FONIX RaaS (Ransomware as a Service) is a new ransomware family that employs four methods of encryption for each file and has an overly complex post-infection engagement cycle. The actors behind FONIX appeared to be primarily focused on binary crypters/packers prior to the release of the RaaS, and their ‘products’ were advertised on various cybercrime forums. Engagement for this RaaS is handled purely via email, directly with the author/advertiser; there is no web-based portal to register or manage infections or campaigns. The authors did initially appear to offer a FONIX-specific email service, but at the time of writing that service appears to be unavailable.

The FONIX samples we have observed come in 64-bit and 32-bit varieties and target Windows only. By default, FONIX encrypts all file types, excluding critical Windows OS files. Encrypted files are marked with the .XINOF extension (FONIX backwards). Depending on the context in which the payload is executed, numerous other malicious changes are made to the system. In all cases, once encryption is complete, the desktop background is changed to the FONIX logo and the .HTA-formatted ransom note is displayed across the entire screen.

Infection is a long process in which affiliates have to send sample encrypted files to the authors for decryption. Once the decrypted samples have been passed to the victim as proof and the victim has paid the ransom, the authors take a 25% cut of the profit from the affiliate before providing the full decryption keys.
As noted, instructions to contact the attacker are provided in the ransom note (How To Decrypt Files.hta). Several additional files are deposited on encrypted hosts. For example, the following can be found in %programdata% post-encryption:
Hello Michaele Gllips
How To Decrypt Files.hta
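The indicators above (the .XINOF extension on encrypted files, the How To Decrypt Files.hta note, and the two artifacts in %programdata%) are enough for a quick host triage. The script below is an added example written for this page, not FONIX code or a tool from the original write-up: it walks a directory tree read-only and reports those artifacts. The directory layout it builds under a temporary folder (user names, file names, placeholder contents) is constructed for the demonstration; on a real host you would point scan_for_fonix at the system drive and at %programdata%.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the write-up. The matching logic is an added example,
# not code from FONIX or from the original analysis.
ENCRYPTED_EXT = ".xinof"                  # .XINOF, compared case-insensitively
NOTE_NAME = "How To Decrypt Files.hta"    # ransom note dropped beside encrypted files
PROGRAMDATA_ARTIFACTS = {
    "How To Decrypt Files.hta",
    "Hello Michaele Gllips",
}


def scan_for_fonix(root, programdata=None):
    """Walk `root` read-only and report FONIX-style artifacts.

    Returns the .XINOF-suffixed files, the directories holding the HTA note,
    the known %programdata% artifacts present (when `programdata` is given),
    and a verdict that requires encrypted files plus at least one note/artifact.
    """
    encrypted, note_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(Path(root)):
        for name in filenames:
            # Case-insensitive suffix match so a hunt does not miss .xinof variants.
            if name.lower().endswith(ENCRYPTED_EXT):
                encrypted.append(str(Path(dirpath) / name))
            elif name == NOTE_NAME:
                note_dirs.append(dirpath)

    programdata_hits = set()
    if programdata is not None and Path(programdata).is_dir():
        present = {p.name for p in Path(programdata).iterdir()}
        programdata_hits = PROGRAMDATA_ARTIFACTS & present

    return {
        "encrypted_files": sorted(encrypted),
        "note_dirs": sorted(note_dirs),
        "programdata_artifacts": sorted(programdata_hits),
        "likely_infected": bool(encrypted) and bool(note_dirs or programdata_hits),
    }


def build_sample_tree(base):
    """Create a constructed, benign layout mimicking a post-encryption host."""
    base = Path(base)
    docs = base / "Users" / "alice" / "Documents"   # constructed path
    docs.mkdir(parents=True, exist_ok=True)
    (docs / "report.docx.XINOF").write_bytes(b"\x00" * 16)  # placeholder bytes, not real ciphertext
    (docs / "photo.jpg.xinof").write_bytes(b"\x00" * 16)
    (docs / NOTE_NAME).write_text("<html></html>")         # placeholder note body
    (docs / "untouched.txt").write_text("clean")
    pd = base / "ProgramData"
    pd.mkdir(exist_ok=True)
    (pd / NOTE_NAME).write_text("<html></html>")
    (pd / "Hello Michaele Gllips").write_text("")
    return base, pd


def run_demo():
    """Scan the constructed tree and a clean tree; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        root, pd = build_sample_tree(tmp)
        infected = scan_for_fonix(root, pd)
    with tempfile.TemporaryDirectory() as tmp:
        clean = scan_for_fonix(tmp, Path(tmp) / "ProgramData")
    return infected, clean


if __name__ == "__main__":
    infected, clean = run_demo()
    print(infected)
    print(clean)
```

The verdict deliberately needs both encrypted files and a note or %programdata% artifact, so a stray .xinof file name alone does not trip it; on a live host, treat any hit as a trigger for isolation and memory/disk capture rather than for cleanup, since the note and dropped files are what the decryption workflow above depends on.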
When executed with administrator privileges, the following additional system changes occur: