Underestimating the FONIX – Ransomware as a Service could be an error

Pierluigi Paganini October 11, 2020

FONIX is a new Ransomware as a Service available in the threat landscape that was analyzed by SentinelLabs researchers.

FONIX is a relatively new Ransomware as a Service (RaaS) analyzed by researchers from Sentinel Labs, its operators were previously specialized in the developers of binary crypters/packers.

The actors behind FONIX RaaS advertised several products on various cybercrime forums.

FONIX first appeared in the threat landscape in July 2020, fortunately, the number of infections associated with this threat is still small.

Experts pointed out that the ransomware authors don’t require the payment of a fee to become an affiliate of the service, the operators only keep a percentage of any ransoms from their affiliate network.

Experts believe that However the FONIX RaaS can quickly become rampant if security firms and authorities underestimate it.

“Notably, FONIX varies somewhat from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle.” reads the analysis published by Sentinel Labs.

Fonix RaaS

The communications with the RaaS operators are carried out via email. Any affiliate has to provide the operators files from a victim system to obtain the decryptor and key for the victim, in turn the operators keep for them 25% of the ransom.

“Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.” continues the analysis.

“Presumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). The victim then pays the affiliate, with the affiliate in turn supplying the FONIX authors with their 25% cut.”

Obviously, the above process is a bit convoluted and far less user-friendly than most RaaS services.

The FONIX ransomware only targets Windows systems, by default it encrypts all file types, excluding critical Windows OS files.

The ransomware uses a combination of AES, Chacha, RSA, and Salsa20 to encrypt a victim’s files, it adds a .XINOF extension. Experts pointed out that the use of multiple encryption protocols makes the encryption process significantly slower than that of other ransomware.

Upon executing the payload with administrative privileges, the following system changes are made:

  • Task Manager is disabled
  • Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
  • System file permissions are modified
  • Persistent copies of the payload have their attributed set to hidden
  • A hidden service is created for persistence (Windows 10)
  • Drive / Volume labels are changed (to “XINOF”)
  • Volume Shadow Copies are deleted (vssadmin, wmic)
  • System recovery options are manipulated/disabled (bcdedit)
  • Safeboot options are manipulated

“a FONIX infection is notably aggressive – encrypting everything other than system files – and can be difficult to recover from once a device has been fully encrypted. Currently, FONIX does not appear to be threatening victims with additional consequences (such as public data exposure or DDoS attacks) for non-compliance.” concludes the report.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, FONIX RaaS)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment