Fonix Ransomware Removal Guide

Do you know what Fonix Ransomware is?

Fonix Ransomware is like an avalanche that takes down everything in its way. It encrypts practically all files, with a few exceptions such as those with the .reg, .msi, .sys and a handful of other uncommon extensions. Once files are encrypted, their owner can no longer open them, and it takes no time at all to see which files were affected because the extension “.EMAIL=[fonix@tuta.io]ID=[*].Fonix” is appended to their names (the asterisk stands for the ID assigned to the infected system). You can strip that extension and rename the file, but if you think that this restores it, you are mistaken: the contents remain encrypted, and renaming does nothing to them. To restore the files you need to decrypt them, and that is easier said than done. It requires both the decryption key and a decryption tool, and when we tested the removal of Fonix Ransomware, neither was publicly available.

According to our team, Fonix Ransomware encrypts files with a combination of Salsa20 and RSA (the figure given is RSA 4098; that is not a standard modulus size, and 4096 is presumably what is meant). In a hybrid scheme of this kind the Salsa20 key that actually scrambles the file contents is itself encrypted with the attackers' RSA public key, so without the matching private key neither key can be recovered and manual decryption is out of the question. That is exactly what the attackers want: if no other solution exists, the one they offer might sound genuine. When files are encrypted, you should find Cpriv.key, Cpub.key, and SystemID files dropped on the Desktop. The most important file, however, is “# How To Decrypt Files #.hta”, copies of which are dropped in every affected folder. Opening it displays the attackers' message. It greets you with “ALL YOUR FILES HAS BEEN ENCRYPTED!!!” and then informs you that you must send bitcoins (cryptocurrency) to the attackers in exchange for a decryptor. The note declares that you have 48 hours to pay before the sum increases.

You cannot pay the ransom requested by Fonix Ransomware right away. First, you are instructed to email fonix@tuta.io or fonix@mailfence.com. The note offers to decrypt “1 free small file” as proof, but do not take this as a sign that all of your files would be decrypted after payment. We cannot know what sum the attackers would demand for a decryptor, but we can assure you that your chances of receiving a working one are slim. Fonix Ransomware was created to extort money, and anything beyond that is of no interest to the attackers; most likely you would be left empty-handed. In fact, the only thing you are likely to receive is more malicious email, which is why we do not recommend giving up your address by contacting them. Keep in mind for the future that ransomware of this kind is usually spread with the help of misleading emails, and that malware downloaders and exposed or weakly protected Remote Desktop (RDP) services are used as well.

Backups can save the day, if you have them. Copies stored online or on external drives can replace the encrypted files, but you must delete Fonix Ransomware first, and you should not plug in a backup drive or sign in to a synced cloud folder until the system is clean, or the backup copies may be encrypted as well. What if backups do not exist? In that case not much can be done at this point. You can move your encrypted files into one folder and wait; maybe a free decryptor will be built one day, but we would not bet on it. Thousands of file-encrypting threats exist, and it is impossible to create free decryptors for all of them. In any case, removing Fonix Ransomware is a must. You can install anti-malware software, and it will erase this malware automatically. It will also secure your system, which you need if you want to avoid new attacks. Alternatively, you can try erasing this threat yourself, but only if you know what you are doing.

Remove Fonix Ransomware

  1. Delete recently downloaded files. The goal is to delete the {random name}.exe launcher file; the data of the Run value you remove in step 9 shows its full path.
  2. Simultaneously tap Windows+E keys to open the File Explorer window.
  3. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the address bar at the top of the window.
  4. Delete the ransom note file named # How To Decrypt Files #.hta (it is placed in this folder so that the note opens at every logon).
  5. Delete every copy of the # How To Decrypt Files #.hta file (in all affected folders). Before you do, keep one copy, together with the Cpriv.key, Cpub.key and SystemID files from the Desktop, in a safe folder: a decryptor, if one is ever released, is likely to need them.
  6. Simultaneously tap Windows+R keys to open the Run dialog box.
  7. Type regedit into the dialog box and click OK to open the Registry Editor window.
  8. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
  9. Delete the value named PhoenixTechnology.
  10. Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce and repeat step 9.
  11. Empty Recycle Bin and then immediately run a full system scan. Only after the scan comes back clean should you reconnect external drives or restore from backup; a drive attached while the malware is still active can be encrypted too.
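The PowerShell script below is an added example; it is not part of the original guide and not one of the malware's own files. It turns the indicators from the steps above into a read-only triage pass: it copies the Desktop key files and one ransom note to an evidence folder, inventories encrypted files by the appended extension (recovering the original file name and the system ID from it), and reports whether the Startup note and the PhoenixTechnology Run/RunOnce value are still present. The note name, extension pattern, Startup path and registry value are taken from the steps above; the scan roots, the evidence folder name and the CSV report are assumptions of the example. It deletes nothing, so the manual steps still apply once you have read its output.

```powershell
# Added example, not part of the original guide: read-only triage for the Fonix
# indicators listed in the removal steps above.
# Assumptions: the appended extension, the note name, the Startup folder and the
# "PhoenixTechnology" Run/RunOnce value are exactly as the guide describes them.
[CmdletBinding()]
param(
    # Folders to inventory; this default list is a constructed example.
    [string[]]$ScanRoots = @($env:USERPROFILE, 'D:\'),
    # Where a copy of the note and the Desktop key files is kept for a future decryptor.
    [string]$EvidenceDir = (Join-Path $env:USERPROFILE 'Fonix-evidence')
)

$NoteName   = '# How To Decrypt Files #.hta'
$RunValue   = 'PhoenixTechnology'
$StartupDir = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$RunKeys    = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Matches "<original name>.EMAIL=[fonix@tuta.io]ID=[<system id>].Fonix"
$ExtRegex   = '^(?<orig>.+)\.EMAIL=\[(?<mail>[^\]]+)\]ID=\[(?<id>[^\]]+)\]\.Fonix$'

# 1. Preserve what a decryptor, if one is ever published, is likely to need.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$desktop = [Environment]::GetFolderPath('Desktop')
foreach ($name in 'Cpriv.key', 'Cpub.key', 'SystemID') {
    $src = Join-Path $desktop $name
    if (Test-Path -LiteralPath $src) { Copy-Item -LiteralPath $src -Destination $EvidenceDir -Force }
}

# 2. Inventory encrypted files and ransom-note copies under the scan roots.
$encrypted = @()
$notes     = @()
foreach ($root in $ScanRoots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    foreach ($f in Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue) {
        if ($f.Name -eq $NoteName) {
            $notes += $f.FullName
        } elseif ($f.Name -match $ExtRegex) {
            $encrypted += [pscustomobject]@{
                Path     = $f.FullName
                Original = $Matches['orig']   # name to restore to after decryption
                Email    = $Matches['mail']
                SystemId = $Matches['id']
            }
        }
    }
}
if ($notes.Count -gt 0) { Copy-Item -LiteralPath $notes[0] -Destination $EvidenceDir -Force }

# 3. Persistence: the note in the Startup folder and the Run/RunOnce value.
$persist     = @()
$startupNote = Join-Path $StartupDir $NoteName
if (Test-Path -LiteralPath $startupNote) { $persist += "Startup note: $startupNote" }
foreach ($key in $RunKeys) {
    $item = Get-ItemProperty -Path $key -Name $RunValue -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        # The value's data is the command line, i.e. the path of the launcher from step 1.
        $persist += "$key\$RunValue = $($item.$RunValue)"
    }
}

# 4. Report. Nothing is deleted here; follow the manual steps once the evidence copy exists.
"Encrypted files : $($encrypted.Count)"
$encrypted | Group-Object SystemId | ForEach-Object { "  ID $($_.Name): $($_.Count) file(s)" }
"Ransom notes    : $($notes.Count)"
"Persistence     : $($persist.Count)"
$persist | ForEach-Object { "  $_" }
if ($encrypted.Count -gt 0) {
    $encrypted | Export-Csv -LiteralPath (Join-Path $EvidenceDir 'encrypted-files.csv') -NoTypeInformation
}
```

Run it from a PowerShell prompt before starting the manual steps, then again after step 11: a second pass that reports zero persistence entries and no Startup note confirms that the launcher no longer starts with Windows, while the CSV in the evidence folder gives you the list of files (and their original names) to restore from backup or to hand to a decryptor later.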

In non-techie terms:

Fonix Ransomware can slither into your operating system through openings that you yourself might leave: a misleading email attachment, an unpatched program, or an exposed Remote Desktop connection. Therefore, the first thing to worry about is your system's security. Installing anti-malware software is the best move you can make because, besides providing ongoing protection, it can also delete Fonix Ransomware automatically. Can you remove this threat manually? Perhaps, but you must locate the launcher first, and we cannot tell you its location because its name and path vary. Once the threat is gone, you can replace the encrypted files with copies stored outside the infected computer.