How to Remove XINOF Ransomware

If you’ve had the unfortunate pleasure of falling victim to XINOF ransomware, you’re probably desperately searching online for a guide on how to remove XINOF ransomware. This is that guide. In it, you’ll find a detailed description of XINOF ransomware, why you don’t need to panic if you fall victim to it, and — most importantly — how to remove it. It’s also critical that you don’t give in to the demands of whoever has infected your PC; read through this guide carefully and thoroughly before implementing the steps outlined below.

What is XINOF Ransomware?

XINOF ransomware is a variant of the Fonix ransomware family, first discovered by dnwls0719 — an anonymous, self-proclaimed “ransomware hunter.” They provide regular updates about how to decrypt ransomware from their Twitter account.

When a file on your PC is encrypted by XINOF, its name is changed to something like this: original file name + cyber attacker’s email address + unique ID + .XINOF file extension.

Any files on your device with this kind of extension have been encrypted by XINOF, and you won’t be able to access the data in them unless you follow through on the cyber attacker’s demands.

Typically, you’ll receive instructions on what to do next through a “howtodecryptfiles.hta” pop-up, or when clicking on the encrypted file, a help.txt document will appear.

The instructions usually include emailing the cyber attacker within 48 hours and paying an undisclosed amount through the typically untraceable cryptocurrency Bitcoin.

The exact ransom message may differ. You could be given up to 72 hours or a different price to decrypt your files.

But, as you’ve probably already assumed — if you’re thinking rationally — the ransomware criminals have no reason to decrypt your files after you’ve sent the ransom. So before you attempt to follow through on their demands, continue reading to learn how to remove XINOF ransomware from your PC.

How to Remove XINOF Ransomware

If you’ve fallen victim to XINOF ransomware, don’t panic. Many ransomware messages contain threats that you’d have to pay double if you don’t make contact or pay within the first few hours. Cybercriminals typically use a 24 or 48-hour countdown to prompt victims to act.

However, many have speculated that hackers using XINOF ransomware have no way of knowing when your PC was infected, making these countdowns redundant. The same applies to threats of paying more if you don’t act quickly.

Think about it. If there is a likelihood that your data will be destroyed after the time frame, paying the ransom doesn’t protect you from that possibility.

Instead, many hackers withhold the decryption key in the hope of getting victims to pay more money. Now that you’re aware of this, you should look into a ransomware decryption tool.

Ransomware Decryption Tool

When XINOF ransomware became active in June 2020, it became one of the most prevalent forms of ransomware. One reason it became so prevalent was that it was effective at making its creators money.

XINOF ransomware was built using C++ and used three encryption keys, making it very hard to decrypt; it was essentially ironclad.

But in February 2021, eight months after XINOF launched and after it had earned its developers lots of money, an admin for XINOF announced the team was shutting down the ransomware.

As a result, the admin released a decryptor tool and master decryption key to help victims decrypt their documents.

But the decryptor tool the admin released only decrypts one file at a time; it is the same tool the admins used when a victim was prompted to send three files as a test. Because it handles only one file at a time, this decryption tool is of little practical value. Thankfully, Avast has built a ransomware decryption tool you can use to decrypt your XINOF files for free. You can access it by following the steps below:

Visit Avast’s List of Ransomware Tools

To access the XINOF ransomware decryption tool, visit Avast’s ransomware list. 

Select Fonix

On the list, scroll down to Fonix — the ransomware family that XINOF belongs to and that encrypted your files.

Download the Fonix Decryption Tool

Beneath Fonix, you can download the free ransomware decryption tool by clicking on the “Download Fonix Fix” button.

How to Get Rid of Ransomware Without Paying

The first two steps in this process are preventative and meant to stop ransomware from spreading. Typically, it takes ransomware five minutes to encrypt 100,000 files. Therefore, the quicker you implement the first two steps, the less effect ransomware will have on your device.

  • Turn Off Wifi and Put the Device on Airplane Mode

The moment you realize you’ve downloaded an infected file or your device has been compromised by some other means, you must disconnect from the internet as soon as possible. This means turning off your wifi, disconnecting any ethernet cables, turning off Bluetooth, and then turning on airplane mode.

This should stop the ransomware from spreading and may even help you further along as you may have time to save some of your files or — best case scenario — stop the ransomware from becoming effective.

The important thing here is speed. Ensure you’ve quickly disconnected from the internet and turned on airplane mode in under one minute, as ransomware can encrypt hundreds of thousands of files in as little as five minutes and typically targets the most important files first.

  • Disconnect all External Devices 

Now, unplug any external device: a phone, webcam, USB drive, or external hard drive. Ransomware is fast acting, so make sure everything that could get infected is disconnected from your device.

  • Run an Antivirus to Find and Remove the Ransomware

Once you are confident you’ve isolated your device, run your antivirus software — specifically a virus scan. Your antivirus software should be able to pinpoint the file containing the ransomware. Delete this file.

  • Use a Decryption Tool on Affected Files

With XINOF ransomware, thankfully, you have a ransomware decryption tool. If you haven’t already, download Fonix Fix on another PC and transfer it to the affected device. If you’re confident the ransomware has been removed from your PC, you can download it directly on that PC instead. Now, run the affected files through the decryption tool.

How to Remove Encryption Ransomware

If you don’t have an antivirus or your antivirus isn’t picking up the ransomware, you may be unable to carry out the above steps. This doesn’t mean you can’t remove the ransomware; rather, it means you’ll have to follow a different process to remove the ransomware and gain access to your files. The steps below will work on Windows devices.

Step 1: Disconnect from the Internet

Whenever you need to remove ransomware from a PC, your first step will always be to disconnect from the internet. Ransomware needs to communicate with its command and control servers to be effective, and disconnecting the PC from the internet stops the ransomware from spreading.

Step 2: Check Your Host File (on Windows)

Go to the start menu, find Notepad, and right-click it to run as administrator. When prompted about whether you are sure you want to run Notepad as an administrator, select “yes.”

In Notepad, navigate to “File” and then “Open.”

Select “This PC,” followed by your system drive “Windows (C:).” Now open the folder titled “Windows,” then the folder titled “System32.” Once in System32, open “drivers,” followed by “etc.”

Your screen may be blank at this point. If that’s the case, go to the drop-down menu next to “File name” and select “All Files.”

Select the “hosts” file to open it.

The last system-supplied line of this file is “# ::1 localhost.” If there is any text after it that you didn’t add yourself, delete it and save the file.

Step 3: Reboot Your PC in Safe Mode

In safe mode, your PC only runs essential system programs, meaning the ransomware won’t run in safe mode.

To boot your PC into safe mode, press the Windows key and the letter “R” together. In the window that appears, type “MSConfig” and press Enter.

Select the “Boot” tab at the top of the window, then tick the “Safe boot” checkbox under “Boot options.” Then select “Apply” and “Restart.”

Your PC will restart, running in safe mode.

Step 4: Manually Remove the Ransomware

If you know the name of the ransomware, in this case XINOF or Fonix, search for it in the search bar of your PC’s File Explorer. Search for XINOF.exe.

Press Shift+Delete to permanently delete the files that appear. Also search for and permanently delete the following files:

  • %User Temp%\IXP000.TMP\SystemScheduler.exe
  • %User Temp%\IXP000.TMP\Cpriv.key
  • %User Temp%\IXP000.TMP\Cpub.key
  • %User Temp%\IXP000.TMP\SystemID
  • %User Temp%\IXP000.TMP\Help.txt
  • %User Temp%\Cpriv.key
  • %User Temp%\Cpub.key
  • %ProgramData%\Cpriv.key
  • %ProgramData%\Cpub.key
  • %ProgramData%\CrptSrvcFLG
  • %ProgramData%\SystemID
  • %ProgramData%\Help.txt
  • %ProgramData%\Hello {Name}
  • %ProgramData%\How To Decrypt Files.hta
  • %User Startup%\XINOF.exe
  • {Encrypted Directory}\Cpriv.key
  • {Encrypted Directory}\Help.txt
  • {Encrypted Directory}\How To Decrypt Files.hta

These are the other files the ransomware drops onto your system.

Note: When searching for these files, be sure you’ve also selected hidden files.

Step 5: Prevent Ransomware from Running at Start-Up

If any ransomware remains, this step will be essential. 

Navigate to the start menu and type in “startup apps.” Click on the app that appears to get a list of the apps that run when you turn on your PC. Turn off startup for all non-essential apps, including any you don’t recognize.

Step 6: Remove Suspicious Apps

Ransomware typically enters your device through a vulnerability — in this case, a suspicious/malicious app.

Once again, navigate to your start menu and search for “control panel,” click on it to open, and then navigate to “uninstall a program” beneath “Programs.”

A list of programs installed on your PC will appear. Click the “Installed On” column to sort by most recent. Select any suspicious or potentially malicious programs, followed by “Uninstall.”

Step 7: Clear Your PC’s Temporary Files

Despite completing all these steps, ransomware can linger in one additional space: your temporary files.

Navigate to the start menu, enter “disk cleanup,” and click on it. After it runs, it lists the categories of files you can clear. Select only “Temporary Internet Files” and “Temporary Files,” then click OK and confirm the deletion.

Step 8: Clean Your PC’s Registry

Ransomware may add entries to your device’s registry so that it can resurface. But cleaning your registry requires care and attention, as one wrong move could break your PC.

If you’re uncomfortable with that possibility, contact a professional or use a registry cleaning tool; otherwise, follow the steps below.

First, navigate to the start menu, search “registry editor,” and open it.

Back up the registry by selecting the file menu and export; follow this up by choosing a location for the file and naming the backup.

In the registry, go to:

HKEY_LOCAL_MACHINE —> SOFTWARE —> Microsoft —> Windows —> CurrentVersion —> Run

Now delete any values named “Fonix” or “XINOF.”

Beneath the “Run” key should be the “RunOnce” key. Select it and delete any values named Fonix or XINOF.

Then repeat the same process under HKEY_CURRENT_USER:

HKEY_CURRENT_USER —> SOFTWARE —> Microsoft —> Windows —> CurrentVersion —> Run

Again, delete any values named “Fonix” or “XINOF,” then select the “RunOnce” key beneath “Run” and delete any values named Fonix or XINOF there too.
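The manual checks in Step 2 (hosts file), Step 4 (dropped files) and Step 8 (Run/RunOnce keys) can be run together as one read-only triage script. The PowerShell below is an added example, not part of this guide or of any vendor tool; it assumes %User Temp% is $env:TEMP and %User Startup% is the current user’s Startup folder, only reports what it finds, and deletes nothing.

```powershell
# Added triage script (not from the guide). Read-only: reports indicators, deletes nothing.
# Assumes %User Temp% = $env:TEMP and %User Startup% = the user's Startup folder.

# Step 2: hosts-file lines that are neither blank nor comments. The guide says the last
# system-supplied line is "# ::1 localhost", so anything printed here was added later.
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Write-Host "== Non-comment entries in $hostsFile =="
Get-Content $hostsFile | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# Step 4: fixed-path files the guide lists as dropped by XINOF.
# ({Encrypted Directory} and "Hello {Name}" entries vary per system and are omitted.)
$userTemp    = $env:TEMP
$userStartup = [Environment]::GetFolderPath('Startup')
$dropped = @(
    "$userTemp\IXP000.TMP\SystemScheduler.exe",  "$userTemp\IXP000.TMP\Cpriv.key",
    "$userTemp\IXP000.TMP\Cpub.key",             "$userTemp\IXP000.TMP\SystemID",
    "$userTemp\IXP000.TMP\Help.txt",             "$userTemp\Cpriv.key",
    "$userTemp\Cpub.key",                        "$env:ProgramData\Cpriv.key",
    "$env:ProgramData\Cpub.key",                 "$env:ProgramData\CrptSrvcFLG",
    "$env:ProgramData\SystemID",                 "$env:ProgramData\Help.txt",
    "$env:ProgramData\How To Decrypt Files.hta", "$userStartup\XINOF.exe"
)
Write-Host "== Dropped-file indicators present =="
$dropped | Where-Object { Test-Path -LiteralPath $_ }

# Encrypted files: anything under the user profile with the .XINOF extension.
Write-Host "== Encrypted files under $env:USERPROFILE (first 20) =="
Get-ChildItem -Path $env:USERPROFILE -Recurse -Force -Filter '*.XINOF' -ErrorAction SilentlyContinue |
    Select-Object -First 20 -ExpandProperty FullName

# Step 8: Run / RunOnce values in HKLM and HKCU whose name or data mentions Fonix or XINOF.
# (-match is case-insensitive in PowerShell.)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
Write-Host "== Autorun values mentioning Fonix or XINOF =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a real value
        if ("$($p.Name) $($p.Value)" -match 'fonix|xinof') {
            '{0} : {1} = {2}' -f $key, $p.Name, $p.Value
        }
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM keys and all profile folders are readable; review each line it prints before deleting anything by hand.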

Step 9: Restart Your PC

Press the Windows key and “R” together, enter “MSConfig,” go to the “Boot” tab in the pop-up, and untick “Safe boot.” Now restart your PC.

If you can, download and run a reputable anti-malware software to double-check that all malware is removed from your PC.

How to Encrypt Ransomware

Don’t think you’re safe from ransomware attacks because you’ve already encrypted your files. If your files are encrypted, it provides an additional layer of security by preventing cyber criminals from obtaining pertinent information. But it doesn’t stop them from blocking your access to these documents.

Can You Delete Ransomware Encrypted Files?

In short, you can delete ransomware-encrypted files, but that doesn’t mean you’ve rid your device of the ransomware.

Ransomware often abuses the system’s own software to embed itself on your device and spread even after you think you’ve removed it. It does that by persisting in your operating system, running at startup, and abusing your web browser.

Therefore, before deleting the files, be sure you’ve removed the ransomware.

Is There Any Way to Decrypt Ransomware?

Yes. You can decrypt most ransomware without spending money on a ransom. But, it’s important that you research the type of ransomware that’s infected your device.

Then, you can decide whether to manually decrypt the ransomware or use anti-malware.

How Do You Remove Encryption?

Technically, there are only two ways to remove encryption:

  • Using a decryption key 
  • Exploiting cracks in the program 

When an anti-malware or antivirus product removes encryption, it is doing one of these two things.

In the case of XINOF ransomware, the program’s admin released a master decryption key that decrypts every file encrypted by XINOF. However, where a program’s developers haven’t released a decryption key, the ransomware, like any other program, often has “bugs” or exploitable flaws that — if you have the skill and knowledge — can be used to build a decryption tool. Alternatively, you can use a free ransomware decryption tool for the ransomware you have.

Can Ransomware Be Removed by Resetting?

To a degree, yes. Ransomware can be removed by resetting your device — to its factory settings — if the ransomware attack is limited to files. However, if the ransomware has affected your operating system, you can attempt a factory reset, which doesn’t guarantee the ransomware will be removed.

Furthermore, if it has affected your operating system, you must recover your files from the cloud rather than a USB connection. The latter can be compromised and infected by ransomware.

Can You Decrypt a Ransomware Attack?

Yes, you can decrypt a ransomware attack. The best method is to use a reputable anti-malware or antivirus program to identify and clear your device. However, if you know what type of ransomware has infected your device — and you don’t mind the possibility of losing your files — you can remove it manually. In that case, you will follow a long list of steps that includes identifying the ransomware, checking your system’s hosts file, booting your PC in safe mode, and cleaning your system’s registry, among other things.

Is it Possible to Unlock Ransomware?

Yes. In 2021, one admin account for the XINOF ransomware announced the cybercriminals were ending the operation and released the master decryption key. Now, using a free ransomware decryption tool, you can remove the encryption from affected files and restore them to normal.

Can I Decrypt Online ID Ransomware?

You cannot decrypt your files using an online ID ransomware tool. Instead, an online ID ransomware tool’s sole purpose is to help you identify the ransomware that has infected your device.

Part of the identification process is uploading a ransom note, a file that has been encrypted by the ransomware, and the email address of the cyber attackers. Once you upload this information, the online ID will scan the 1078 ransomware programs on its database.

If it doesn’t detect any matches, that doesn’t mean it’s not ransomware that’s infected your device; rather, it means they haven’t cataloged the ransomware that’s affected your device.

But, you may be wondering why online ID ransomware is necessary if it doesn’t decrypt your files. Well, the purpose is to help you isolate the ransomware attack you’re experiencing so you can remove it from your device.

Is Lorenz Ransom a Free Ransomware Decryption Tool?

No. Lorenz Ransom is a type of ransomware much like XINOF. However, Lorenz primarily targets enterprises, exfiltrating unencrypted files and selling or distributing them to other threat actors on the internet. Before Lorenz sells a company’s data, it publishes some of the company’s information to pressure the organization into paying the ransom so that its files are returned and not sold online.

If the company doesn’t pay the ransom on time, Lorenz publishes RAR archives, which hackers could attempt to decrypt. When final ransom demands aren’t met, the Lorenz team publishes the password for the leaked data so anyone can find and access the data stolen.

Despite it being ransomware, Lorenz Ransom doesn’t leave documents on your device. Instead, as a human-operated ransomware attack, its operators remove unencrypted files from your servers and transfer them to their servers.

Getting rid of Lorenz Ransom isn’t as clear-cut as XINOF because of the threat that sensitive data may be sold to other threat actors or — even more sinister — that access to the infiltrated network may be sold.

Furthermore, Lorenz Ransom is more sophisticated than XINOF because its developers customize each attack for its target company or organization.

To avoid ransomware’s devastating effects, your best choice is to be safe rather than sorry. Encrypt your files and save them to the cloud. Use several secure cloud services to back up your backups. That way, you can’t be held hostage if your files are encrypted using ransomware.
