NW-CERT: A closer look at the FONIX Ransomware

On July 10, 2020 the user “FoNixCrYptEr” posted an advertisement on dark web cybercrime forums for a new Ransomware-as-a-Service (RaaS) called Fonix (Phoenix). In this blogpost Incident Responder Frank de Korte takes a closer look at the actors behind the malware and the evolution of the service.

Ransomware-as-a-Service supply chain

First off, let’s take a look at the supply chain for Ransomware-as-a-Service as it has been developing over the past couple of years.

Typically, there are several groups of actors involved in the attack on an organization. It all starts with a team attempting to gain access to a system. These actors will attempt to sell their access, e.g. Remote Desktop access or VPN credentials, to an initial access broker. This broker will attempt to convert their access to a more meaningful hold on the victim, for instance installing Cobalt Strike with high-level access. They then sell their high-level access to the Ransomware Affiliates. They are the people who ‘franchise’ the ransomware, infecting systems and collecting the ransom from their victims, often in combination with data exfiltration for extortion purposes. They will be in close contact with the operators and developers of the ransomware, who get a share of the proceeds once a victim has paid the ransom.

The ransomware operators often provide the infrastructure for dealing with the victims, as well as handling the payment of the ransom and publishing data leaks. The streamlining of the different roles within an attack and the technical support from the developers of the malware makes it a lucrative business for the affiliates as well as everyone involved in the supply chain. According to Emsisoft[1], ransom payments in 2019 were costing companies a lot of money: “With the average ransom demand around $84,000 and roughly a third of firms paying up, Emsisoft estimated minimum global costs at $6.3bn and a higher figure at $25bn.”

Looking at the past analysis of ransomware from Coveware[2], who publish a quarterly report on the ransomware ‘market’, 2020 could be a record year for ransomware as average ransom payout soar to $233,000 on average.

The actors behind Fonix RaaS are no doubt looking to get their hands on a slice of that big pie.

Fonix Ransomware-as-a-Service

Actors behind the Ransomware claim Fonix to be a unique development, written in C++ and designed from scratch. However, looking at the source code of the executable performing the encryption, distinct signatures relate it to the Aphrodite ransomware, a split from the LockerGoGa malware that evolved into Lockbit[3]. It is not uncommon for developers of ransomware to split off from their former projects and create a new strain of malware.

Their logo is that of a phoenix and, for some reason, the name of the ransomware in reverse (Xinof). The actors themselves call it FonixCrypter (XINOF R2) ransomware.

Looking at the initial advertisement from the attackers, some key features stand out that are not seen in other families of ransomware.

The ransomware does not use a single algorithm to encrypt files. It uses 3 symmetric (Salsa20, AES and ChaCha) and 1 asymmetric encryption (RSA) algorithms simultaneously. This makes it very slow however, and it is unclear why they decided to do this.

The initial version offered a private mail server to the affiliates at fonix[.]email to communicate with their victims. This no longer seems to be operational. Instead, protonmail accounts are provided by the operators when an affiliate joins the operations.

Most RaaS operators demand a down payment from their affiliates to even begin spreading the malware. Fonix does not do this. Anyone can send them an email to their account and receive a copy of the cryptor. Once a victim has been encrypted the affiliates need to pay the Fonix operators their share (somewhere between 10 and 25 percent) to receive the decryption key.

Furthermore, the encryption deletes and alters some functions from the Windows environment as mentioned in their advertisement:

*deleting the “hibernate” , “shutdown” and “sleep” icons from the start menu
*deleting the “log off” icon from the start menu
*deleting and disabling the “contex menu” in the start menu
*disabling the file search ability
*disabling the programs or setting search
*renaming all drives to “XINOF”
*deleting the “more programs” icon from the start menu
*deleting the “program access and defaults” icon from the start menu
*deleting “my documents” from the explorer and start menu
*deleting “my pictures” icon from the explorer and start menu
*deleting the “network connection” icon from start menu and the right side of the taskbar
*deleting the pinned programs in the taskbar
*deleting the “pinned list” from the start menu
*diabling “RUN”
*deleting the icons related to the user from the start menu
*deleting the “action center” icon from the taskbar
*any external system including : flashes , external hards , tapes e.x wont be allowed to connect
*deleting the “chang password” “log off” and “lock” from Ctrl+Alt+Del menu
*disabling the task manager
*deleting the “recyclebin” icon from desktop
*disabling the “Recovery system state” option
*disabling and compeletly deleting the “windows backup” option
*disabling the “system backup” option
*disabling the permission to back up in “disk network” , “optical storages” “client” and “server backup”
*disabling the “auto loger” option and deleting all the system logs ( in order to keep your privecy )

Lastly, the rules for using the ransomware are a bit different than what is demanded from affiliates by other cybercrime groups. Most groups (and their malware) actively prevent the infection of CIS countries and systems, for instance to prevent law enforcement from the countries they live in to crack down on their operations. The actors behind Fonix did not build in a failsafe that shuts down the malware if it detects the wrong type of system language. Their advertisement for affiliates is clear enough though:

*do not infect any persian systems, in case of violation the violator will be fired

Following the trend of ransomware operators to avoid their country of origin, this seems to indicate that they most likely live in Iran or related countries.

The group has of yet not made much of an impact. According to various reports, the malware is cumbersome to use, encryption is slow, and the decryption process is convoluted.  Affiliates are required to spend a lot of time mailing back and forth between their victims and the ransomware operators to get decryption keys for each infected system, as the decryption key is unique per machine. Especially in large corporate environments this can become a hassle very quickly for everyone involved.

These downsides could be a reason for affiliates of RaaS programs to look elsewhere. Looking at the public submissions on Any.run[4], a single instance of the Fonix ransomware can be found, indicating that it is not very prevalent at the time of writing.

The ransomware developers seem to be familiar with ransomware research and development as during the encrytion process a text file gets dropped with a wink at id-ransomware [5] creator Michael Gillespie.

Since July 2020, the actors behind the malware have updated and released several versions of the Ransomware and the infrastructure supporting their operations. As of October 2020, the ransomware is at version 4.4.1. The latest version is where things get interesting.

The next evolution

On 13 October 2020 a screenshot was posted on a cybercrime forum with a note from the group behind Fonix that version 4.4.1 was released. The screenshot showed the existence of a dashboard where the affiliates could log in to see their infected systems and earnings from their campaigns.

Furthermore, a list of infected systems is provided to the users with details from the infected hosts.

What is also interesting to note is that an example screenshot indicates two active infections in Russia and Iran, seemingly breaking their own rules.

The panel is in version 1.0, according to the screenshots. The group is announcing new features in the coming months, indicating active development is to be continued.

This release also included a built-in network scanner as well as ‘improved’ encryption speed.

As of yet, no public submissions of the latest versions are available to verify the claims of the authors.

At the time of writing it is unclear if the ransomware strain will take off in the same way that other strains did in the last couple of months. The trend for RaaS is very much going towards larger corporations (called ‘big game hunting’) with larger ransom demands and payouts. Seeing as the support for such operations is limited under Fonix ransomware, it remains to be seen if affiliates will flock to the new strain like they did with Egregor or Conti.

References

  1. https://www.infosecurity-magazine.com/news/ransomware-costs-may-have-hit-170/
  2. https://www.coveware.com/blog/q3-2020-ransomware-marketplace-report
  3. https://northwave-security.com/wp-content/uploads/2020/05/NW_CERT_Lockbit_whitepaper_1.0.pdf
  4. https://any.run/
  5. https://id-ransomware.malwarehunterteam.com/