Phobos

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Type
Ransomware
Origin
Unknown
First seen
1 October, 2017
Last seen
26 January, 2023
Global rank
42
Week rank
29
Month rank
28
IOCs
380

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 in Dharma, also known as the CrySIS, family. A year later Phobos developed and spread rapidly. In 2019, it accounted for 8.9% of the submitted ransomware attacks. The First-quarter of 2020 showed that the Phobos strain was noted as one of the most common ransomware with 9.70% of submissions. It constantly gets updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are open or have weak security. Then cyber criminals send ransom notes, where the victim is asked to contact one of the emails to get the decryption key.

Phobos attackers exactly like Dharma ones can discuss ransom amounts depending on the company. The Ransom amount can reach 20,000 USD in Bitcoin. It is lower than usual ransomware demands because Phobos chooses small companies as victims. And sometimes cybercriminals don’t give up the decryption key even after the payment.

The malicious program uses encrypt data using AES and adds extensions to infected files such as .phobos, .phoenix, .actin, .help, .mamba and others. These files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

phobos ransomware process graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

phobos ransom note

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of the Phobos ransomware is relatively typical for this type of malware such as Troldesh. The executable file makes its way into an infected system and runs, then the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. Interestingly though, as soon as it encrypts all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers to steal victims’ information and encrypt the data by running Trojan or other malware. And a variety of the infected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located both in internal and external folders. Phobos gets rid of files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware, moreover, it has some similarities to Dharma. There is no need for criminals who use Phobos to be qualified specialists. Nevertheless, this ransomware always evolves, and its attacks are effective. It has a lot of ways to get into your device to get a ransom. That is why Phobos can be a serious threat to organizations.

IOCs

IP addresses

No IP adresses found

Hashes
7c2a9bae3bbdc9e38516754d76a192d6a3ce37849c06a8a8d3b06fb7f75916c1
7d9c97a133997396b0625a5d2b762fb8b333f5152d4dd893c7a463cc41372ab5
cc43fc18d6d1dc662ad747652cd961152ee13dbf2cea9bf75564f3e2e8ffd2e8
d50b23e12c661bb78fa3cb317e679fabc4178600048572368bec173a520e4aaf
71b46e95fba31267475537a338f49ce1cd0bc56c0f15346b05b673051cbe90a8
5a96b929383817aa298eec8cca019bcd984fcd71dd8ee353541392c1082756a4
b54d6dc708eade0818fcf91e59c7dbe37267abbe43a1672fb5f1c126e021ad7d
aeae9f524a881e67bb62cf15fc67dc36a5a751f91a849a1d546f618104a33191
0c0c9a19db1f89d94ddcd8af54fa631798e3ccc82743faae6d9818759f2dbcc1
31abbe40aaca118988dc836309552f53decfbdd47fe7df338d7fb87b1ef4268e
bc3b5ef9b1dc2f1b6a23b138c4c7b047479d98dfbdf216097c08a68c2f771732
4ae6519e0d6a7aaf9b684497763257e3a752ef0b31b4ba31afb9aecd1af59d9a
f4db61bb14a7af406c9cfc33075c6f74ab711bedf1e1fd6edc4f524bd304c1b6
e165b3e962a2916ed4693993f1911c04b18fcbf7fbdaa824d0e57449da4e4099
c8d9a9758516d5a8936bd3bc01a9997fb677ed1dc54081caa985883935ff092b
883162246c3d0a2c10e5c35a2a43ff444a24dbcf9e64dc5cc09009b9cd0ab48e
231bba5652f6fbdbab3016362fb7925fc4e4489fff5e6a4a98c37fba5bd0cfe9
e63bfc04792f9f4b921ef182b83f03a5212f061a7c7d8cfe3c51f4fbc0032cba
928aca01498ca60e1dd3e263c462f3a04ef49b91d94b566293e8edfbc54fcf13
9159208a7e61698ef8b5982e6fe349ef1eb41bc13250f37a80a17dba62d6050a
Domains

No hashes found

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
Ave Maria screenshot
Ave Maria
avemaria stealer trojan rat
Ave Maria malware is a Remote Access Trojan that is also called WARZONE RAT. Hackers use it to control the PCs of their victims remotely and steal information from infected PCs. For example, they can remotely activate the camera to take pictures of a victim and send them to a control server.
Read More
Azorult screenshot
Azorult
azorult trojan rat
AZORult can steal banking information, including passwords and credit card details, as well as cryptocurrency. This constantly updated information stealer malware should not be taken lightly, as it continues to be an active threat.
Read More
Cobalt Strike screenshot
Cobalt Strike
cobaltstrike
Cobalt Strike is a legitimate penetration software toolkit developed by Forta. But its cracked versions are widely adopted by bad actors, who use it as a C2 system of choice for targeted attacks.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy