Rewterz Threat Alert – The FONIX Ransomware-as-a-Service

Severity

Medium

Analysis Summary

FONIX Raas (Ransomware as a Service) is a new ransomware family that employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle. The actors behind FONIX appeared to be primarily focused on binary crypters/packers prior to the release of the RaaS. Their ‘products’ were advertised on various cybercrime forums. Engagement for this RaaS is handled purely via email, and directly with the author/advertiser. There is no web-based portal to register or manage infections or campaigns. The authors did appear to initially offer a FONIX-specific email service; however, at the time of writing, that service appears to be unavailable. The FONIX samples we have observed come in 64 and 32-bit varieties, and are available for Windows only. By default, FONIX will encrypt all file types, excluding critical Windows OS files. Encrypted files are all marked with the .XINOF extension (FONIX backwards). Depending on the context of the executed payload, numerous other malicious changes are made to the system. In all cases, once encryption is complete, the Desktop background is changed to the FONIX logo, and the .HTA-formatted ransomware note is displayed across the entire screen. The FONIX infection is a long process in which the affiliates have to send sample files to authors for decryption. Once sample decrypted files are sent to victims for satisfaction, and they have paid a ransom amount, the authors charge a 25% of the profit from affiliates, before providing full decryption keys. 

As noted, instructions to contact the attacker are provided in the ransom note (How To Decrypt Files.hta). Several additional files are deposited on encrypted hosts. For example, the following can be found in %programdata% post-encryption: 
Cpriv.key 
Hello Michaele Gllips 
Help.txt 
How To Decrypt Files.hta 
SystemID

When executed with administrator privileges, the following additional system changes occur:

• Task Manager is disabled
• Persistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)
• System file permissions are modified
• Persistent copies of the payload have their attributed set to hidden
• A hidden service is created for persistence (Windows 10)
• Drive / Volume labels are changed (to “XINOF”)
• Volume Shadow Copies are deleted (vssadmin, wmic)
• System recovery options are manipulated/disabled (bcdedit)
• Safeboot options are manipulated.

Impact

• Files Encryption
• Loss of Data

Indicators of Compromise

MD5

• 5c87f80824d6e3483a4b2a5c71463e69
• 71b664b09dd6463b23899855eb62681e
• 117a02e1513777085a5aafb07cbdb93b

SHA-256

• 5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899
• e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a
• 658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4

SHA1

• 1f551246c5ed70e12371891f0fc6c2149d5fac6b
• a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e
• 63cae6a594535e8821c160da4b9a58fc71e46eb2

Remediation

• Block the threat indicators at their respective controls.
• Do not download any untrusted files from unexpected emails or from any random sources on the internet