FonixCrypter ransomware gang releases master decryption key

[Image: FonixCrypter logo. Image: ZDNet]

The cybercrime group behind the FonixCrypter ransomware announced on Twitter today that they have deleted the ransomware's source code and intend to discontinue its operation.

As a gesture of goodwill towards past victims, the FonixCrypter gang also released a package containing a decryption tool, usage instructions, and the ransomware's master decryption key.

These files can be used by previously infected users to decrypt and recover their files for free, without having to pay for a decryption key.

Allan Liska, a security researcher at the threat intelligence firm Recorded Future, tested the decrypter at ZDNet's request earlier today and confirmed that the FonixCrypter app, instructions, and master key work as advertised.

“The decryption key provided by the actors behind the Fonix ransomware appears to be legal and was thought to require each file to be decrypted separately,” Liska told ZDNet.

“The most important thing is that they included the master key, which would enable someone to build a much better decryption tool,” he added.

Michael Gillespie, a security researcher at Emsisoft who specializes in breaking ransomware encryption, is currently working on a better decrypter, he told ZDNet earlier today in an online chat. Users are advised to wait for the Emsisoft decrypter rather than use the one provided by the FonixCrypter gang, which could easily contain other malware, such as backdoors, that victims might unwittingly install on their systems.

[Image: The decryption tool released today by the FonixCrypter gang. Image: ZDNet]

Before today's announcement, the FonixCrypter ransomware gang had been active since at least June 2020, according to Andrew Ivanov, a Russian security researcher who has been tracking ransomware strains on his personal blog for the past four years.

Ivanov’s FonixCrypter blog entry shows a history of constant updates to the FonixCrypt code, with at least seven different FonixCrypt variants released last year.

Although the ransomware's source code may not have been top notch, the ransomware worked and was used in the wild last year, claiming victims around the world.

Currently, all indications are that the FonixCrypter gang is serious about its plans to shut down. Liska said the FonixCrypter gang today deleted its Telegram channel, where it usually advertised the ransomware to other criminal groups, but the Recorded Future analyst also pointed out that the group plans to open a new channel soon.

However, the FonixCrypter gang did not specify whether this new Telegram channel will be used to offer a new and improved ransomware strain. In a message posted on Twitter, the group claims that it intends to move away from ransomware and use its capabilities in ‘positive ways’. Whatever that means.

[Image: The FonixCrypter gang's Twitter announcement. Image: ZDNet]
