Phobos

Phobos is ransomware that encrypts files and demands a ransom for their release. It uses AES encryption and appends various extensions to the affected files, which leaves victims no way to recover the files on their own.

Type: Ransomware
Origin: Unknown
First seen: 1 October, 2017
Last seen: 1 October, 2022
Global rank: 38
Week rank: 21
Month rank: 24
IOCs: 348

What is Phobos Ransomware?

Phobos ransomware encrypts data and holds it until a ransom is paid. According to the latest research, 77% of Phobos attacks are successful. This malicious program was first recorded in the wild in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 as part of the Dharma family, also known as CrySIS. A year later Phobos developed further and spread rapidly. In 2019 it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 it was noted as one of the most common ransomware strains, with 9.70% of submissions. It constantly receives updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are exposed or weakly secured. The cybercriminals then leave ransom notes asking the victim to contact one of the listed email addresses to obtain the decryption key.

Phobos attackers, exactly like Dharma ones, are willing to negotiate the ransom amount depending on the company. The ransom can reach 20,000 USD in Bitcoin. This is lower than typical ransomware demands because Phobos chooses small companies as victims. And sometimes the cybercriminals do not hand over the decryption key even after payment.

The malicious program encrypts data using AES and adds extensions to the affected files, such as .phobos, .phoenix, .actin, .help, .mamba and others. Files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

Figure 1: Graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is fairly typical for this type of malware and resembles that of Troldesh. The executable file makes its way onto the system and runs, and then the main malicious activity begins. Early in execution the ransomware deletes shadow copies. Notably, as soon as it has encrypted all targeted files, Phobos pops up a ransom note on the desktop; the note window is displayed by the ransomware executable itself.
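The two behaviours described above, shadow copy deletion followed by files being renamed with one of the extensions listed in the general description, are what a defender can look for in endpoint telemetry. The following Python script is an added example, not code from the original page or from ANY.RUN: it parses a small set of constructed process-creation and file-rename log lines (the pipe-delimited format is invented for this example) and flags both behaviours. The shadow-copy deletion patterns are generic defender heuristics for Windows (vssadmin, wmic and the Win32_ShadowCopy WMI class), not strings taken from a Phobos sample, and the extension list is only the one the page gives.

```python
import re

# Extensions the page lists as appended by Phobos. Real variants use many more,
# so treat this as a starting set rather than an exhaustive signature.
PHOBOS_EXTENSIONS = {".phobos", ".phoenix", ".actin", ".help", ".mamba"}

# Command-line patterns commonly used to remove Volume Shadow Copies on Windows.
# These are general defender heuristics, not indicators extracted from a sample.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"Win32_ShadowCopy", re.I),
]

# Constructed sample telemetry in an invented "key=value|key=value" format.
# A Cmd or Path value must not contain "|" for this simple parser to work.
SAMPLE_LOG = r"""
ts=2022-10-01T09:00:01Z|EVT=ProcessCreate|User=alice|Cmd=C:\Windows\explorer.exe
ts=2022-10-01T09:00:05Z|EVT=ProcessCreate|User=alice|Cmd=vssadmin.exe delete shadows /all /quiet
ts=2022-10-01T09:00:06Z|EVT=ProcessCreate|User=alice|Cmd=wmic shadowcopy delete
ts=2022-10-01T09:00:10Z|EVT=FileRename|Path=C:\Users\alice\Documents\report.docx.phobos
ts=2022-10-01T09:00:10Z|EVT=FileRename|Path=C:\Users\alice\Pictures\holiday.jpg.actin
ts=2022-10-01T09:00:11Z|EVT=FileRename|Path=C:\Users\alice\Documents\notes.txt.bak
"""


def is_shadow_copy_deletion(command_line: str) -> bool:
    """True if the command line matches a known shadow-copy deletion pattern."""
    return any(p.search(command_line) for p in SHADOW_DELETE_PATTERNS)


def is_phobos_style_name(path: str) -> bool:
    """True if the file name ends with one of the listed Phobos extensions.

    Short generic suffixes such as .help can collide with benign files, so a
    single hit is weak evidence; a burst of such renames is what matters.
    """
    lower = path.lower()
    return any(lower.endswith(ext) for ext in PHOBOS_EXTENSIONS)


def parse_event(line: str) -> dict:
    """Parse one constructed log line into a dict of its key=value fields."""
    fields = {}
    for part in line.strip().split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def analyse(lines) -> dict:
    """Collect shadow-copy deletions and suspicious renames, then score them."""
    findings = {"shadow_copy_deletion": [], "phobos_extension": []}
    for line in lines:
        ev = parse_event(line)
        if ev.get("EVT") == "ProcessCreate" and is_shadow_copy_deletion(ev.get("Cmd", "")):
            findings["shadow_copy_deletion"].append(ev["Cmd"])
        elif ev.get("EVT") == "FileRename" and is_phobos_style_name(ev.get("Path", "")):
            findings["phobos_extension"].append(ev["Path"])

    # Either behaviour alone deserves a look; both together on one host is the
    # sequence the page describes (backups removed, then files renamed).
    n_shadow = len(findings["shadow_copy_deletion"])
    n_ext = len(findings["phobos_extension"])
    if n_shadow and n_ext:
        findings["verdict"] = "high"
    elif n_shadow or n_ext >= 3:
        findings["verdict"] = "medium"
    else:
        findings["verdict"] = "none"
    return findings


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    print("verdict:", result["verdict"])
    for cmd in result["shadow_copy_deletion"]:
        print("shadow copy deletion:", cmd)
    for path in result["phobos_extension"]:
        print("renamed with Phobos extension:", path)
```

The scoring deliberately weights the combination: shadow copy deletion alone also appears in legitimate administration, and a single rename to a short suffix can be benign, but a host that does both within seconds matches the Phobos sequence and should trigger isolation and a backup integrity check.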

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods let attackers steal victims’ information and encrypt their data by running a Trojan or other malware. The range of affected files is wide: documents, PDF and text files, databases, photos and videos, archives, etc., whether they are located in internal or external folders. Phobos also removes the files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware; moreover, it has clear similarities to Dharma. Criminals who use Phobos do not need to be qualified specialists. Nevertheless, this ransomware keeps evolving, and its attacks are effective. It has many ways to get onto your device and extort a ransom. That is why Phobos can be a serious threat to organizations.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
