Fonix Ransomware as a Service Threat Intel Advisory

CloudSEK Threat Intelligence Advisory on Fonix Ransomware as a Service, distributed via malvertising campaign, software updates, spam emails.
Updated on
April 19, 2023
Published on
November 11, 2020
Subscribe to the latest industry news, threats and resources.
Fonix is a RaaS (Ransomware-as-a-Service) platform that first appeared in July 2020. In October 2020, Fonix ransomware, dubbed FonixCrypter, spread rapidly, focusing on binary crypters and packers prior to the release of the RaaS model. Fonix is distributed via malvertising campaigns, fake software updates or spam emails. It comes in both variants i.e. 64-bit and 32-bit to target Windows systems. This ransomware is a low-key threat and employs four types of encryption algorithms, such as Salsa20, Chacha, RSA, and AES. The operators of this ransomware withhold 25% of the ransom amount from its affiliate network without charging a joining fee. However, this doesn't assure instant access to the decryptor utility or keys, instead, the victim has to contact the actors when the RaaS operators return the decrypted files to the victims, making the process much slower. [caption id="attachment_8567" align="aligncenter" width="760"]FonixCrypter - Ransomware FonixCrypter - Ransomware[/caption]   Key features of the RaaS, after the execution of the payload:
  1. It disables Task Manager
  2. Persistence is achieved via the scheduled task, startup folder inclusion, and the registry (Run AND RunOnce)
  3. It modifies system file permissions
  4. It sets the attribution of the persistent copies of the payload to hidden 
  5. A hidden service is created for persistence (Windows 10)
  6. It changes the drive/ volume labels to “XINOF”
  7. It deletes Volume Shadow Copies (vssadmin, wmic)
  8. It manipulates/ disables system recovery options (bcdedit)
  9. It manipulates safeboot options


Business Impact
  1. Financial loss to the organization as the operations might be shut down
  2. Loss of Brand reputation
  3. Compromise of PII information leading to social engineering attacks
Technical Impact
  1. Creates a backdoor which helps to keep the access of the user’s device. Through which attacker might modify files or launch the malicious software.

Indicators of Compromise

  1. //(a94f92f1e6e4fed57ecb2f4ad55e22809197ba2e)
  2. //(1f551246c5ed70e12371891f0fc6c2149d5fac6b)
  3. //(63cae6a594535e8821c160da4b9a58fc71e46eb2)
  1. //(e5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a)
  2. //(5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899)
  3. //(658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4)
    File Extension
  1. .XINOF


  1. Use updated antivirus software that detects and stops malware infections. 
  2. Apply critical patches to the system and application
  3. Use strong passwords
  4. Check the privileges and permission allotted to the user
  5. Make it easy for users to report suspicious behavior
  6. Back-up data regularly  

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations