Fonix Ransomware Removal Guide

Windows systems that are protected should not face Fonix Ransomware, but, unfortunately, not all systems are protected. Even if you think that you have nothing to worry about, a cleverly worded email or an attractive downloader could be used to infiltrate malware stealthily. If the security tools and systems you are using are not able to identify and remove the infection immediately, it can go on to encrypt your most sensitive personal files. What happens once that is done? Well, the truth is that there aren’t many options. You could try using a legitimate decryptor, but we could not find a working one at the time or research. You could forget about the decryption altogether and replace the corrupted files with copies. Or you could follow the demands of cybercriminals. Of course, we do not recommend doing that. Continue reading to learn why, as well as how to delete Fonix Ransomware from Windows.

Perhaps you know exactly how cybercriminals managed to infiltrate Fonix Ransomware, or perhaps you have no clue how or when this malware slithered in. In either case, this malware is all about encrypting files, and it does not wait to do that. After encryption, the “.EMAIL=[fonix@tuta.io]ID=[unique ID number].Fonix” extension should be appended to the original names of the corrupted files. It is notable that the threat purposefully avoids files with .MSI, .REG, and .SYS extensions. The rest are encrypted using Salsa20 and RSA-4098 algorithms. Although Fonix Ransomware appears to be all about destruction, it drops a few additional files. On the Desktop, you might find “Cpriv.key,” “Cpub.key,” and “SystemID,” and everywhere where encrypted files are, you should find “# How To Decrypt Files #.hta.” This is what we recognize as the ransom note, and most ransomware – including CLUB Ransomware, Iiss Ransomware, or Efji Ransomware – present a note like that in one way or another. Generally, ransom note files can be opened without trouble, but they should be removed along with other ransomware components.

The ransom note introduced by Fonix Ransomware is meant to convince its victims that they can obtain a file decryptor from the attackers. Victims can even send one file to have decrypted for free. This is a tactic used to ensure people that they would be sent a decryptor as soon as the instructions were complete. That said, the initial ransom note does not provide these instructions. You are simply told to send an email to fonix@tuta.io and/or fonix@mailfence.com, and once you did that, the attackers should send you the missing information. Even if the ransom is not that big, we do not recommend paying it because there is no proof that a decryptor would be sent to you if you followed the instructions. Without a doubt, it is in the nature of cybercriminals to promise something and then fail to deliver on those promises. So, if you do not want to be duped out of your money, we suggest that you do not even contact the attackers behind Fonix Ransomware. If you have emailed them already, please watch out for extortion and spam emails.

The guide below demonstrates how to remove Fonix Ransomware components. As you can see, there are quite a few of them. Unfortunately, we cannot tell you how to find the main file, which is the launcher of the infection. This .exe file could have been dropped to the Desktop, in the %TEMP% directory, or somewhere else completely. Its name also should be random. If you can locate and remove this file, eliminating the remaining components should not be difficult. And what about your system’s protection? If you cannot secure your system yourself, this is the time you install anti-malware software that will take care of things automatically. It also can delete Fonix Ransomware and other active threats, some of which you might know nothing about. To add protection to your files, always create their copies. Also, store them outside the original location. If you have copies of the corrupted files stored safely, you can use them as replacements after the removal of the infection.

Delete Fonix Ransomware

1. Go to the Desktop and Delete the files named Cpriv.key, Cpub.key, and SystemID.
2. Delete the {unknown name}.exe file that launched the threat (location unknown).
3. Open File Explorer by tapping Windows and E keys on the keyboard together.
4. Enter %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ into the field at the top.
5. Delete the file named # How To Decrypt Files #.hta. Also, Delete all copies of this file.
6. Open Run by tapping Windows and R keys and then enter regedit into the dialog box.
7. In Registry Editor, move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
8. Delete the value named PhoenixTechnology.
9. Move to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce.
10. Delete the value named PhoenixTechnology.
11. Exit Registry Editor and File Explorer and then Empty Recycle Bin.
12. Install a trusted malware scanner to check if you need to delete anything else.