BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
50
Global rank
28 infographic chevron month
Month rank
28 infographic chevron week
Week rank
229
IOCs

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Ransomware
Type
Unknown
Origin
1 October, 2017
First seen
22 May, 2024
Last seen

How to analyze Phobos with ANY.RUN

Type
Unknown
Origin
1 October, 2017
First seen
22 May, 2024
Last seen

IOCs

IP addresses
45.138.48.20
185.202.0.111
45.9.74.14
147.78.47.224
Hashes
61c37de4578d08f21a33252ee643c7bb9f542e2a3b5aa10f031b842abfb3ae46
60a529bf654e30d391cf60e30a2b3aece6dc1b6f79899f117a1be4e61b2fc206
76258eafda16daf2ebd66bdd981d5392b0c0e1a8f8fd7a60b32276fbd77261d4
7fb694fdc0c631f0c7de4cac710103449af7190297fb414e6fa2efab0aed9c1d
d3565f751197a40d3f16180bc4b405b546e51503b2474ab15145276ceba2f202
3d4a18a66658bdae299d2334de4043b54cb6ae06f776362831eba6669e9a962b
4f22872aadfcd5450d9d736570b05d0046c13d1b436ab9d9a00d9566eeff447c
0385dd2419adf0fe1a1e5d5ed28aaecbceb1411010fb06a1b0798d84eca4732e
af2b17869af01c416477cf5c2b415cbdc207a991bef97771ae8e5c9b6d92823d
8642770995c3663ff3b46a3f8c946d38d475c0a2373c281aca3fae221c430ed5
883162246c3d0a2c10e5c35a2a43ff444a24dbcf9e64dc5cc09009b9cd0ab48e
07e5886e2df0e1477b1ecfcf6fde158aa72ee4a689240db6b8d71e676109d9a9
f08472dce8f14d5eac38c530b6d467e01150cc68deddc5eb238f672578f88c98
76d3664a3b7dcc4f14970c0d5f1faf8cbf5ea40eeb1f673fc438bafcc54adb21
30999d295aa681d2b6b7ca9f05c0d15b22e76d9772bc6ddf734e83c5b3f5ef2b
31450fa09f5f23ead382c30a55238d2d705a817f32a84e6f66baafd0c1eca939
39802aee5a7eeccf481f0edd551b96e6aa545cf1a4e24a14b07d963733e470af
782d18b840c4ea06c51b9dfae728ddd918f38abbb98583c0ac5eb637b0127d8a
7a4d0bec3b440dbd2e8fe06c28a339229b6d20857e0b6d73f17db80e68ad7584
05eb6a100b33f2bcf48a1acaa989b96de246d09e6e8526de83a622ebe575d25f
Domains
wlaexfpxrs.org
Last Seen at

Recent blog posts

post image
ANY.RUN attends Osintomático 2024
watchers 54
comments 0
post image
Windows 11 UAC Bypass in Modern Malware
watchers 768
comments 0
post image
New Hijack Loader Variant: Uses Process Hollo...
watchers 573
comments 0

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 in Dharma, also known as the CrySIS, family. A year later Phobos developed and spread rapidly. In 2019, it accounted for 8.9% of the submitted ransomware attacks. The First-quarter of 2020 showed that the Phobos strain was noted as one of the most common ransomware with 9.70% of submissions. It constantly gets updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are open or have weak security. Then cyber criminals send ransom notes, where the victim is asked to contact one of the emails to get the decryption key.

Phobos attackers exactly like Dharma ones can discuss ransom amounts depending on the company. The Ransom amount can reach 20,000 USD in Bitcoin. It is lower than usual ransomware demands because Phobos chooses small companies as victims. And sometimes cybercriminals don’t give up the decryption key even after the payment.

The malicious program uses encrypt data using AES and adds extensions to infected files such as .phobos, .phoenix, .actin, .help, .mamba and others. These files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

phobos ransomware process graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

phobos ransom note

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of the Phobos ransomware is relatively typical for this type of malware such as Troldesh. The executable file makes its way into an infected system and runs, then the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. Interestingly though, as soon as it encrypts all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers to steal victims’ information and encrypt the data by running Trojan or other malware. And a variety of the infected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located both in internal and external folders. Phobos gets rid of files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware, moreover, it has some similarities to Dharma. There is no need for criminals who use Phobos to be qualified specialists. Nevertheless, this ransomware always evolves, and its attacks are effective. It has a lot of ways to get into your device to get a ransom. That is why Phobos can be a serious threat to organizations.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More

Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy