Fonix Ransomware as a Service Threat Intel Advisory
November 12, 2020
Fonix is a RaaS (Ransomware-as-a-Service) platform that first appeared in July 2020. In October 2020, Fonix ransomware, dubbed FonixCrypter, spread rapidly, focusing on binary crypters and packers prior to the release of the RaaS model.
Fonix is distributed via malvertising campaigns, fake software updates or spam emails. It comes in both variants i.e. 64-bit and 32-bit to target Windows systems. This ransomware is a low-key threat and employs four types of encryption algorithms, such as Salsa20, Chacha, RSA, and AES. The operators of this ransomware withhold 25% of the ransom amount from its affiliate network without charging a joining fee. However, this doesn’t assure instant access to the decryptor utility or keys, instead, the victim has to contact the actors when the RaaS operators return the decrypted files to the victims, making the process much slower.
Key features of the RaaS, after the execution of the payload:
It disables Task Manager
Persistence is achieved via the scheduled task, startup folder inclusion, and the registry (Run AND RunOnce)
It modifies system file permissions
It sets the attribution of the persistent copies of the payload to hidden
A hidden service is created for persistence (Windows 10)
It changes the drive/ volume labels to “XINOF”
It deletes Volume Shadow Copies (vssadmin, wmic)
It manipulates/ disables system recovery options (bcdedit)
It manipulates safeboot options
Financial loss to the organization as the operations might be shut down
Loss of Brand reputation
Compromise of PII information leading to social engineering attacks
Creates a backdoor which helps to keep the access of the user’s device. Through which attacker might modify files or launch the malicious software.