FONIX Ransomware: New Bad Boy in Town Looking for Partners

Fonix is a new RaaS (Ransomware-as-a-Service) being offered on several underground cybercriminal forums. Recently, the ransomware has been observed actively spreading and targeting users of Windows-based systems.

Modus operandi

The ransomware can spread by general infection vectors such as malvertising campaigns, torrent trackers, fake software updates or downloads, and spam emails. It comes in 64-bit and 32-bit variants to target Windows systems.
  • The ransomware is a low-key threat that uses four encryption algorithms: Salsa20, ChaCha, RSA, and AES.
  • After being executed with administrative privileges, the malicious payload makes multiple changes to the system. For example, it disables the Task Manager, creates a hidden service, and performs a few other operations.
  • The author of this ransomware keeps 25% of any ransom amount collected by its affiliate network instead of charging a joining fee.
  • The affiliates do not get direct access to the decryptor utility or keys; instead, they must provide files taken from a victim's system.
  • Consequently, the RaaS operators decrypt the files and then send them back to the victims.

Recent association

In addition to Fonix, other ransomware programs are actively spreading and targeting various organizations around the world.
  • Recently, Egregor, a newly discovered ransomware family, has been found targeting corporations located in France, Germany, Italy, Japan, Mexico, Saudi Arabia, and the U.S.
  • Last month, Mount Locker ransomware was found to be stealing victims' files before encrypting them. Furthermore, the ransomware demanded multi-million-dollar ransoms.
  • In July, a new RaaS, called Thanos, was found being advertised on an underground market.

Conclusion

Ransomware is now one of the most prominent cyber threats, and the situation has worsened since the coronavirus pandemic began. Experts suggest taking regular backups of important data, along with patching and updating systems regularly. Finally, refrain from downloading anything from untrustworthy sources.