June 5, 2023

FONIX is a relatively new Ransomware as a Service (RaaS) developed by crypters. The number of victims associated with this threat actor is small.

The ransomware authors do not require affiliates to pay a fee to join the service; the operators only keep a percentage of any ransoms collected through their affiliate network. It is believed that the operation will become rampant quickly as time passes.

Fonix RaaS

The communications with the RaaS operators are carried out via email.

“Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.” continues the analysis.

“Presumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). The victim then pays the affiliate, with the affiliate in turn supplying the FONIX authors with their 25% cut.”

The ransomware uses a combination of AES, ChaCha, RSA, and Salsa20 to encrypt a victim’s files and appends a .XINOF extension. It targets only the Windows platform and excludes the Windows OS file system from encryption.

Upon executing the payload with administrative privileges, the following system changes are made:

  • Task Manager is disabled
  • Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
  • System file permissions are modified
  • Persistent copies of the payload have their attribute set to hidden
  • A hidden service is created for persistence (Windows 10)
  • Drive / Volume labels are changed (to “XINOF”)
  • Volume Shadow Copies are deleted (vssadmin, wmic)
  • System recovery options are manipulated/disabled (bcdedit)
  • Safeboot options are manipulated
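The system changes listed above are a useful behavioural signature for defenders: none of them is unique on its own, but a single host performing several of them in sequence is the chain a FONIX-style payload produces. The following script is an added example, not code from the original post or from the FONIX analysis it quotes. It runs a small set of regex detections over constructed process-creation log lines (the `host|user|image|commandline` format and every command line in `SAMPLE_LOG` are made up for the example) and flags a host only when several distinct categories fire. Two rules encode assumptions about mechanism that the post does not spell out: the Task Manager rule looks for the `DisableTaskMgr` policy value, and the Safeboot rule matches any `bcdedit ... safeboot` change.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
# Format: host|user|image|commandline
SAMPLE_LOG = """\
WS01|alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
WS01|alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete
WS01|alice|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled No
WS01|alice|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
WS01|alice|C:\\Windows\\System32\\reg.exe|reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v updater /t REG_SZ /d C:\\Users\\alice\\AppData\\Roaming\\svc.exe /f
WS01|alice|C:\\Windows\\System32\\schtasks.exe|schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\alice\\AppData\\Roaming\\svc.exe
WS01|alice|C:\\Windows\\System32\\attrib.exe|attrib +h C:\\Users\\alice\\AppData\\Roaming\\svc.exe
WS01|alice|C:\\Windows\\System32\\label.exe|label C: XINOF
WS02|bob|C:\\Windows\\System32\\notepad.exe|notepad C:\\Users\\bob\\notes.txt
WS02|bob|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

# One regex per behaviour from the post's list. Rules are matched against the
# command line only, case-insensitively.
RULES = {
    # Volume Shadow Copies deleted (vssadmin, wmic)
    "shadow_copy_deletion": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)\b", re.I),
    # System recovery options manipulated/disabled (bcdedit)
    "recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    # Safeboot options manipulated (assumption: any bcdedit safeboot change)
    "safeboot_tamper": re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I),
    # Persistence via registry Run / RunOnce
    "run_key_persistence": re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I),
    # Persistence via scheduled task
    "scheduled_task_persistence": re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
    # Hidden service created for persistence
    "service_persistence": re.compile(r"\bsc(\.exe)?\s+create\b", re.I),
    # Payload copies given the hidden attribute
    "hidden_attribute": re.compile(r"\battrib(\.exe)?\s+.*\+h\b", re.I),
    # Drive / volume label changed to XINOF
    "volume_label_xinof": re.compile(r"\blabel(\.exe)?\s+\S+\s+XINOF\b", re.I),
    # Task Manager disabled (assumption: via the DisableTaskMgr policy value)
    "taskmgr_disabled": re.compile(r"\bDisableTaskMgr\b", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    cmdline: str


def match_rules(cmdline: str) -> list[str]:
    """Return the names of every rule that fires on one command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(log_text: str) -> list[Finding]:
    """Parse host|user|image|commandline lines and emit one Finding per rule hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        host, user, _image, cmdline = line.split("|", 3)
        for rule in match_rules(cmdline):
            findings.append(Finding(host, user, rule, cmdline))
    return findings


def hosts_by_rules(findings: list[Finding]) -> dict[str, set[str]]:
    """Group the distinct rule categories seen per host."""
    out: dict[str, set[str]] = {}
    for f in findings:
        out.setdefault(f.host, set()).add(f.rule)
    return out


def flag_hosts(findings: list[Finding], min_distinct: int = 3) -> list[str]:
    """Flag hosts where several different behaviours fired; a single Run-key
    write or one vssadmin call is too common to alert on by itself."""
    return sorted(h for h, rules in hosts_by_rules(findings).items() if len(rules) >= min_distinct)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f.host:5} {f.rule:28} {f.cmdline}")
    print("flagged:", flag_hosts(found))
```

The threshold of three distinct categories is a tuning choice: shadow-copy deletion plus recovery tampering plus any persistence mechanism on one host in a short window is the combination worth paging on, while each event alone belongs in a lower-priority hunt query.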

It is quite an aggressive yet low-key affair. Ransomware remains a deadly threat that needs to be countered with business continuity planning (BCP) measures and decent security hygiene.
