Researchers from Sentinel Labs have analyzed a relatively new Ransomware as a Service (RaaS), FOXIN, whose operators used to specialize in the development of binary crypters/packers. FOXIN RaaS has been advertised on several cybercrime forums by the creators.
Though the initial appearances were in July 2020, the good news is that the number of cases or infections is not widespread. According to experts, the ransomware authors do not sell their software for money. Rather, to become an affiliate of the service, the operators only keep a part of the collected ransom from their affiliate network. They believe that FOXIN RaaS can quickly become very rampant if it is underestimated by security firms and the authorities.
The analysis by Sentinel Labs reads as follows: “Notably, FONIX varies somewhat from many other current RaaS offerings in that it employs four methods of encryption for each file and has an overly-complex post-infection engagement cycle.” Every communication with the FOXIN operators is carried out via email. The affiliates need to provide operator files from the victim system to get hold of the decryptor and key for the victim. The operator retains about a fourth of the ransom to itself, as its fee.
The analysis by Sentinel Labs continues: “Based on current intelligence, we know that FONIX affiliates do not get provided with a decryptor utility or keys at first. Instead, victims first contact the affiliate (buyer) via email as described above. The affiliate then requests a few files from the victim. These include two small files for decryption: one is to provide proof to the victim, the other is the file “cpriv.key” from the infected host. The affiliate is then required to send those files to the FONIX authors, who decrypt the files, after which they can be sent to the victims.” continues the
“Presumably, once the victim is satisfied that decryption is possible, the affiliate provides a payment address (BTC wallet). The victim then pays the affiliate, with the affiliate, in turn, supplying the FONIX authors with their 25% cut.”
It is, without a doubt, a complex and way less user-friendly process, as compared to other RaaS service providers. Foxin ransomware has been currently found effective only on Windows systems. It decrypts every available file, except the ones required by the operating system. The FOXIN ransomware is pretty slow, as compared to other ransomware available in the market. It is because of the complex and the series of encryption protocols it follows to affect the system. It applies a combination of AES, Chacha, RSA, and Salsa20 for the encryption process while adding a.XINOF extension to the files.
These changes were observed on a system after FOXIN had been executed on it with administrator privileges:
● Task Manager is disabled
● Persistence is achieved via a scheduled task, Startup folder inclusion, and the registry
(Run AND RunOnce)
● System file permissions are modified
● Persistent copies of the payload have their attributed set to hidden
● A hidden service is created for persistence (Windows 10)
● Drive / Volume labels are changed (to “XINOF”)
● Volume Shadow Copies are deleted (vssadmin, wmic)
● System recovery options are manipulated/disabled (bcdedit)
● Safeboot options are manipulated
In the conclusion to their analysis, Sentinel Labs adds, “a FONIX infection is notably aggressive encrypting everything other than system files – and can be difficult to recover from once a device has been fully encrypted. Currently, FONIX does not appear to be threatening victims with additional consequences (such as public data exposure or DDoS attacks) for non-compliance.”