Fonix ransomware is a new RaaS which has been observed actively spreading. Read on to know more about it…
Fonix is a new RaaS (Ransomware-as-a-Service) being offered on several underground cybercriminal forums. Recently, the ransomware has been observed actively spreading and targeting users of Windows-based systems.
First observed in July 2020, FONIX is a RaaS tool created by an unnamed threat actor. Despite being advertised on a number of popular dark web sites for several months, it has only begun to appear in significant numbers since the beginning of October.
The ransomware can spread by general infection vectors such as malvertising campaigns, torrent trackers, fake software updates or downloads, and spam emails. It comes in 64-bit and 32-bit variants to target Windows systems.
As for the delivery mechanism, FONIX, like most RaaS tools, can be delivered in whatever manner its affiliates choose. In the initial phase, it has only been observed being distributed in small-scale spam campaigns.
Once delivered, FONIX will attempt to encrypt all non-system files using a combination of AES, Salsa20, ChaCha, and RSA algorithms. As a result, this unusual implementation appears to function far slower than equivalent RaaS tools. Encrypted files are appended with the XONIF extension, and a ransom note is then displayed as the desktop background.
After being executed with administrative privileges, the malicious payload makes multiple changes to the system, for example disabling Task Manager and creating a hidden service, among other operations. Instead of charging a joining fee, the author of this ransomware keeps 25% of any ransom amount paid through its affiliate network.
The affiliates do not get direct access to a decryptor utility or keys; instead, they must provide files from a victim system. The RaaS operators then decrypt the files and send them back to the victims.
If a device on your network becomes infected with ransomware, it will begin encrypting files, which may also include remote files on network locations.
The only guaranteed way to recover from a ransomware infection is to restore all affected files from their most recent backup. To limit the impact of a ransomware infection:
* Critical data should be frequently saved in multiple backup locations.
* At least one backup should be kept offline at any time (separated from live systems).
* Backups and incident recovery plans should be tested to ensure that data can be restored when needed.
* User account permissions for modifying data should be regularly reviewed and restricted to the minimum necessary.
* Threat indicators should be blocked at their respective controls.
* Remote administration services should use strongly encrypted protocols and only accept connections from authorised users or locations.
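As an added example (not part of the original write-up or any FONIX tooling), the script below triages a file tree after an incident by locating files carrying the XONIF extension described above, summarising the affected directories, and recovering the pre-encryption names so the matching copies can be pulled from backup. The directory layout it creates is constructed sample data, not real malware output.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the write-up reports FONIX appending to encrypted files (matched case-insensitively).
XONIF_SUFFIX = ".xonif"


def find_encrypted_files(root):
    """Walk `root` and return the absolute paths of files carrying the XONIF extension."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(XONIF_SUFFIX):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def original_name(path):
    """Strip the appended extension to recover the pre-encryption name used to look up a backup copy."""
    return path[:-len(XONIF_SUFFIX)] if path.lower().endswith(XONIF_SUFFIX) else path


def triage(root):
    """Summarise which files and directories are affected, with the names to request from backup."""
    root = Path(root)

    def rel(p):  # report paths relative to the scanned root, with forward slashes on every OS
        return Path(p).relative_to(root).as_posix()

    hits = find_encrypted_files(root)
    return {
        "encrypted": [rel(h) for h in hits],
        "per_dir": dict(Counter(rel(os.path.dirname(h)) for h in hits)),
        "restore_names": [rel(original_name(h)) for h in hits],
    }


def build_sample_tree():
    """Constructed test data, not real malware output: a temp tree mixing renamed and untouched files."""
    root = tempfile.mkdtemp(prefix="fonix_triage_")
    for rel_path in ("docs/report.docx.XONIF", "docs/budget.xlsx.XONIF", "docs/readme.txt",
                     "share/photo.jpg.XONIF", "Windows/System32/kernel32.dll"):
        p = Path(root, rel_path)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"sample")
    return root


if __name__ == "__main__":
    summary = triage(build_sample_tree())
    for d, n in summary["per_dir"].items():
        print(f"{d}: {n} encrypted file(s)")
    print("restore from backup:", ", ".join(summary["restore_names"]))
```

Point `triage()` at a mounted image or a mapped share rather than a live infected host, so the scan itself does not touch files the malware is still writing.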
Ransomware is now one of the most prominent cyber threats, and the situation has worsened since the coronavirus pandemic. Experts suggest taking regular backups of important data, along with patching and updating systems regularly. Finally, refrain from downloading anything from untrustworthy sources.