BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details
50
Global rank
28 infographic chevron month
Month rank
70 infographic chevron week
Week rank
0
IOCs

Phobos is a ransomware that locks or encrypts files to demand a ransom. It uses AES encryption with different extensions, which leaves no chance to recover the infected files.

Ransomware
Type
Unknown
Origin
1 October, 2017
First seen
11 September, 2024
Last seen

How to analyze Phobos with ANY.RUN

Type
Unknown
Origin
1 October, 2017
First seen
11 September, 2024
Last seen

IOCs

IP addresses
45.138.48.20
45.9.74.14
147.78.47.224
Hashes
61c37de4578d08f21a33252ee643c7bb9f542e2a3b5aa10f031b842abfb3ae46
f9de0d6af30204954b78f10500990e1b9c149a1d4376b082052af542168c587e
60a529bf654e30d391cf60e30a2b3aece6dc1b6f79899f117a1be4e61b2fc206
d3565f751197a40d3f16180bc4b405b546e51503b2474ab15145276ceba2f202
4f22872aadfcd5450d9d736570b05d0046c13d1b436ab9d9a00d9566eeff447c
c34a3f67d915a76e6346ddba93d47c56f8b79f84d9ce550eea127c67e9330403
8642770995c3663ff3b46a3f8c946d38d475c0a2373c281aca3fae221c430ed5
883162246c3d0a2c10e5c35a2a43ff444a24dbcf9e64dc5cc09009b9cd0ab48e
942d089998dd35902c034a489b4ee7d45d450ba89a552f4d83b73eb8b9f44d5e
80f8b5688126db9f1b410e922da7307df0668988bcf477d9d99eab04960bac13
07e5886e2df0e1477b1ecfcf6fde158aa72ee4a689240db6b8d71e676109d9a9
f08472dce8f14d5eac38c530b6d467e01150cc68deddc5eb238f672578f88c98
30999d295aa681d2b6b7ca9f05c0d15b22e76d9772bc6ddf734e83c5b3f5ef2b
8b3c99d319fbfc24bd2d1836c852cc70b71dfac450e5243ef463aeaa92dc836c
31450fa09f5f23ead382c30a55238d2d705a817f32a84e6f66baafd0c1eca939
00ad311a7ef556af6c73a9d21c1e5d1ed7a48fe132f4849b6963f3381e02fdc4
39802aee5a7eeccf481f0edd551b96e6aa545cf1a4e24a14b07d963733e470af
7a4d0bec3b440dbd2e8fe06c28a339229b6d20857e0b6d73f17db80e68ad7584
4d30670f6311dc373dcbfb5bd93cf1621b1d6c425c8c9a95dc0a1317d0bdf648
05eb6a100b33f2bcf48a1acaa989b96de246d09e6e8526de83a622ebe575d25f
Domains
wlaexfpxrs.org
Last Seen at

Recent blog posts

post image
ANY.RUN Now Integrates with Splunk!
watchers 316
comments 0
post image
How to Analyze Malware in ANY.RUN Sandbox: Er...
watchers 365
comments 0
post image
Security Training Lab: Educational Program fo...
watchers 1162
comments 0

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 in Dharma, also known as the CrySIS, family. A year later Phobos developed and spread rapidly. In 2019, it accounted for 8.9% of the submitted ransomware attacks. The First-quarter of 2020 showed that the Phobos strain was noted as one of the most common ransomware with 9.70% of submissions. It constantly gets updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are open or have weak security. Then cyber criminals send ransom notes, where the victim is asked to contact one of the emails to get the decryption key.

Phobos attackers exactly like Dharma ones can discuss ransom amounts depending on the company. The Ransom amount can reach 20,000 USD in Bitcoin. It is lower than usual ransomware demands because Phobos chooses small companies as victims. And sometimes cybercriminals don’t give up the decryption key even after the payment.

The malicious program uses encrypt data using AES and adds extensions to infected files such as .phobos, .phoenix, .actin, .help, .mamba and others. These files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

phobos ransomware process graph

Figure 1: Shows the graph of processes created by the ANY.RUN interactive malware analysis service

phobos ransom note

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of the Phobos ransomware is relatively typical for this type of malware such as Troldesh. The executable file makes its way into an infected system and runs, then the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. Interestingly though, as soon as it encrypts all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers to steal victims’ information and encrypt the data by running Trojan or other malware. And a variety of the infected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located both in internal and external folders. Phobos gets rid of files’ shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware, moreover, it has some similarities to Dharma. There is no need for criminals who use Phobos to be qualified specialists. Nevertheless, this ransomware always evolves, and its attacks are effective. It has a lot of ways to get into your device to get a ransom. That is why Phobos can be a serious threat to organizations.

HAVE A LOOK AT

Adwind screenshot
Adwind
adwind trojan
Adwind RAT, sometimes also called Unrecom, Sockrat, Frutas, jRat, and JSocket, is a Malware As A Service Remote Access Trojan that attackers can use to collect information from infected machines. It was one of the most popular RATs in the market in 2015.
Read More
Agent Tesla screenshot
Agent Tesla
agenttesla trojan rat stealer
Agent Tesla is spyware that collects information about the actions of its victims by recording keystrokes and user interactions. It is falsely marketed as a legitimate software on the dedicated website where this malware is sold.
Read More
Amadey screenshot
Amadey
amadey
Amadey is a formidable Windows infostealer threat, characterized by its persistence mechanisms, modular design, and ability to execute various malicious tasks.
Read More
Arkei screenshot
Arkei
arkei stealer
Arkei is a stealer type malware capable of collecting passwords, autosaved forms, cryptocurrency wallet credentials, and files.
Read More
AsyncRAT screenshot
AsyncRAT
asyncrat
AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions.
Read More
WarZone screenshot
WarZone
warzone avemaria stealer trojan rat
WarZone RAT is a remote access trojan, which is written in C++ and offered as a malware-as-a-service. It packs a wide range of capabilities, from stealing victims’ files and passwords to capturing desktop activities. WarZone RAT is primarily distributed via phishing emails and receives regular updates from its C2.
Read More