FONIX Ransomware as a Service Detection
Another Ransomware as a Service platform is preparing to play a high-stakes game with organizations. Researchers at Sentinel Labs discovered the first attacks using the FONIX platform about three months ago. The RaaS platform is still under active development, but its first customers are already trying out its capabilities. So far, FONIX is quite inconvenient to use and its encryption process is rather slow, but the ransomware is poorly detected by most security solutions, and that last quality may outweigh the main disadvantages. In addition, obtaining a malicious sample and using it during an attack is completely free: the FONIX authors instead take 25% of the ransom payment later.
FONIX ransomware slow but efficient
The slowness of encryption is due to the fact that during an attack it does not target certain file types but encrypts essentially everything except critical system files. Another factor slowing down the attack is the use of a mix of encryption algorithms (Chacha, AES, Salsa20, and AES) during the encryption process. This approach may reflect the authors' inexperience in this area: they sacrifice speed to guarantee that victims cannot decrypt the data on their own. The researchers assume that the adversaries were involved in developing binary crypters.
Email communications and file exfiltration
Unlike most RaaS platforms, FONIX doesn’t have a dashboard to track and manage malicious campaigns. Instead, its authors are working on email services to anonymize communications with victims (possibly also to track affiliate activity). But for now, affiliates are forced to use third-party email services for communications, putting themselves at risk. To test file decryption and obtain a decryptor after receiving a ransom, cybercriminals are forced to turn to ransomware authors, which also carries additional risks.
It is notable that in the detected attacks the affiliates did not steal data in order to use the threat of disclosure as additional leverage for payment. This more likely indicates the inexperience of these particular attackers; seasoned cybercriminals may well exfiltrate sensitive information prior to encrypting the systems.
So far, there have been no high-profile attacks using this ransomware, and to help keep it that way, Osman Demir developed a community threat hunting rule to detect it: https://tdm.socprime.com/tdm/info/YYuWsuf9iDSA/CEPBDHUBR-lx4sDxrTcs/
The rule has translations for the following platforms:
SIEM: ArcSight, QRadar, Splunk, Graylog, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Elastic Endpoint
MITRE ATT&CK:
Tactics: Impact, Persistence
Techniques: Data Encrypted for Impact (T1486), Registry Run Keys / Startup Folder (T1060)
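As an added illustration (not the SOC Prime rule linked above, whose logic is not reproduced here), the following Python sketch shows the two behaviours the rule's ATT&CK mapping points to: a write to a Registry Run key for persistence (T1060) and a burst of file writes across many file types from one process, consistent with ransomware that encrypts everything except system files (T1486). The event field names, thresholds, and sample events are constructed assumptions, not data from the report.

```python
"""Defender-side heuristics for the two FONIX behaviours mapped to ATT&CK on this page.
Added, hypothetical example: NOT the SOC Prime rule; field names and thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed sample of Sysmon-style events (hypothetical field names).
SAMPLE_EVENTS = [
    {"type": "registry_set", "host": "ws01", "image": "C:\\Users\\u\\x.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\x"},
    *[{"type": "file_write", "host": "ws01", "image": "C:\\Users\\u\\x.exe",
       "path": f"C:\\Users\\u\\Docs\\f{i}.{ext}"}
      for i, ext in enumerate(["docx", "xlsx", "jpg", "pdf", "txt", "dll", "zip", "mp4"] * 4)],
    # Benign: a single write by explorer.exe on another host should not alert.
    {"type": "file_write", "host": "ws02", "image": "C:\\Windows\\explorer.exe",
     "path": "C:\\Users\\u\\Docs\\notes.txt"},
]

RUN_KEYS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")
MASS_WRITE_THRESHOLD = 20      # assumption: writes per (host, process) within the window
MIN_DISTINCT_EXTENSIONS = 5    # assumption: "encrypt everything" touches many file types


def detect(events):
    """Return alerts tagged with the ATT&CK technique each heuristic corresponds to."""
    alerts = []
    writes = defaultdict(list)   # (host, process image) -> written paths
    for ev in events:
        if ev["type"] == "registry_set" and any(k in ev["key"] for k in RUN_KEYS):
            alerts.append({"technique": "T1060", "host": ev["host"], "image": ev["image"]})
        elif ev["type"] == "file_write":
            writes[(ev["host"], ev["image"])].append(ev["path"])
    for (host, image), paths in writes.items():
        exts = Counter(p.rsplit(".", 1)[-1].lower() for p in paths if "." in p)
        if len(paths) >= MASS_WRITE_THRESHOLD and len(exts) >= MIN_DISTINCT_EXTENSIONS:
            alerts.append({"technique": "T1486", "host": host, "image": image,
                           "files": len(paths), "extensions": len(exts)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the file-write heuristic needs a time window and exclusions for backup and indexing software, which this sketch omits.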