Safe-to-Use Decryptors for the Fonix Ransomware Are Now Available

Written by Bill Toulas
Last updated June 23, 2021

A week ago, the FonixCrypter ransomware group released the master RSA key and declared the end of its malicious operations. Security researchers immediately confirmed that the key was valid, but we cautioned you not to use it for decryption as a subsequent malware infection remained a possibility.

Instead, we advised you to wait for a security firm to release an official and safe-to-use decryptor for the particular ransomware family and estimated that this shouldn’t take long. Indeed, Bitdefender and Kaspersky, two reputable security software vendors, have already released Fonix decryptors for free, so a week after, you even have a choice.

Starting with Bitdefender’s solution, the requirements for it to work properly and decrypt the files is to have an active internet connection on the infected PC and to have at least one cpriv.key file on the system. The tool can decrypt either individual files or entire locations, and it can also scan the entire system to search for all encrypted files. Also, it has a safety precaution in the form of a backup system, so if the decryption fails for any reason, the files in their still-locked form remain retrievable.

Kaspersky followed a different approach, that of adding the Fonix key on an omni-decryptor that can deal with Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman (TeslaCrypt) version 3 and 4, Chimera, Crysis (versions 2 and 3), Jaff, Dharma, new versions of the Cryakl, Yatron, and FortuneCrypt infections.

We wouldn’t suggest that you prefer either solution, as we have no way to tell which one is more reliable or faster in the decryption process, so the choice is yours to make. Both are completely free to download and use without any limitations or licensing requirements, and both should work perfectly fine for the purpose.

As for Fonix, subsequent tweets from the ransomware gang explained that the project was only started because of the bad economic situation and that the operators never really found comfort in the cyber-crime space. Closing down their operation allegedly brought exultation for the actors, who claim to have had ethical moils. The actors are now planning to launch a malware analysis website to make up for their previous activities.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: