ransomware infections in 2020, the space remained dominated by a handful of “big players.” Among the newcomers, the one that got to establish the strongest foothold was Egregor.