Phobos

Phobos is ransomware that locks or encrypts files and demands a ransom for their release. It encrypts files with AES and appends various extensions to them, leaving victims no practical way to recover the files without the key.

Type: Ransomware
Origin: Unknown
First seen: 1 October, 2017
Last seen: 27 November, 2020
Global rank: 41
Week rank: 18
Month rank: 26
IOCs: 85

What is Phobos Ransomware?

Phobos ransomware encrypts data and withholds it until a ransom is paid. According to the latest research, 77% of Phobos attacks are successful. The malicious program was first recorded in the wild in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 as part of the Dharma family, also known as CrySIS. A year later Phobos developed further and spread rapidly. In 2019 it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 it was noted as one of the most common ransomware strains, with 9.70% of submissions. It constantly receives updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are exposed to the internet or weakly secured. The criminals then leave ransom notes asking the victim to contact one of the listed email addresses to obtain the decryption key.

Phobos attackers, exactly like Dharma ones, negotiate the ransom amount depending on the company. The ransom can reach 20,000 USD in Bitcoin. This is lower than typical ransomware demands because Phobos chooses small companies as victims. Sometimes the criminals do not hand over the decryption key even after payment.

The malicious program encrypts data using AES and appends extensions such as .phobos, .phoenix, .actin, .help and .mamba to the affected files. These files can be fully or partially encrypted.
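A responder triaging a host usually wants to know which files were touched, and the page's remark that files may be only partially encrypted matters here: a whole-file entropy check can miss a file whose tail is still plaintext. The following is an added example, not code from the page or from ANY.RUN; it flags files that carry one of the extensions listed above and files whose first 4 KB look encrypted even when they have not been renamed. The directory, file names and contents are constructed for the example, and the choice to inspect only the file head is an assumption.

```python
"""Triage helper for a host suspected of Phobos infection: flag files that carry
one of the extensions the page lists, and files whose leading bytes look
encrypted even if they have not been renamed. Added example, not code from the
page or from ANY.RUN."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions the page names as appended by Phobos to encrypted files.
PHOBOS_EXTENSIONS = {".phobos", ".phoenix", ".actin", ".help", ".mamba"}

# Only the first block of each file is examined: the page says files may be
# encrypted only partially, so whole-file entropy could stay low. Inspecting the
# head (assumption: the part most likely to be overwritten) keeps the check cheap.
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.0  # bits per byte; AES output or compressed data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def has_phobos_extension(path) -> bool:
    return Path(path).suffix.lower() in PHOBOS_EXTENSIONS


def looks_encrypted(path) -> bool:
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    return shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage_directory(root):
    """Return {relative_path: [reasons]} for every suspicious file under root."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            if has_phobos_extension(path):
                reasons.append("phobos-extension")
            if looks_encrypted(path):
                reasons.append("high-entropy-head")
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings


def build_sample_tree():
    """Constructed sample data: a temp directory with three representative files."""
    root = tempfile.mkdtemp(prefix="phobos-triage-")
    # untouched plaintext document: should not be flagged
    Path(root, "notes.txt").write_bytes(b"quarterly report draft\n" * 200)
    # renamed and fully encrypted (random bytes stand in for AES ciphertext)
    Path(root, "report.docx.phobos").write_bytes(os.urandom(8192))
    # partially encrypted: encrypted head, plaintext tail, not renamed yet
    Path(root, "ledger.xlsx").write_bytes(os.urandom(4096) + b"A" * 8192)
    return root


if __name__ == "__main__":
    for rel, why in sorted(triage_directory(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(why)}")
```

The entropy heuristic will also flag legitimately compressed or encrypted files (archives, images, password-protected documents), so in practice the two signals are best read together: a known extension plus a high-entropy head is strong evidence, a high-entropy head alone is a lead to confirm against the file type.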

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware as a RaaS package, so even without deep technical knowledge they can build their own strain and organize an attack on a chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

Figure 1: Graph of processes created by Phobos, as shown by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is relatively typical for this type of malware. The executable makes its way onto the system and runs, and the main malicious activity begins. Soon after execution starts, the ransomware deletes shadow copies. Interestingly, as soon as it has encrypted all targeted files, Phobos pops up a ransom note on the desktop in a window opened by the ransomware executable itself.
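The shadow-copy deletion described above is the step defenders can most reliably catch before encryption completes, because it shows up as an ordinary process-creation event. The following is an added example, not code from the page or from ANY.RUN: it parses constructed process-creation records in a flattened key=value form resembling Sysmon Event ID 1 and raises an alert when the command line matches a recovery-tampering pattern. The page only says that Phobos deletes shadow copies; the specific command lines in the rules are assumptions taken from general ransomware tradecraft (MITRE ATT&CK T1490), and the file paths, parent process and event lines are all made up for the example.

```python
"""Detection helper: spot shadow-copy and recovery tampering in process-creation
events, the step the page describes Phobos taking before encryption. Added
example, not code from the page or from ANY.RUN."""
import re

# The page only says Phobos "deletes shadow copies". The command lines below are
# assumptions drawn from general ransomware tradecraft (MITRE ATT&CK T1490,
# Inhibit System Recovery), not something the page attributes to Phobos.
INHIBIT_RECOVERY_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
]

# Constructed sample events in a flattened key=value form resembling Sysmon
# process-creation (EventID 1) records; the paths and the parent process are
# made up for this example.
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet" ParentImage="C:\Users\victim\Downloads\invoice.exe"',
    r'EventID=1 Image="C:\Windows\System32\wbem\WMIC.exe" CommandLine="wmic shadowcopy delete" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventID=3 Image="C:\Users\victim\Downloads\invoice.exe" DestinationIp=192.0.2.10 DestinationPort=443',
    r'EventID=1 Image="C:\Windows\System32\bcdedit.exe" CommandLine="bcdedit /set {default} recoveryenabled No" ParentImage="C:\Windows\System32\cmd.exe"',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _KV.finditer(line)}


def detect_inhibit_recovery(lines):
    """Return one alert per process-creation event whose command line matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # only process-creation events
            continue
        cmd = ev.get("CommandLine", "")
        parent = ev.get("ParentImage", "")
        for rule, pattern in INHIBIT_RECOVERY_RULES:
            if pattern.search(cmd):
                alerts.append({
                    "rule": rule,
                    "command": cmd,
                    "parent": parent,
                    # a parent outside C:\Windows (e.g. a download) raises suspicion
                    "parent_outside_windows": not parent.lower().startswith("c:\\windows\\"),
                })
                break
    return alerts


if __name__ == "__main__":
    for a in detect_inhibit_recovery(SAMPLE_EVENTS):
        print(f'{a["rule"]:28} parent={a["parent"]} external_parent={a["parent_outside_windows"]}')
```

Note that a read-only command such as `vssadmin list shadows` is deliberately not matched, and that the parent process is recorded with each alert: administrators do occasionally delete shadow copies from a console, whereas a deletion launched from a file in a user's Downloads folder is the pattern worth paging someone for.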

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods let attackers steal the victim's information and encrypt the data by running a Trojan or other malware. The range of affected files is wide: documents, PDF and text files, databases, photos and videos, archives, and so on, located in both internal and external folders. Phobos also removes the files' shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware; moreover, it has clear similarities to Dharma. Criminals who use Phobos need not be qualified specialists. Nevertheless, the ransomware keeps evolving and its attacks are effective. It has many ways to get onto a device and demand a ransom, which is why Phobos can be a serious threat to organizations.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
