What is Fonix Ransomware

Also known as FonixCrypter, Fonix Ransomware is an infection that uses the Salsa20 and RSA 4098 algorithms to restrict access to data. It encrypts stored files of various formats: photos, videos, documents, audio, and other files that are likely to be valuable to regular users. During encryption, the virus appends a compound extension that includes the cybercriminals' e-mail address, a personal ID, and the .fonix extension at the end. Some versions of Fonix use other extensions such as .repter and .XINOF. For example, a file like 1.mp4 will be renamed to 1.mp4.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix and will have its shortcut reset as well. Once encryption finishes, it creates a special note, # How To Decrypt Files #.hta, that lays out the ransom details.
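For scoping an incident, the naming scheme described above can be parsed to recover original file names and group affected files by victim ID. This is an added example, not code from the article or from any vendor tool; it assumes the .repter and .XINOF variants use the same EMAIL=[...]ID=[...] layout as the .Fonix example, and the sample listing is constructed.

```python
import re
from collections import defaultdict

# Layout from the article: <original>.EMAIL=[<address>]ID=[<id>].<ext>
# Extensions named in the article: .fonix, .repter, .XINOF (case-insensitive here).
# Assumption: all three variants share the EMAIL=[...]ID=[...] layout.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.EMAIL=\[(?P<email>[^\]]+)\]ID=\[(?P<victim_id>[^\]]+)\]"
    r"\.(?P<ext>fonix|repter|xinof)$",
    re.IGNORECASE,
)

def parse_encrypted_name(filename):
    """Return the fields of a Fonix-style file name, or None if it does not match."""
    m = ENCRYPTED_NAME.match(filename)
    return m.groupdict() if m else None

def summarize(filenames):
    """Group original names by (victim ID, contact e-mail); list non-matching names."""
    groups = defaultdict(list)
    untouched = []
    for name in filenames:
        fields = parse_encrypted_name(name)
        if fields is None:
            untouched.append(name)
        else:
            key = (fields["victim_id"], fields["email"].lower())
            groups[key].append(fields["original"])
    return dict(groups), untouched

# Constructed directory listing; the first entry is the example from the article.
SAMPLE = [
    "1.mp4.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix",
    "report.final.docx.EMAIL=[fonix@tuta.io]ID=[1E857D00].Fonix",
    "notes.txt",
    "# How To Decrypt Files #.hta",
]

if __name__ == "__main__":
    groups, untouched = summarize(SAMPLE)
    for (victim_id, email), originals in groups.items():
        print(victim_id, email, originals)
    print("not renamed:", untouched)
```
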

Ransom notes of Fonix Ransomware (.fonix) and Repter Ransomware (.repter):
All your important files like photoes, documents, audios and etc
has been encrypted by FonixCrypter using strong cryptography algorithms Salsa20and RSA 4098
Decryption key is hold in our server
!!Recovery tools and other software will not help you !!
The only way to receive your key and decrypt your files is the payment with bitcoin
You have to 48 hours(2 Day) To contact or paying us
After that, you have to Pay Double!!
Our Email = fonix@tuta.io
in case of no answer in 24 hours write us to this Email = fonix@mailfence.com
if you don't know how to buy bitcoin you can use this link
https://www.coindesk.com information/how-can-i-buv-bitcoins
the easiest way to buy bitcoin is localBitcoins
https://localbitcoins.com/
Note: Before payment, you can contact with us and send 1 free small file (size less 2Mb) as decryption test
The test files shouldn't contain valuable data like large SQL or Backup files.
ATTENTIONS :
- Don't delete any files or rename encrypted files
- If you using other applications to decrypt, it may damage your files
- Don't find your backups? they have been Successfully encrypted too or securly wiped.
Regards-FonixTeam

-------ALL YOUR FILES HAS BEEN ENCRYPTED-------
Don't worry about anything, you can return all your files!
All your files documents, photos, databases and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
Our Email = repter@tuta.io
Your Personal ID = -
What guarantees do we give to you?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 3 file for free. File must not contain valuable information
Don't try to use third-party decrypt tools because it will destroy your files.
!! we 100% able to restore your files !!
Discount 50% available if you contact us first 48 hours
after 48 hours you should pay Double (Include this id in your message or email)
in case of no answer in 2 hours write us to this Email = Repter@elude.in
if you don't know how to buy bitcoin you can use this link
hxxps://www.coindesk.com/information/how-can-i-buy-bitcoins
the easiest way to buy bitcoin is localBitcoins
hxxps://localbitcoins.com/
Attention:
Don’t delete any files or rename encrypted files
If you using other applications to decrypt, it may damage your files
Don’t find your backups? they have been Successfully encrypted too or securly wiped.

The note claims that no third-party tools will be able to decrypt your files because the key is stored on the cybercriminals' servers. Instead, the developers propose that you buy their decryption key with Bitcoin. If you fail to do this within 2 days, your fee will be doubled immediately. They also offer detailed info on how to convert money to BTC in case you have never done it before. As a consolation bonus, the extortionists offer decryption of 1 small file for free. Despite this, it is dangerous to pay for the key because, as statistics say, they tend to dupe gullible users. Unfortunately, it is true that there are no feasible methods to unlock files encrypted by Fonix Ransomware. The best way to restore them is from an external backup of the lost files, if possible. If not, we recommend that you delete Fonix Ransomware and start making scheduled backups of valuable data at least once a month.

How Fonix Ransomware infected your computer

This ransomware:

– Deletes shadow copies of files, manipulates shadow storage size, and disables Windows recovery and repair functions at boot time with the commands:
C:\Windows\system32\cmd.exe /c cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete & bcdedit /set {default} boostatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/ & icacls * /grant Everyone:(OI)(CI)F /T /C /Q
– Disables Windows Defender and TaskManager in the registry with the commands:
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
– Adds itself to Windows Startup by registering a “PhoenixTechnology” value:
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f
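The commands above make a useful behavioural signature when process-creation logs are available. The following added example (not from the article or any vendor product) matches each listed behaviour against command lines and flags hosts that show several of them together; the host names, event tuples, and threshold are constructed assumptions.

```python
import re

# Behaviours listed in the article, each as a case-insensitive regex over a command line.
RULES = {
    "shadow_copy_deletion": r"vssadmin\s+delete\s+shadows|wmic\s+shadowcopy\s+delete",
    "boot_recovery_disabled": r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no",
    "backup_catalog_deleted": r"wbadmin\s+delete\s+catalog",
    "permissions_opened": r"icacls\s+\S+\s+/grant\s+Everyone:",
    "defender_disabled": r"reg\s+add\s.*Windows Defender.*DisableAntiSpyware.*/d\s+1\b",
    "taskmgr_disabled": r"reg\s+add\s.*DisableTaskMgr.*/d\s+1\b",
    "run_key_persistence": r'reg\s+add\s.*\\CurrentVersion\\Run(Once)?\\?\s+/v\s+"?PhoenixTechnology',
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}

def match_rules(command_line):
    """Names of all behaviours seen in one command line."""
    return sorted(name for name, rx in COMPILED.items() if rx.search(command_line))

def triage(events, threshold=3):
    """Collect distinct behaviours per host; return hosts at or above the threshold."""
    per_host = {}
    for host, command_line in events:
        per_host.setdefault(host, set()).update(match_rules(command_line))
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= threshold}

# Constructed (host, command line) events. HOST-A uses commands quoted in the
# article (first one abridged); HOST-B and HOST-C are made-up admin activity.
EVENTS = [
    ("HOST-A", r"cmd.exe /c vssadmin Delete Shadows /All /Quiet & wmic shadowcopy delete"
               r" & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet/"
               r" & icacls * /grant Everyone:(OI)(CI)F /T /C /Q"),
    ("HOST-A", r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"'
               r" /v DisableAntiSpyware /t REG_DWORD /d 1 /f"),
    ("HOST-A", r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ "
               r'/v "PhoenixTechnology" /t REG_SZ /d C:\Users\Admin\AppData\Local\TempFonixCrypter.exe /f'),
    ("HOST-B", r"vssadmin list shadows"),
    ("HOST-C", r"vssadmin delete shadows /for=C: /oldest"),
]

if __name__ == "__main__":
    for host, behaviours in triage(EVENTS).items():
        print(host, behaviours)
```

Requiring several distinct behaviours per host keeps a single legitimate shadow-copy cleanup (HOST-C) from raising an alert.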

It is no secret that malware lurks in many corners of the Internet, and Fonix is no exception. It can attack your system via e-mail spam, trojans, fake software cracking tools, backdoors, keyloggers, and other atrocious ways. E-mail spam is a convenient channel for bundling malicious attachments and sending them all over the web. Receiving a message from an unknown address has become quite common, because advertising companies do everything possible to push subscriptions to daily newsletters and other content. If you see somebody asking you to open or download suspicious links or files (MS Office documents, PDFs, executables, and JavaScript files), we recommend against it, because they could be used for distributing malware. If you are wondering how to keep your mailbox protected and clean, we have gathered a couple of programs below that will help you do so.

  1. Download Fonix Ransomware Removal Tool
  2. Get decryption tool for .fonix, .repter or .XINOF files
  3. Recover encrypted files with Stellar Data Recovery Professional
  4. Restore encrypted files with Windows Previous Versions
  5. Restore files with Shadow Explorer
  6. How to protect from threats like Fonix Ransomware

Download Removal Tool

To remove Fonix Ransomware completely, we recommend using WiperSoft AntiSpyware from WiperSoft. It detects and removes all files, folders and registry keys of Fonix Ransomware and prevents future infections by similar viruses.

Alternative Removal Tool

Download SpyHunter 5

To remove Fonix Ransomware completely, we recommend using SpyHunter 5 from EnigmaSoft Limited. It detects and removes all files, folders and registry keys of Fonix Ransomware. The trial version of SpyHunter 5 offers a virus scan and 1-time removal for FREE.

Fonix Ransomware files:


# How To Decrypt Files #.hta
TempFonixCrypter.exe
cpub.key
cpriv.key
{randomfilename}.exe

Fonix Ransomware registry keys:

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"
HKLM\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"
HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"
HKLM\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology = "C:\\Users\\Admin\\AppData\\Local\\TempFonixCrypter.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\PhoenixTechnology
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\repter\Index
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\repter\Id
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PhoenixTechnology

How to decrypt and restore .fonix, .repter or .XINOF files

Use automated decryptors

Download Kaspersky RakhniDecryptor

Use the following tool from Kaspersky, called Rakhni Decryptor, which can decrypt .fonix, .repter or .XINOF files. Download it here:

Download RakhniDecryptor

There is no point in paying the ransom: there is no guarantee you will receive the key, and you will put your bank credentials at risk.

Dr.Web Rescue Pack

The well-known antivirus vendor Dr. Web provides a free decryption service for owners of its products: Dr.Web Security Space or Dr.Web Enterprise Security Suite. Other users can ask for help with decrypting .fonix, .repter or .XINOF files by uploading samples to the Dr. Web Ransomware Decryption Service. File analysis is performed free of charge, and if the files are decryptable, all you need to do is purchase a 2-year license of Dr.Web Security Space worth $120 or less. Otherwise, you don’t have to pay.

If you were infected with Fonix Ransomware and have removed it from your computer, you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to restore your files manually, you can do the following:

Use Stellar Data Recovery Professional to restore .fonix, .repter or .XINOF files

  1. Download Stellar Data Recovery Professional.
  2. Click the Recover Data button.
  3. Select the type of files you want to restore and click the Next button.
  4. Choose the location you would like to restore files from and click the Scan button.
  5. Preview the found files, choose the ones you want to restore and click Recover.
Download Stellar Data Recovery Professional

Using Windows Previous Versions option:

  1. Right-click on the infected file and choose Properties.
  2. Select the Previous Versions tab.
  3. Choose a particular version of the file and click Copy.
  4. To restore the selected file and replace the existing one, click on the Restore button.
  5. If there are no items in the list, choose an alternative method.

Using Shadow Explorer:

  1. Download the Shadow Explorer program.
  2. Run it and you will see a listing of all the drives and the dates on which shadow copies were created.
  3. Select the drive and date that you want to restore from.
  4. Right-click on a folder name and select Export.
  5. If there are no other dates in the list, choose an alternative method.

If you are using Dropbox:

  1. Log in to the Dropbox website and go to the folder that contains the encrypted files.
  2. Right-click on the encrypted file and select Previous Versions.
  3. Select the version of the file you wish to restore and click on the Restore button.

How to protect your computer from viruses like Fonix Ransomware in the future

1. Get special anti-ransomware software

Use BitDefender Anti-Ransomware

The well-known antivirus vendor BitDefender has released a free tool that provides active anti-ransomware protection as an additional shield on top of your current protection. It will not conflict with larger security applications. If you are looking for a complete internet security solution, consider upgrading to the full version of BitDefender Internet Security 2018.

Download BitDefender Anti-Ransomware

2. Back up your files

As an additional way to save your files, we recommend online backup. Local storage, such as hard drives, SSDs, flash drives or remote network storage, can be infected by the virus as soon as it is plugged in or connected. Fonix Ransomware uses some techniques to exploit this. One of the best services and programs for easy automatic online backup is iDrive. It has the most profitable terms and a simple interface. You can read more about iDrive cloud backup and storage here.

3. Do not open spam e-mails and protect your mailbox

Malicious attachments in spam or phishing e-mails are the most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications and provides a very high level of anti-spam protection.

Download MailWasher Pro