Phobos

Phobos is ransomware that encrypts files and demands a ransom for the decryption key. It uses AES encryption and marks encrypted files with one of several extensions; without the attacker's key the files cannot be recovered.

Type
Ransomware
Origin
Unknown
First seen
1 October, 2017
Last seen
17 September, 2021
Global rank
39
Week rank
27
Month rank
22
IOCs
184

What is Phobos Ransomware?

Phobos Ransomware encrypts data and demands a ransom for its return. According to research available at the time of writing, 77% of Phobos attacks are successful. The malware was first recorded in the wild in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 as a member of the Dharma (also known as CrySIS) family. A year later it was developed further and spread rapidly. In 2019 it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 it was among the most common strains at 9.70% of submissions. It receives constant updates and new versions.

The ransomware targets organizations all over the world. Phobos operators compromise RDP servers that are exposed to the internet or weakly secured, then drop ransom notes instructing the victim to contact one of the listed e-mail addresses to obtain the decryption key.

Like Dharma operators, Phobos attackers negotiate the ransom depending on the company. Demands can reach 20,000 USD in Bitcoin, which is lower than typical ransomware demands because Phobos targets small companies. Sometimes the criminals do not hand over the decryption key even after payment.

The malware encrypts data with AES and appends extensions such as .phobos, .phoenix, .actin, .help and .mamba to the encrypted files; the victim ID and a contact e-mail address are typically inserted into the new file name ahead of that extension. Files can be fully or partially encrypted.
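The two observable traits in the paragraph above, the renamed file and the encrypted content, can be checked by a responder triaging a share. The following Python is an added example and is not code from the page or from ANY.RUN. The extension set is the one listed above; the `.id[...].[e-mail]` name layout is an assumption drawn from public sample analyses rather than from this page, and the entropy threshold and window size are illustrative choices. Because the page notes that files may be only partially encrypted, the entropy check measures the head and tail of a file separately instead of averaging over the whole file.

```python
import hashlib
import math
import re

# Extensions named on this page; real samples use many more, so treat this as a starting set.
PHOBOS_EXTENSIONS = {".phobos", ".phoenix", ".actin", ".help", ".mamba"}

# Assumption (from public analyses, not from this page): encrypted files are renamed as
#   <name>.<ext>.id[<8 hex>-<4 digits>].[<contact e-mail>].<ransom ext>
PHOBOS_NAME_RE = re.compile(r"\.id\[[0-9A-Fa-f]{8}-\d{4}\]\.\[[^\]]+@[^\]]+\]\.(\w+)$")


def phobos_marker(filename: str):
    """Return the ransom extension (with dot, lower-cased) if the name has the Phobos layout, else None."""
    m = PHOBOS_NAME_RE.search(filename)
    return "." + m.group(1).lower() if m else None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for a single repeated value up to 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(data: bytes, threshold: float = 7.5, window: int = 4096) -> bool:
    """Flag if either the head or the tail window is high-entropy.
    A partially encrypted file (ciphertext in one region, plaintext elsewhere) would be
    diluted by a whole-file average, so the two ends are measured separately."""
    head = data[:window]
    tail = data[-window:] if len(data) > window else b""
    return any(shannon_entropy(chunk) >= threshold for chunk in (head, tail) if chunk)


def triage(filename: str, data: bytes) -> dict:
    """Combine the file-name and content signals for one file."""
    ext = phobos_marker(filename)
    return {
        "phobos_name": ext is not None,
        "known_extension": ext in PHOBOS_EXTENSIONS,
        "high_entropy": looks_encrypted(data),
    }


def _pseudo_random(n: int, seed: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed test data)."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


if __name__ == "__main__":
    # Constructed samples: a plaintext document and a copy whose first 4 KiB were overwritten
    # with ciphertext-like bytes, mimicking partial encryption.
    plain = b"Quarterly report\n" * 600
    partial = _pseudo_random(4096) + plain[4096:]
    print(triage("report.docx", plain))
    print(triage("report.docx.id[1A2B3C4D-2275].[helpdesk@example.com].phobos", partial))
```

In practice the name match alone is enough to confirm an infection; the entropy check is for files the malware renamed but failed to finish, or for spotting encrypted content that was copied under a clean name.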

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy the malware as a Ransomware-as-a-Service (RaaS) package, so even without deep technical knowledge they can build their own variant and attack a chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

Figure 1: Graph of processes created by Phobos, as shown by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is fairly typical for this type of malware. The executable reaches the infected system and is launched, after which the main malicious activity begins. Early in execution the ransomware deletes volume shadow copies. Once it has encrypted all targeted files, Phobos displays a ransom note on the desktop; the note window is opened by the ransomware executable itself.
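The shadow-copy deletion above (and the removal of backups mentioned under distribution below) is the part of the execution chain that is easiest to detect before encryption completes, because it runs through built-in Windows tools with recognizable command lines. The following Python is an added example, not code from the page or from ANY.RUN, that runs detection logic over process-creation records. The command lines it matches (vssadmin, wbadmin, bcdedit, wmic) are the recovery-inhibiting commands reported for this family in public analyses, which is an assumption relative to this page; the field names and the sample events are constructed to resemble Sysmon Event ID 1 records.

```python
import re
from collections import defaultdict

# Recovery-inhibiting command lines (MITRE ATT&CK T1490, Inhibit System Recovery).
# Assumption: these are the commands reported for Phobos samples in public analyses;
# the page itself only states that shadow copies and backups are removed.
RECOVERY_INHIBITORS = [
    ("shadow_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|backup)\b", re.I)),
    ("boot_recovery_off", re.compile(r"\bbcdedit(\.exe)?\s+.*recoveryenabled\s+no\b", re.I)),
    ("boot_ignore_failures", re.compile(r"\bbcdedit(\.exe)?\s+.*bootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
]


def classify(command_line: str):
    """Labels of every inhibitor pattern that a single command line matches, in table order."""
    return [label for label, rx in RECOVERY_INHIBITORS if rx.search(command_line)]


def find_inhibitors(events):
    """Group matched labels by the parent process that launched the command.
    events: iterable of dicts with 'parent_image', 'image' and 'command_line'."""
    hits = defaultdict(set)
    for ev in events:
        for label in classify(ev.get("command_line", "")):
            hits[ev.get("parent_image", "?")].add(label)
    return {parent: sorted(labels) for parent, labels in hits.items()}


def suspicious_parents(events, min_labels: int = 2):
    """Parents whose children cover at least min_labels distinct inhibitor types.
    A single vssadmin call can be a scheduled cleanup; several different inhibitors from
    one parent in quick succession is the ransomware pattern worth paging on."""
    return sorted(p for p, labels in find_inhibitors(events).items() if len(labels) >= min_labels)


# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Users\Public\1.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c vssadmin delete shadows /all /quiet & wbadmin delete catalog -quiet"},
    {"parent_image": r"C:\Users\Public\1.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures "
                     "& bcdedit /set {default} recoveryenabled no"},
    # A scheduled cleanup job: one inhibitor type only, so it stays below the threshold.
    {"parent_image": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin delete shadows /for=D: /oldest /quiet"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for parent, labels in find_inhibitors(SAMPLE_EVENTS).items():
        print(parent, labels)
    print("alert on:", suspicious_parents(SAMPLE_EVENTS))
```

Grouping by parent rather than by process image is deliberate: the ransomware runs these through cmd.exe, so the interesting key is the unsigned executable one level up, not cmd.exe or vssadmin.exe.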

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These delivery methods let attackers steal information from the victim and encrypt data by running the Trojan or other malware. The range of affected files is wide: documents, PDF and text files, databases, photos and videos, archives and so on, on internal as well as external drives. Phobos also removes shadow copies and backups so that files cannot be restored without the key.
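Of the delivery methods listed above, poorly secured RDP is the one the page singles out as the main path Phobos operators take, and it leaves a clear trace in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, followed by a success (Event ID 4624). The following Python is an added example, not code from the page or from ANY.RUN, that runs that detection over constructed event records. The field names are simplified from the real event schema and the threshold and window are illustrative choices.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = "10"  # RemoteInteractive (RDP) in Windows Security events


def detect_rdp_bruteforce(events, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Sliding-window brute-force detector over RDP logon events.

    events: dicts with 'time' (ISO 8601), 'event_id' (4624 success / 4625 failure),
            'logon_type', 'ip' and 'user'.
    Returns {'bruteforce': {ip: time the threshold was first reached},
             'success_after_bruteforce': [(ip, user, time), ...]}.
    A success from a source that was already flagged is the likely compromise."""
    failures = defaultdict(deque)
    flagged = {}
    compromised = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue  # console and network logons are out of scope here
        t = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append(t)
            while q and t - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ev["time"]
        elif ev["event_id"] == 4624 and ip in flagged:
            compromised.append((ip, ev["user"], ev["time"]))
    return {"bruteforce": flagged, "success_after_bruteforce": compromised}


# Constructed sample (not real telemetry): one password-spraying source that eventually
# succeeds, one user who mistypes a password twice, and an unrelated console logon.
SAMPLE_LOGONS = [
    {"time": "2021-09-17T03:14:00", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "admin"},
    {"time": "2021-09-17T03:14:20", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-09-17T03:14:40", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "backup"},
    {"time": "2021-09-17T03:15:00", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "scanner"},
    {"time": "2021-09-17T03:15:20", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-09-17T03:15:40", "event_id": 4625, "logon_type": "10", "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-09-17T03:16:30", "event_id": 4624, "logon_type": "10", "ip": "203.0.113.7", "user": "administrator"},
    {"time": "2021-09-17T08:02:10", "event_id": 4625, "logon_type": "10", "ip": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-09-17T08:02:25", "event_id": 4625, "logon_type": "10", "ip": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-09-17T08:02:50", "event_id": 4624, "logon_type": "10", "ip": "198.51.100.4", "user": "jdoe"},
    {"time": "2021-09-17T09:00:00", "event_id": 4624, "logon_type": "2", "ip": "-", "user": "jdoe"},
]

if __name__ == "__main__":
    result = detect_rdp_bruteforce(SAMPLE_LOGONS)
    print("brute-force sources:", result["bruteforce"])
    print("successful logons after brute force:", result["success_after_bruteforce"])
```

Keying on the source address rather than the target account catches spraying across many usernames, which is what the sample shows; a per-account lockout policy alone would not trip on it.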

Conclusion

Phobos is not a new type of ransomware and has clear similarities to Dharma. Criminals who use it do not need to be qualified specialists. Nevertheless, the ransomware keeps evolving, its attacks are effective, and it has many ways of getting onto a device. That is why Phobos can be a serious threat to organizations.

IOCs

IP addresses

No IP addresses found

Hashes
e5f87d0d632c9d9e5891397d35b0b412e6c52b1469a0bceebd5399fd112bafd3
a4c7517fe4548f71f2f2e6848100d638c3bd7d03fa225ca598a03824b7575fd1
fa2067931c6ab5b373813865d4882a69f9a7a7f1e095e5595f4a9debc632f1dd
6e050326ba0ab9b7fa43935843a68d5474f7627bf968773f9ebe5f1fe0d84892
0572a3c0e86109bab8a29809971973c4617f039c636cc42c719507f487935e36
a45cb14bc1a3c2e00a9d52fe2e12d28bb49ee8e7d5790134e429188cc894c0b7
43e33028a0a27a61ba859b06b3dc3b4415a484b143e8c3989cbc299774e4d3b2
dce79399a715f77b8963a549b88ed1d92929b6876cf31b373c24177720f134ba
25e3689f86ed1836778f07977f0d4b491b8d6976218a4d9c3f4c45257d8a7004
7266f39f5755bf3838cfc77e40af1b3ff1a963e95ec6b5bea35e7ddb7202697b
85b38382088fc0e405b985f48e6b86d63db4f6b72efcef954714691ad75b5224
3554bca8180defc839520e761bd0f76164a5723b22327624cfe5ad2cb1eb31af
a99cde4467e750e6d5f95b8395f18f5fdc308cff2b120563cb822aec488891d8
9eee735d0356a4d8263b9e2408e8028d6266151f5b07ac3432fb66abb43cf3fa
a9f4b3276b860a2cbe00ad01f9de8d480fae9201ad95ff9fa4570836d8d244d8
0967716381ee2475bdc1259ce9c61c04017a2decaaa009558907c89d82920f4c
054b0098560bb32c3644d3bc428458e6ccf7b2fc5828819ea05443ea5acb68ac
4c83502255414200d5b0d285ab63573e6f3a4b9046372dbdacf39a9d9105ef3f
583b282e1beab23f824dd2a90767af71c7cbd60c27644efd7d0457ada842bd00
a1b00525fdc41d17881e73d02a8725a9a59d5551518f40344634a8a1143751fd
Domains

No domains found
