Ransom.Win64.FONIX.B

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It adds certain registry entries to disable the Task Manager. This action prevents users from terminating the malware process, which can usually be done via the Task Manager.

It drops files as ransom note.

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware adds the following folders:

• %User Temp%\IXP000.TMP

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It drops the following files:

• %User Temp%\IXP000.TMP\XINOF.exe
• %User Temp%\IXP000.TMP\SystemScheduler.exe
• %User Temp%\IXP000.TMP\Cpriv.key
• %User Temp%\IXP000.TMP\Cpub.key
• %User Temp%\IXP000.TMP\SystemID
• %User Temp%\IXP000.TMP\Help.txt
• %User Temp%\Cpriv.key
• %User Temp%\Cpub.key
• %ProgramData%\Cpriv.key
• %ProgramData%\Cpub.key
• %ProgramData%\CrptSrvcFLG
• %ProgramData%\SystemID
• %ProgramData%\Help.txt
• %ProgramData%\Hello {Name}
• {Encrypted Directory}\Cpriv.key

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local\Temp on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).. %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

It adds the following processes:

• %System%\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN fonix /TR %ProgramData%\XINOF.exe /RU SYSTEM /RL HIGHEST /F
• %System%\cmd.exe /c copy XINOF.exe %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\XINOF.exe
• %System%\cmd.exe /c attrib +h +s %User Startup%\XINOF.exe
• %System%\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %ProgramData%\XINOF.exe /f
• %System%\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "PhoenixTechnology" /t REG_SZ /d %ProgramData%\XINOF.exe /f
• %System%\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %ProgramData%\XINOF.exe /f
• %System%\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "PhoenixTechnology" /t REG_SZ /d %ProgramData%\XINOF.exe /f
• %System%\cmd.exe /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c reg delete HKEY_CURRENT_USER\System\CurrentControlSet\Control\SafeBoot /va /F
• %System%\cmd.exe /c reg delete HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SafeBoot /va /F
• %System%\cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System" /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoClose /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v StartMenuLogOff /t REG_DWORD /d 1 /f
• %System%\cmd.exe /c icacls * /grant Everyone:(OI)(CI)F /T /C /Q
• %System%\cmd.exe /c Copy Cpriv.key %ProgramData%\Cpriv.key
• %System%\cmd.exe /c Copy Cpub.key %ProgramData%\Cpub.key
• %System%\cmd.exe /c Copy SystemID %ProgramData%\SystemID

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.. %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• FakeMutex
• FonixCryptServiceMUTEX

Autostart Technique

This Ransomware adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
PhoenixTechnology = %ProgramData%\XINOF.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
PhoenixTechnology = %ProgramData%\XINOF.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
PhoenixTechnology = %ProgramData%\XINOF.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\RunOnce
PhoenixTechnology = %ProgramData%\XINOF.exe

It drops the following file(s) in the Windows User Startup folder to enable its automatic execution at every system startup:

• %User Startup%\XINOF.exe

(Note: %User Startup% is the current user's Startup folder, which is usually C:\Windows\Profiles\{user name}\Start Menu\Programs\Startup on Windows 98 and ME, C:\WINNT\Profiles\{user name}\Start Menu\Programs\Startup on Windows NT, C:\Documents and Settings\{User name}\Start Menu\Programs\Startup on Windows 2003(32-bit), XP and 2000(32-bit), or C:\Users\{user name}\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit), 10(64-bit).)

Other System Modifications

This Ransomware adds the following registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows\System
AllowBlockingAppsAtShutdown = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
NoClose = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
Explorer
StartMenuLogOff = 1

It adds the following registry entries to disable the Task Manager:

HKEY_LOCAL_MACHINE\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Policies\
System
DisableTaskMgr = 1

It creates the following registry entry(ies) to bypass Windows Firewall:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
Microsoft\Windows Defender
DisableAntiSpyware = 1

It deletes the following registry keys:

HKEY_CURRENT_USER\System\CurrentControlSet\
Control\SafeBoot

HKEY_LOCAL_MACHINE\System\CurrentControlSet\
Control\SafeBoot

File Infection

This Ransomware avoids infecting files that contain the following strings in their names:

• SystemScheduler.exe
• Hello {Name}
• Cpub.key
• Cpriv.ket
• FonixDecrypter.exe
• CrptSrvcFLG
• How To Decrypt.hta
• Help.txt

Process Termination

This Ransomware terminates the following processes if found running in the affected system's memory:

• agntsvc.exe
• dbeng50.exe
• dbsnmp.exe
• encsvc.exe
• endnote.exe
• excel.exe
• filemon.exe
• firefoxconfig.exe
• infopath.exe
• isqlpplussvc.exe
• isqlpussvc.exe
• msaccess.exe
• msftesql.exe
• mspub.exe
• mydesktopqos.exe
• mydesktopservice.exe
• mysqld-nt.exe
• mysqld-opt.exe
• mysqld.exe
• netmon.exe
• notepad++.exe
• notepad.exe
• ntoskrnl.exe
• ocautoupds.exe
• ocomm.exe
• ocssd.exe
• onenote.exe
• oracle.exe
• outlook.exe
• paint.exe
• powerpnt.exe
• procmon.exe
• regmon.exe
• Sandboxiedcomlaunch.exe
• sqbcoreservice.exe
• sqlagent.exe
• sqlbrowser.exe
• sqlservr.exe
• sqlwriter.exe
• Ssms.exe
• stream.exe
• synctime.exe
• taskmgr.exe
• tbirdconfig.exe
• thebat.exe
• thebat64.exe
• Thunderbird.exe.visio.exe
• vboxservice.exe
• vboxtray.exe
• vmtoolsd.exe
• vmwareservice.exe
• vmwareuser.exe
• winword.exe
• wireshark.exe
• wordpad.exe
• xfssvccon.exe

Other Details

This Ransomware adds the following scheduled tasks:

• Task Name: fonix
  Trigger: At logon of any user
  Action: %ProgramData%\XINOF.exe

(Note: %ProgramData% is a version of the Program Files folder where any user on a multi-user computer can make changes to programs. This contains application data for all users. This is usually C:\ProgramData on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit), or C:\Documents and Settings\All Users on Windows Server 2003(32-bit), 2000(32-bit) and XP.)

Ransomware Routine

This Ransomware appends the following extension to the file name of the encrypted files:

• {Original Filename}.{Original File Extension}.Email=[rg780@fonix.email]ID=[{ID}].XINOF

It drops the following file(s) as ransom note:

• %ProgramData%\How To Decrypt Files.hta
• {Encrypted Directory}\How To Decrypt Files.hta
  

It leaves text files that serve as ransom notes containing the following text:

• {Encrypted Directory}\Help.txt