Fonix Ransomware as a Service Threat Intel Advisory

Summary

CloudSEK Threat Intelligence Advisory on Fonix Ransomware as a Service, distributed via malvertising campaigns, fake software updates and spam emails.
Fonix is a RaaS (Ransomware-as-a-Service) platform that first appeared in July 2020. In October 2020 the Fonix ransomware, dubbed FonixCrypter, spread rapidly; before the RaaS model was released, the group had focused on binary crypters and packers. Fonix is distributed via malvertising campaigns, fake software updates or spam emails. It comes in both 64-bit and 32-bit variants to target Windows systems. This ransomware is a low-key threat and employs four encryption algorithms: Salsa20, ChaCha, RSA and AES. The operators withhold 25% of the ransom amount from their affiliate network and charge no joining fee. However, this does not give affiliates instant access to the decryptor utility or keys; instead, the victim has to contact the actors, and the RaaS operators return the decrypted files to the victim, which makes the process much slower.
FonixCrypter - Ransomware
  Key features of the RaaS, after the execution of the payload:
  1. It disables Task Manager
  2. Persistence is achieved via a scheduled task, startup folder inclusion, and the registry (Run and RunOnce keys)
  3. It modifies system file permissions
  4. It sets the attribute of the persistent copies of the payload to hidden
  5. A hidden service is created for persistence (Windows 10)
  6. It changes the drive/volume labels to “XINOF”
  7. It deletes Volume Shadow Copies (vssadmin, wmic)
  8. It manipulates/disables system recovery options (bcdedit)
  9. It manipulates safeboot options
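The behaviours listed above can be turned into host-level detection logic. The following is an added example, not part of the advisory: it runs simple command-line patterns over constructed process-creation log lines of the form `timestamp|host|user|command line` and flags hosts that show two or more distinct behaviours. The patterns, field layout and sample lines are assumptions made for illustration.

```python
import re

# Command-line patterns for the behaviours the advisory lists
# (shadow copy deletion, recovery/safeboot tampering, Run/RunOnce
# persistence, scheduled tasks, Task Manager disabling, XINOF marker).
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(
        r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "safeboot_manipulation": re.compile(r"bcdedit(\.exe)?.*safeboot", re.I),
    "run_key_persistence": re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run(Once)?\b", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(\.exe)?\s+/create", re.I),
    "task_manager_disabled": re.compile(r"DisableTaskMgr", re.I),
    "xinof_marker": re.compile(r"\bXINOF\b", re.I),  # volume label / file extension / payload name
}


def classify(cmdline):
    """Return the names of every behaviour pattern that matches one command line."""
    return [name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmdline)]


def scan(lines, min_hits=2):
    """Parse 'timestamp|host|user|cmdline' lines and return {host: [behaviours]}
    for hosts that exhibit at least min_hits distinct behaviours."""
    per_host = {}
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:  # skip malformed records rather than crash
            continue
        _ts, host, _user, cmd = parts
        for behaviour in classify(cmd):
            per_host.setdefault(host, set()).add(behaviour)
    return {h: sorted(b) for h, b in per_host.items() if len(b) >= min_hits}


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_LOG = [
    "2020-10-05T10:01:02|WS01|alice|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    "2020-10-05T10:01:03|WS01|alice|bcdedit.exe /set {default} recoveryenabled no",
    "2020-10-05T10:01:04|WS01|alice|reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"
    " /v XINOF /t REG_SZ /d C:\\Users\\alice\\AppData\\Roaming\\XINOF.exe",
    "2020-10-05T10:02:00|WS02|bob|schtasks.exe /query /fo LIST",   # benign admin activity
    "2020-10-05T10:03:00|WS02|bob|bcdedit.exe /enum",               # benign, read-only
]

if __name__ == "__main__":
    for host, behaviours in scan(SAMPLE_LOG).items():
        print(host, "->", ", ".join(behaviours))
```

Requiring several distinct behaviours per host keeps single benign administrative commands (a `bcdedit /enum`, a `schtasks /query`) from raising an alert on their own.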

Impact

Business Impact
  1. Financial loss to the organization, as operations might be shut down
  2. Loss of brand reputation
  3. Compromise of PII, leading to social engineering attacks
Technical Impact
  1. Creates a backdoor that keeps the attacker's access to the user’s device, through which the attacker might modify files or launch further malicious software.

Indicators of Compromise

    File Extension
  1. .XINOF

Mitigation

  1. Use updated antivirus software that detects and stops malware infections.
  2. Apply critical patches to the system and applications.
  3. Use strong passwords.
  4. Check the privileges and permissions allotted to each user.
  5. Make it easy for users to report suspicious behavior.
  6. Back up data regularly.
