
Fonix Ransomware

Posted: June 15, 2020

The Fonix Ransomware is a file-locking Trojan that uses a secure implementation of the Salsa20 stream cipher to stop documents and other media from opening. The Trojan also extorts ransoms through an elaborate HTML ransom note and pressures victims with a short deadline, with a financial penalty for missing it. Users should recover from a backup, if available, and let their preferred anti-malware solution delete the Fonix Ransomware or quarantine samples for analysis.

A Dip that's Too Spicy for Your Computer's Media

The long-established combination of AES file encryption with RSA-protected keys is the favored approach of file-locking Trojans globally, from freeware like Hidden Tear to the Ransomware-as-a-Service industry. Some exceptions are active and still threatening, such as the AlphaBetaCrypt Ransomware, the GetCrypt Ransomware and, the newest of them, the Fonix Ransomware. All three threats are examples of Trojans leveraging Salsa20 encryption for blocking valuable files.

The Fonix Ransomware (referring to itself as 'FonixCrypter' in its ransom note) is an independent but mostly traditional Trojan of the file-locking sub-class. It searches for media on Windows computers, such as documents, pictures, music or databases, and locks them with Salsa20 encryption. The encryption routine also protects the keys with RSA, which keeps users from recovering their work through free decryptors, unlike less-secure Trojans such as Hidden Tear, whose files can be recovered that way.

The Fonix Ransomware also appends an e-mail address and an extension to the names of the files it locks and uses a unique ransom note in HTA format. Although the Trojan doesn't specify a price, it does demand payment in Bitcoin and sets a short deadline before the price doubles. This method of psychologically pressuring victims is one that malware experts see in similar campaigns. It has the benefit of convincing users to pay before realizing that criminals don't always give unlocked media back to the customer.

Crushing an Illicit Business While it's a Young Upstart

Up-and-coming Trojan businesses like the Fonix Ransomware's campaign rarely make surprising waves in their distribution strategies. Most threat actors will go after the low-hanging fruit of brute-forcing passwords on vulnerable servers, or send crafted e-mail messages to employees to convince them to open a corrupted attachment. Responsible password management, scanning downloads, and turning off features like macros and JavaScript take most of these vulnerabilities out of the equation.

The Fonix Ransomware is noticeably larger than most file-locking Trojans, which tend toward sub-megabyte file sizes. Samples of the Fonix Ransomware hover in the six-megabyte range, which may give victims additional time to notice a threatening download. The file-locking routine, however, has no unusual symptoms, as is par for the course.

Since removing the Fonix Ransomware doesn't restore any locked files, users should keep their backups current and protected so that a comprehensive recovery is possible. Anti-malware tools also are dependable means of removing the Fonix Ransomware and similar Trojans on sight.

The Fonix Ransomware is dipping into a congested environment for trading files for ransoms. Despite the competition, as long as there are unprotected users (and their data), Trojans like the Fonix Ransomware will find a way to make cryptocurrency without working for it – in the conventional sense.
