Fonix Ransomware as a Service Threat Intel Advisory

Published on November 11th, 2020 | 18:30 IST


Fonix is a Ransomware-as-a-Service (RaaS) platform that first appeared in July 2020. In October 2020 the Fonix ransomware, dubbed FonixCrypter, spread rapidly; before the RaaS model was released, the operators had focused on binary crypters and packers.

Fonix is distributed via malvertising campaigns, fake software updates and spam emails. It ships in both 32-bit and 64-bit builds that target Windows systems. The ransomware is a low-key threat that uses four encryption algorithms: Salsa20, ChaCha, RSA and AES. The operators keep 25% of each ransom collected through the affiliate network and charge no joining fee. Affiliates, however, are not given direct access to the decryptor utility or keys: the victim has to contact the actors, and the RaaS operators themselves return the decrypted files to the victim, which makes the process much slower.

[Figure: FonixCrypter ransomware]

Key features of the RaaS, observed after execution of the payload:

  1. It disables Task Manager
  2. Persistence is achieved via a scheduled task, a copy in the startup folder, and the registry (both Run and RunOnce keys)
  3. It modifies system file permissions
  4. It sets the hidden attribute on the persistent copies of the payload
  5. A hidden service is created for persistence (Windows 10)
  6. It changes the drive/volume labels to “XINOF”
  7. It deletes Volume Shadow Copies (vssadmin, wmic)
  8. It manipulates/disables system recovery options (bcdedit)
  9. It manipulates safeboot options

Impact

Business Impact
  1. Financial loss to the organization, as operations might be shut down
  2. Loss of brand reputation
  3. Compromise of PII, leading to social engineering attacks
Technical Impact
  1. Creates a backdoor that lets the attacker retain access to the user’s device, through which the attacker might modify files or launch further malicious software.

Indicators of Compromise

SHA1
  1. a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e
  2. 1f551246c5ed70e12371891f0fc6c2149d5fac6b
  3. 63cae6a594535e8821c160da4b9a58fc71e46eb2
SHA256
  1. e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a
  2. 5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899
  3. 658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4
File Extension
  1. .XINOF
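The hashes and the .XINOF extension above, together with the behaviours in the key-features list (shadow copy deletion through vssadmin and wmic, recovery and safeboot tampering through bcdedit, volume labels changed to XINOF), can be turned into a small triage script. The following is an added example written for this advisory, not code from the advisory or from the ransomware's authors. The hash sets and the extension are taken from the IoC list; the command-line regexes are an assumption about how the listed behaviours would surface in process-creation telemetry (the advisory names the tools, not the exact arguments); the log lines and file paths are constructed for the demonstration.

```python
"""Triage helpers for the Fonix / XINOF indicators listed in this advisory.

Added example; not code from the advisory or from the ransomware authors.
Hashes and the .XINOF extension are the advisory's IoCs. The command-line
patterns are an ASSUMPTION about how the advisory's listed behaviours appear
in process-creation logs. Log lines and paths below are constructed.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import PureWindowsPath

# IoC hashes from the advisory, lower-case hex.
FONIX_SHA1 = {
    "a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e",
    "1f551246c5ed70e12371891f0fc6c2149d5fac6b",
    "63cae6a594535e8821c160da4b9a58fc71e46eb2",
}
FONIX_SHA256 = {
    "e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a",
    "5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899",
    "658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4",
}
FONIX_EXTENSION = ".xinof"  # compared case-insensitively

# Behavioural rules: (rule name, regex over a process command line).
# Assumed argument forms; the advisory only names the tools involved.
BEHAVIOUR_RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|"
                r"bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("safeboot_tampering_bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("volume_relabelled_xinof",
     re.compile(r"\blabel(\.exe)?\b.*\bXINOF\b", re.I)),
]


def match_behaviours(cmdline: str) -> list[str]:
    """Names of every behavioural rule that fires on one command line."""
    return [name for name, rx in BEHAVIOUR_RULES if rx.search(cmdline)]


def scan_process_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, matched rule names) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rules = match_behaviours(line)
        if rules:
            hits.append((lineno, rules))
    return hits


def lookup_hash(hexdigest: str) -> str | None:
    """'sha1' or 'sha256' if the digest is a known Fonix IoC, else None."""
    h = hexdigest.strip().lower()
    if h in FONIX_SHA1:
        return "sha1"
    if h in FONIX_SHA256:
        return "sha256"
    return None


def hash_matches(data: bytes) -> list[str]:
    """Hash a file's bytes with both algorithms and report IoC hits."""
    found = []
    for algo, known in (("sha1", FONIX_SHA1), ("sha256", FONIX_SHA256)):
        if hashlib.new(algo, data).hexdigest() in known:
            found.append(algo)
    return found


def has_fonix_extension(path: str) -> bool:
    """True when a Windows path carries the .XINOF encrypted-file marker."""
    return PureWindowsPath(path).suffix.lower() == FONIX_EXTENSION


def scan_file_list(paths: list[str]) -> list[str]:
    """Paths from an inventory that carry the .XINOF extension."""
    return [p for p in paths if has_fonix_extension(p)]


# Constructed process-creation log (not real telemetry), one event per line.
SAMPLE_PROCESS_LOG = [
    "2020-11-10T09:12:01Z host=WS01 user=alice image=C:\\Windows\\System32\\notepad.exe cmd=notepad.exe report.txt",
    "2020-11-10T09:12:07Z host=WS01 user=alice image=C:\\Windows\\System32\\vssadmin.exe cmd=vssadmin.exe delete shadows /all /quiet",
    "2020-11-10T09:12:08Z host=WS01 user=alice image=C:\\Windows\\System32\\wbem\\WMIC.exe cmd=wmic shadowcopy delete",
    "2020-11-10T09:12:09Z host=WS01 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} recoveryenabled no",
    "2020-11-10T09:12:10Z host=WS01 user=alice image=C:\\Windows\\System32\\bcdedit.exe cmd=bcdedit /set {default} bootstatuspolicy ignoreallfailures",
    "2020-11-10T09:12:11Z host=WS01 user=alice image=C:\\Windows\\System32\\label.exe cmd=label C: XINOF",
]

# Constructed file inventory (not from a real host).
SAMPLE_FILE_LIST = [
    "C:\\Users\\alice\\Documents\\q3-forecast.xlsx.XINOF",
    "C:\\Users\\alice\\Documents\\notes.txt",
    "C:\\Users\\alice\\Pictures\\team.jpg.xinof",
]

if __name__ == "__main__":
    for lineno, rules in scan_process_log(SAMPLE_PROCESS_LOG):
        print(f"log line {lineno}: {', '.join(rules)}")
    print("encrypted files:", scan_file_list(SAMPLE_FILE_LIST))
```

Run the script as-is to see it flag the five constructed events and the two .XINOF files; in practice `scan_process_log` would be fed exported command-line events from your EDR or Sysmon (Event ID 1), `hash_matches` the bytes of any quarantined sample, and `scan_file_list` a directory listing from a suspected host. The behavioural rules matter more than the hashes: a new build of the payload changes every hash in the IoC list, but it still has to delete shadow copies and tamper with recovery settings to have its intended effect.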

Mitigation

  1. Use updated antivirus software that detects and stops malware infections.
  2. Apply critical patches to the operating system and applications.
  3. Use strong passwords.
  4. Review the privileges and permissions allotted to each user.
  5. Make it easy for users to report suspicious behaviour.
  6. Back up data regularly.
