FONIX: The New RaaS (Ransomware-as-a-Service)

FONIX is a new ransomware strain now being offered as a service. Its services and products are actively advertised on various underground and hacking forums.

FONIX ransomware first appeared in July 2020. Since then, the threat has been actively distributed by various methods. The crypto-malware specifically targets Windows users, on both 64-bit and 32-bit versions of the OS.

The threat uses the Salsa20 and RSA 4098 encryption algorithms to encrypt files on the target system and appends the “.fonix” extension to them.

The FONIX ransom note is named “# How To Decrypt Files #.hta”. And the email address associated is

FONIX is Being Advertised as a Ransomware Service

FONIX is now being advertised as a ransomware service and is reaching out to affiliates and partners. Initially, however, experts believed that the new FONIX RaaS could fall down gradually, if underestimated. The experts at Sentinel Labs analyzed it as a low-key threat with unnecessary complexities.

The analysis by Sentinel Labs reads:

“Notably, FONIX varies somewhat from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle.”

  • The FONIX RaaS does not charge anything to join its affiliate service; however, the operators keep 25% of any ransom obtained from the victims.
  • Affiliates must send the victims' encrypted files to the RaaS operators, who decrypt them so they can be returned to the victims. For this, the actors behind the FONIX RaaS keep 25% of the ransom fee.
  • This entire communication is carried out via email.

“Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims,” the analysis adds.

The Distribution Tactics: 

FONIX ransomware mainly spreads via spam email attachments. However, as with any other malware, other possible vectors include fake software updates and downloads, torrents, malicious scripts embedded in ads, software cracks and the like.

Upon successful infiltration, it attempts to gain administrative privileges, after which it makes various changes to the system:

  • Disables the Task Manager
  • Manages scheduled tasks and edits Registry keys and startup entries
  • Modifies system file permissions
  • Hides copies of its payload to gain persistence
  • Creates a hidden service or process to remain undetected
  • Changes the drive/volume labels to “XINOF”
  • Deletes the Shadow Volume Copies
  • Disables the System Recovery and Safe Boot options

The ransomware uses four encryption methods (AES, Chacha, RSA, and Salsa20) to encode the files on the victim’s system, excluding the critical Windows OS files. However, FONIX's encryption process is relatively slower than that of other ransomware. The reason is the complexity of the encryption.

“a FONIX infection is notably aggressive – encrypting everything other than system files – and can be difficult to recover from once a device has been fully encrypted. Currently, FONIX does not appear to be threatening victims with additional consequences (such as public data exposure or DDoS attacks) for non-compliance.” 
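For scoping an incident, the on-disk artifacts this article lists (the “.fonix” suffix, the “# How To Decrypt Files #.hta” note and the “XINOF” volume label) can be turned into a quick triage check. The script below is an added example, not code from Sentinel Labs or from this article's author; the function names are hypothetical.

```python
import os
from collections import Counter

# Indicators taken from this article. Matching is case-insensitive because
# Windows file names are.
ENCRYPTED_SUFFIX = ".fonix"
RANSOM_NOTE = "# how to decrypt files #.hta"
VOLUME_LABEL = "XINOF"


def triage_tree(root):
    """Walk `root` and summarise the FONIX artifacts found beneath it."""
    encrypted = Counter()   # directory -> number of *.fonix files
    notes = []              # full paths of ransom notes
    intact = 0              # files carrying neither indicator
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, name))
            elif lowered.endswith(ENCRYPTED_SUFFIX):
                encrypted[dirpath] += 1
            else:
                intact += 1
    total = sum(encrypted.values())
    return {
        "encrypted_total": total,
        "encrypted_by_dir": dict(encrypted),
        "ransom_notes": sorted(notes),
        "intact_files": intact,
        "suspected": total > 0 or bool(notes),
    }


def label_matches(volume_label):
    """True if a volume label (e.g. read with `vol` or Get-Volume) is the FONIX one."""
    return volume_label.strip().upper() == VOLUME_LABEL


def original_name(encrypted_name):
    """Name the file had before the .fonix suffix was appended."""
    if encrypted_name.lower().endswith(ENCRYPTED_SUFFIX):
        return encrypted_name[: -len(ENCRYPTED_SUFFIX)]
    return encrypted_name


if __name__ == "__main__":
    import json, sys
    print(json.dumps(triage_tree(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

The per-directory counts show how far encryption progressed, and the intact-file count shows what is still recoverable without backups.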

What Should You Do?

If you are a victim of FONIX ransomware, you should run an anti-malware program to detect and remove the threat. After that, you can try recovering your data from backups.

Security experts never recommend paying the threat actors, as there is no guarantee that they will provide the decryption key. Besides, paying them will only encourage them to act more.

  • So, it is better to take regular backups of your important data.
  • Keep your software and applications updated regularly.
  • Do not open or download emails that appear suspicious to you.
  • Install real-time protection software to safeguard your system.

The best anti-ransomware tools we recommend are HitmanPro.Alert, Avira, ESET and Ransomware Defender. You can choose whichever you prefer.

Another important step is to take regular backups of your data. We recommend EaseUS Todo Backup, a leading backup solution offering various options. It protects your system and data from ransomware and makes file recovery easy in case of a ransomware attack.

  • Offers automatic and custom backup options. You can select specific files, folders and directories, or even create a clone of an entire drive.
  • It compresses file images to save space and encrypts the files to protect them from ransomware/malware attacks.
  • Uses smart backup, which checks for updates every half an hour and does a full backup every 7 days.
  • For an instant backup of any file, just select the files/folders, right-click in Windows Explorer and add them to Smart Backup.
  • Allows access to data anytime, anywhere.

It is a product worth trying when it comes to protecting privacy.
