Phobos

Phobos is ransomware that encrypts files and demands a ransom for their return. It encrypts with AES and appends one of several extensions to each file; without the attackers' key, the encrypted files cannot be recovered.

Type: Ransomware
Origin: Unknown
First seen: 1 October, 2017
Last seen: 26 January, 2022
Global rank: 37
Week rank: 26
Month rank: 31
IOCs: 219

What is Phobos Ransomware?

Phobos Ransomware encrypts data and withholds it until a ransom is paid. According to the latest research, 77% of Phobos attacks succeed. The malware was first recorded in the wild in October 2017.

General description of Phobos Ransomware

Phobos appeared in 2017 as a member of the Dharma family, also known as CrySIS. A year later it matured and spread rapidly: in 2019 it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 it was among the most common ransomware strains with 9.70% of submissions. It is constantly updated, and new versions keep appearing.

The ransomware targets organizations all over the world. Its operators compromise RDP servers that are exposed to the internet or protected by weak credentials, deploy the ransomware, and leave ransom notes asking the victim to contact one of the listed email addresses to obtain the decryption key.

Like Dharma operators, Phobos attackers negotiate the ransom amount depending on the company. Demands can reach 20,000 USD in Bitcoin, lower than typical ransomware demands because Phobos tends to pick small companies as victims. Even after payment, the criminals sometimes do not hand over the decryption key.

The malware encrypts data with AES and appends extensions such as .phobos, .phoenix, .actin, .help and .mamba to the affected files. Files may be fully or only partially encrypted.
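The two observable traits just described, an appended extension and ciphertext in the file body, are what an incident responder uses to separate encrypted files from files that were merely renamed. The following triage helper is an added example written for this page; it is not ANY.RUN's code and not part of Phobos. It treats the five extensions named above as the watch list (a real list would be longer) and assumes that an encrypted region is at least 4 KiB long, so sampling the head, middle and tail of a file and keeping the highest Shannon entropy will expose partial encryption that a whole-file average would hide. The sample files are constructed in memory; the random bytes stand in for AES output.

```python
"""Triage helper for Phobos-style encrypted files (added example, not from the page).

Two signals: (1) the final suffix is one of the extensions the text lists,
(2) at least one sampled region of the file looks like ciphertext (entropy
close to 8 bits/byte).  Combining them distinguishes truly encrypted files
from decoys or renamed-but-readable files.
"""
import math
import random
from collections import Counter

# Extensions named in the text; a production watch list would be longer (assumption).
PHOBOS_EXTENSIONS = {".phobos", ".phoenix", ".actin", ".help", ".mamba"}
CHUNK = 4096          # bytes per sampled region (assumption: encrypted region >= CHUNK)
HIGH_ENTROPY = 7.0    # bits/byte; ciphertext sits near 8.0, office/text files well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_chunk_entropy(data: bytes, chunk: int = CHUNK) -> float:
    """Highest entropy among the head, middle and tail regions.

    Partial encryption leaves most bytes untouched, so a whole-file average
    would stay low; taking the maximum over several regions catches a
    ciphertext block wherever it sits.
    """
    if len(data) <= chunk:
        return shannon_entropy(data)
    mid = (len(data) - chunk) // 2
    regions = (data[:chunk], data[mid:mid + chunk], data[-chunk:])
    return max(shannon_entropy(r) for r in regions)


def has_phobos_extension(filename: str) -> bool:
    """True when the final suffix is one of the watched extensions."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in PHOBOS_EXTENSIONS


def classify(filename: str, data: bytes) -> str:
    """Combine the two signals into one verdict."""
    ext_hit = has_phobos_extension(filename)
    entropy = max_chunk_entropy(data)
    if ext_hit and entropy >= HIGH_ENTROPY:
        return "encrypted"        # renamed and the content is ciphertext
    if ext_hit:
        return "renamed-only"     # extension appended but content still readable
    if entropy >= HIGH_ENTROPY:
        return "high-entropy"     # compressed or encrypted for some other reason
    return "clean"


# Constructed sample files (not real Phobos artefacts).
_rng = random.Random(2017)
_TEXT = b"Quarterly report: revenue up 4%, headcount flat.\n" * 400   # ~19 KiB plaintext
_CIPHER = _rng.randbytes(16 * 1024)                                   # stand-in for AES output

SAMPLES = {
    "report.docx": _TEXT,                            # untouched document
    "report.docx.phobos": _CIPHER,                   # fully encrypted
    "budget.xlsx.mamba": _CIPHER[:8192] + _TEXT,     # only the head was encrypted
    "notes.txt.help": _TEXT,                         # extension appended, content intact
}


def triage(samples: dict = SAMPLES) -> dict:
    """Map each sample filename to its verdict."""
    return {name: classify(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:24s} {verdict}")
```

The entropy threshold is deliberately conservative: archives, images and already-encrypted containers also score near 8 bits/byte, which is why the extension signal is required before a file is called "encrypted" rather than merely "high-entropy".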

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy the malware as a RaaS package, so even without deep technical knowledge they can build their own strain and launch an attack on a chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is relatively typical for ransomware and resembles that of Troldesh. The executable reaches the system and runs, and the main malicious activity begins: first the ransomware deletes the volume shadow copies, then it encrypts the targeted files. Interestingly, as soon as encryption is complete, a ransom note pops up on the desktop, and the window that shows it belongs to the ransomware executable itself.
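The shadow-copy deletion step is the earliest point in that chain where an endpoint sensor can stop the damage, because it happens before encryption starts. The detection below is an added example written for this page, not ANY.RUN's code and not derived from a Phobos sample. The page only states that Phobos deletes shadow copies; the four command lines matched here (vssadmin, wmic, bcdedit, wbadmin) are the usual ways ransomware wipes Volume Shadow Copies and disables Windows recovery, so applying all four to Phobos is an assumption. The process-creation records are constructed in a simple pipe-separated form (timestamp|parent PID|image|command line) rather than taken from a real log.

```python
"""Detect recovery-inhibiting commands in process-creation records (added example).

A single `vssadmin delete shadows` is already worth an alert in most
environments; correlating several distinct recovery-killing commands from
the same parent process within a short window separates a ransomware run
from a scheduled backup job that rotates old copies.
"""
import re
from collections import defaultdict
from typing import NamedTuple


class ProcEvent(NamedTuple):
    ts: int            # seconds since epoch (constructed values)
    parent_pid: int    # PID of the process that spawned this one
    image: str         # full path of the executable
    cmdline: str       # command line as logged


# (rule name, regex applied to the lower-cased command line)
INHIBIT_RECOVERY_RULES = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("bcdedit disable recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin delete catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b")),
]


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule whose pattern appears in the command line."""
    lowered = cmdline.lower()
    return [name for name, rx in INHIBIT_RECOVERY_RULES if rx.search(lowered)]


def parse_line(line: str) -> ProcEvent:
    """Parse one 'ts|parent_pid|image|cmdline' record (constructed format)."""
    ts, ppid, image, cmdline = line.split("|", 3)
    return ProcEvent(int(ts), int(ppid), image, cmdline)


def detect(lines, window: int = 60, min_hits: int = 2) -> dict[int, list[str]]:
    """Return {parent_pid: sorted rule names} for parents that triggered at
    least `min_hits` distinct rules within `window` seconds."""
    hits: dict[int, list[tuple[int, str]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        for rule in match_rules(ev.cmdline):
            hits[ev.parent_pid].append((ev.ts, rule))

    alerts: dict[int, list[str]] = {}
    for ppid, entries in hits.items():
        entries.sort()
        for i, (t0, _) in enumerate(entries):
            rules = {r for t, r in entries[i:] if t - t0 <= window}
            if len(rules) >= min_hits:
                alerts[ppid] = sorted(rules)
                break
    return alerts


# Constructed records: an admin inventory (benign), a ransomware-style burst
# from one parent, and a lone deletion by a backup job.
SAMPLE_LOG = [
    "1700000000|4120|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows",
    "1700000300|5588|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet",
    "1700000301|5588|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete",
    "1700000302|5588|C:\\Windows\\System32\\bcdedit.exe|bcdedit /set {default} recoveryenabled no",
    "1700000303|5588|C:\\Windows\\System32\\wbadmin.exe|wbadmin delete catalog -quiet",
    "1700009000|7012|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /for=D: /oldest",
]

if __name__ == "__main__":
    for ppid, rules in detect(SAMPLE_LOG).items():
        print(f"parent {ppid}: {', '.join(rules)}")
```

With the default threshold only the burst from parent 5588 is reported; lowering min_hits to 1 also surfaces the lone deletion by 7012, which is the noisier but safer setting when no backup job is expected to run vssadmin at all.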

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods give attackers a foothold from which a Trojan or other loader steals the victim's information and runs the ransomware to encrypt the data. The range of affected files is huge: documents, PDF and text files, databases, photos and videos, archives and so on, located on internal and external drives alike. Phobos also deletes the files' shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware; it shares much with Dharma. Criminals who use it do not need to be qualified specialists. Nevertheless, the ransomware keeps evolving, and its attacks are effective. It has many ways of getting onto a device to extort a ransom, which is why Phobos is a serious threat to organizations.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
