{
	"id": "1c96f855-3586-4c09-831d-eac4f6cc1639",
	"created_at": "2026-04-06T01:30:21.406229Z",
	"updated_at": "2026-04-10T03:21:09.872781Z",
	"deleted_at": null,
	"sha1_hash": "839466efb4f1fb7e85681933fbcf29e8b13196ec",
	"title": "The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1296431,
	"plain_text": "The FONIX RaaS | New Low-Key Threat with Unnecessary Complexities - SentinelLabs\r\nBy Jim Walter\r\nPublished: 2020-10-06 · Archived: 2026-04-06 01:19:10 UTC\r\nFONIX RaaS (Ransomware as a Service) is an offering that first came to attention in July of this year. It did not make much of a splash at the time, and even now we are seeing only small numbers of infections from this ransomware family. However, a RaaS that at first flies under the radar can quickly become rampant if defenders and security solutions remain unaware of it. Notably, FONIX differs from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly complex post-infection engagement cycle. In this post, we dig a little deeper into these and other peculiarities of this new RaaS offering.\r\nFONIX Background: From Crypters to Encrypters\r\nThe actors behind FONIX appeared to be focused primarily on binary crypters/packers prior to the release of the RaaS. Their ‘products’ were advertised on various cybercrime forums, as well as in paste-based advertisements on the Dark Web. The initial advertisement for the RaaS followed suit.\r\nFONIX RaaS: A Complex Victim-Affiliate-Author Triangle\r\nEngagement for this RaaS is handled purely via email, and directly with the author/advertiser. There is no web-based portal to register or manage infections or campaigns. The authors did appear to initially offer a FONIX-specific email service; however, at the time of writing, that service appears to be unavailable.\r\nUpon engaging with the FONIX advertiser, would-be buyers are required to supply the malware author with their desired email address and password for the FONIX mail service. 
Since the FONIX mail service is currently inactive, as noted, it appears that buyers are to supply the sellers with alternative email addresses (e.g., Protonmail). Once the seller has received the email data, the buyer is sent copies of the ransomware payloads. The received payloads are customized to display the email address of the new buyer upon infection, which in turn directs victims to reach out via that email in order to receive decryption instructions or acquire proof of decryption. Again, all transactions are handled via email, as opposed to a web-based portal.\r\nThere is no upfront cost for becoming a FONIX affiliate. Rather, when victims pay their ransom (which they should ideally not do), the attacker (the FONIX buyer) provides the FONIX authors with a 25% cut of the proceeds.\r\nThe actual process is a bit convoluted and far less user-friendly than most ransomware services. Based on current intelligence, we know that FONIX affiliates are not provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim; the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.\r\nPresumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). 
The victim then pays the affiliate, and the affiliate in turn supplies the FONIX authors with their 25% cut.\r\nOnce the FONIX authors have received their portion of the proceeds, they provide the affiliate with the decryptor utility and key (keys are unique to each campaign). At that point, how the decryption capability is delivered is between the affiliate and the victim.\r\nAll in all, this makes for a time-consuming process for any environment, especially large enterprises. Preventing the infection, and avoiding the whole rigmarole, is a far more attractive option!\r\nFONIX Ransomware: File Encryption and Execution\r\nThe FONIX samples we have observed come in 64- and 32-bit varieties and are available for Windows only. By default, FONIX will encrypt all file types, excluding critical Windows OS files.\r\nFile encryption is handled via a mixture of Salsa20, ChaCha, RSA and AES.\r\nThe FONIX authors advertise that this is to ensure “strong” and “unbeatable” encryption. However, it adds considerable time to the encryption process. Our analysis shows that FONIX is between 2 and 5 times slower than other well-known ransomware families (e.g., Ryuk, NetWalker).\r\nEncrypted files are all marked with the .XINOF extension (FONIX backwards). Depending on the context of the executed payload, numerous other malicious changes are made to the system. In all cases, once encryption is complete, the Desktop background is changed to the FONIX logo, and the .HTA-formatted ransom note is displayed across the entire screen.\r\nAs noted, instructions to contact the attacker are provided in the ransom note (How To Decrypt Files.hta). Several additional files are deposited on encrypted hosts. 
For example, the following can be found in %programdata% post-encryption:\r\nCpriv.key\r\nHello Michaele Gllips\r\nHelp.txt\r\nHow To Decrypt Files.hta\r\nSystemID\r\nCpriv.key and SystemID are both required for decryption, as detailed in the decryption chain described above. How To Decrypt Files.hta is the primary ransom note, and is the same HTA displayed prominently (covering up the FONIX logo wallpaper, however). Help.txt is an additional plain-text file; it simply contains a quick message, the same attacker email address and the SystemID. The remaining file, Hello Michaele Gllips, appears to be a message to @demonslay335 of the MalwareHunterTeam. This was also documented, via Twitter, by @bartblaze.\r\nWhen executed with administrator privileges, the following additional system changes occur:\r\nTask Manager is disabled\r\nPersistence is achieved via scheduled task, Startup folder inclusion, and the registry (Run AND RunOnce)\r\nSystem file permissions are modified\r\nPersistent copies of the payload have their attributes set to hidden\r\nA hidden service is created for persistence (Windows 10)\r\nDrive / Volume labels are changed (to “XINOF”)\r\nVolume Shadow Copies are deleted (vssadmin, wmic)\r\nSystem recovery options are manipulated/disabled (bcdedit)\r\nSafeboot options are manipulated\r\nThe FONIX malware executes numerous system-altering commands. 
This is just a small sample of the many we observed:\r\nconhost.exe 0xffffffff -ForceV1\r\ncmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR C:\\ProgramData\\XINOF.exe /RU SYSTEM /RL HIGHEST /F\r\nschtasks.exe /RU SYSTEM /RL HIGHEST /F\r\ncmd.exe /c copy XINOF.exe %appdata%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XINOF.exe\r\ncmd.exe /c attrib +h +s C:\\Users\\admin1\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XINOF.exe\r\nattrib.exe\r\ncmd.exe /c reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"PhoenixTechnology\" /t REG_SZ\r\nreg.exe /f\r\ncmd.exe /c reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /v \"PhoenixTechnology\" /t REG_SZ /\r\ncmd.exe /c reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v \"PhoenixTechnology\" /t REG\r\ncmd.exe /c reg add HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce /v \"PhoenixTechnology\" /t REG_\r\ncmd.exe /c reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /\r\nreg.exe add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t REG_D\r\ncmd.exe /c reg add HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v DisableTaskMgr /t\r\nConclusion\r\nFONIX is not at present a widespread threat; whether that is due to the complexity of its engagement model or other factors is difficult to say at this time. However, a FONIX infection is notably aggressive, encrypting everything other than system files, and can be difficult to recover from once a device has been fully encrypted. Currently, FONIX does not appear to threaten victims with additional consequences (such as public data exposure or DDoS attacks) for non-compliance. Even without those extra headaches, however, good user hygiene and strong, modern endpoint security controls are critical in preventing this and similar infections.\r\n
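Those controls need telemetry to act on, and the command lines listed above are distinctive enough to detect. As an added example, written for this page and not code from SentinelLabs or from the FONIX authors, the following Python script matches process-creation events against the FONIX behaviours documented here (scheduled task as SYSTEM, PhoenixTechnology Run values, hidden Startup copy, DisableTaskMgr, shadow-copy and recovery tampering) and then correlates hits per parent process, so that a single Run key written by an installer is not alerted on but the cluster a payload produces is. The event shape (ParentImage, CommandLine) is an assumed Sysmon-like layout, not a product schema; the sample events are constructed, with the cmd.exe lines taken from the page (backslashes restored) and the vssadmin, wmic and bcdedit lines being plausible forms of the behaviour the page describes rather than commands quoted from it; the technique IDs not in the page's own MITRE list (T1562.001, T1564.001) are the editor's mapping.

```python
# Added example for this page (not SentinelLabs code): a small behavioural
# detector for the FONIX post-infection commands documented above. It takes
# process-creation events in an assumed Sysmon-like shape (just ParentImage
# and CommandLine), matches each command line against a handful of rules,
# then correlates hits by parent process: one Run key is noise, but a task,
# a Run key, a hidden Startup copy, DisableTaskMgr and shadow-copy deletion
# all spawned by the same parent is a ransomware payload.
from collections import defaultdict


def _has_all(*tokens):
    '''Predicate: every token occurs in the lower-cased command line.'''
    return lambda cmd: all(t in cmd for t in tokens)


# (ATT&CK technique, reason, predicate). T1562.001 (Impair Defenses) and
# T1564.001 (Hidden Files and Directories) are the editor's mapping; the
# other IDs appear in the page's own MITRE list. ' add ' (with spaces)
# matches both 'reg add' and 'reg.exe add'.
RULES = [
    ('T1053.005', 'scheduled task runs a ProgramData binary as SYSTEM at logon',
     _has_all('schtasks', '/create', '/ru system', 'programdata')),
    ('T1547.001', 'Run/RunOnce value named PhoenixTechnology',
     _has_all('reg', ' add ', 'currentversion\\run', 'phoenixtechnology')),
    ('T1547.001', 'payload copied into the Startup folder',
     _has_all('copy', 'start menu\\programs\\startup')),
    ('T1564.001', 'hidden+system attributes set on a Startup item',
     _has_all('attrib', '+h', '+s', 'startup')),
    ('T1562.001', 'Task Manager disabled via the DisableTaskMgr policy value',
     _has_all(' add ', 'disabletaskmgr')),
    ('T1490', 'volume shadow copies deleted',
     lambda cmd: ('vssadmin' in cmd and 'delete' in cmd and 'shadows' in cmd)
     or ('wmic' in cmd and 'shadowcopy' in cmd and 'delete' in cmd)),
    ('T1490', 'boot recovery disabled with bcdedit',
     _has_all('bcdedit', 'recoveryenabled no')),
]


def scan(events):
    '''Map parent image -> list of (technique, reason, command line) hits.'''
    hits = defaultdict(list)
    for ev in events:
        cmd = ev['CommandLine'].lower()
        for technique, reason, matches in RULES:
            if matches(cmd):
                hits[ev['ParentImage']].append((technique, reason, ev['CommandLine']))
    return dict(hits)


def suspicious_parents(events, min_distinct=3):
    '''Parents whose child commands cover at least min_distinct techniques.'''
    verdicts = {}
    for parent, parent_hits in scan(events).items():
        techniques = sorted({t for t, _, _ in parent_hits})
        if len(techniques) >= min_distinct:
            verdicts[parent] = techniques
    return verdicts


# Constructed sample input. The cmd.exe lines are the ones printed on the page
# (backslashes restored; the Run-key line keeps its truncated tail as printed,
# the DisableTaskMgr tail is reconstructed). The vssadmin, wmic and bcdedit
# lines are plausible forms of the behaviour the page describes, not quotes
# from it. The two explorer.exe children are benign controls.
PAYLOAD = 'C:\\ProgramData\\XINOF.exe'
STARTUP = '\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\XINOF.exe'
SAMPLE_EVENTS = [
    {'ParentImage': PAYLOAD, 'CommandLine':
     'cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR ' + PAYLOAD + ' /RU SYSTEM /RL HIGHEST /F'},
    {'ParentImage': PAYLOAD, 'CommandLine': 'cmd.exe /c copy XINOF.exe %appdata%' + STARTUP},
    {'ParentImage': PAYLOAD, 'CommandLine':
     'cmd.exe /c attrib +h +s C:\\Users\\admin1\\AppData\\Roaming' + STARTUP},
    {'ParentImage': PAYLOAD, 'CommandLine':
     'cmd.exe /c reg add HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run'
     ' /v \"PhoenixTechnology\" /t REG_SZ'},
    {'ParentImage': PAYLOAD, 'CommandLine':
     'cmd.exe /c reg add HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System'
     ' /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    {'ParentImage': PAYLOAD, 'CommandLine': 'vssadmin delete shadows /all /quiet'},
    {'ParentImage': PAYLOAD, 'CommandLine': 'wmic shadowcopy delete'},
    {'ParentImage': PAYLOAD, 'CommandLine': 'bcdedit /set {default} recoveryenabled No'},
    {'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine':
     'reg query HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run'},
    {'ParentImage': 'C:\\Windows\\explorer.exe', 'CommandLine': 'schtasks /Query /FO LIST'},
]


if __name__ == '__main__':
    for parent, parent_hits in scan(SAMPLE_EVENTS).items():
        for technique, reason, cmd in parent_hits:
            print(parent, technique, reason, cmd, sep=' | ')
    print('verdict:', suspicious_parents(SAMPLE_EVENTS))
```

Run stand-alone it prints the eight hits attributed to the XINOF parent and a verdict naming five distinct techniques, while the explorer.exe children produce nothing. Fed from a real Sysmon or EDR stream, the per-parent grouping should key on the process GUID rather than the image path, since the path is trivially varied, and the min_distinct threshold is the knob that trades a missed single-technique installer against alerting on every legitimate Run key.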
The SentinelOne platform is fully able to prevent all behaviors and artifacts associated with the FONIX ransomware family.\r\nIndicators of Compromise\r\nSHA1\r\na94f92f1e6e4fed57ecb2f4ad55e22809197ba2e\r\n1f551246c5ed70e12371891f0fc6c2149d5fac6b\r\n63cae6a594535e8821c160da4b9a58fc71e46eb2\r\nSHA256\r\ne5324495a9328fe98187239565c05b077680b2ebc9183a6e3e2ccfbfa9f0295a\r\n5263c485f21886aad8737183a71ddc1dc77a92f64c58657c0628374e09bb6899\r\n658ec5aac2290606dba741bce30853515795028322162167395cebc5d0bfccf4\r\nMITRE ATT\u0026CK\r\nData Encrypted for Impact T1486\r\nBoot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001\r\nObfuscated Files or Information T1027\r\nInhibit System Recovery T1490\r\nScheduled Task/Job: Scheduled Task T1053.005\r\nBoot or Logon Autostart Execution T1547\r\nCommand and Scripting Interpreter T1059\r\nCommand and Scripting Interpreter: Windows Command Shell T1059.003\r\nObfuscated Files or Information: Software Packing T1027.002\r\nFile and Directory Permissions Modification T1222\r\nFile and Directory Permissions Modification: Windows File and Directory Permissions Modification T1222.001\r\nHide Artifacts T1564\r\nSource: https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/"
	],
	"report_names": [
		"the-fonix-raas-new-low-key-threat-with-unnecessary-complexities"
	],
	"threat_actors": [],
	"ts_created_at": 1775439021,
	"ts_updated_at": 1775791269,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/839466efb4f1fb7e85681933fbcf29e8b13196ec.pdf",
		"text": "https://archive.orkl.eu/839466efb4f1fb7e85681933fbcf29e8b13196ec.txt",
		"img": "https://archive.orkl.eu/839466efb4f1fb7e85681933fbcf29e8b13196ec.jpg"
	}
}