Phobos

Phobos is ransomware that encrypts files and demands a ransom for the decryption key. It uses AES encryption and appends various extensions to the encrypted files, leaving no practical way to recover them without the key.

Type: Ransomware
Origin: Unknown
First seen: 1 October, 2017
Last seen: 19 June, 2021
Global rank: 41
Week rank: 18
Month rank: 26
IOCs: 149

What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. 77% of Phobos attacks are successful according to the latest research. This malicious program was recorded in the wild for the first time in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 as part of the Dharma (also known as CrySIS) family. A year later it developed and spread rapidly. In 2019, it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 it was noted as one of the most common ransomware strains with 9.70% of submissions. It constantly receives updates and new versions.

The ransomware targets organizations all over the world. Its operators compromise RDP servers that are exposed to the internet or poorly secured. After encryption, they leave ransom notes asking the victim to contact one of the listed email addresses to obtain the decryption key.

Phobos attackers, exactly like Dharma ones, negotiate ransom amounts depending on the company. The ransom can reach 20,000 USD in Bitcoin, which is lower than typical ransomware demands because Phobos targets small companies. Sometimes the criminals do not hand over the decryption key even after payment.

The malicious program encrypts data using AES and appends extensions such as .phobos, .phoenix, .actin, .help and .mamba to the encrypted files. Files may be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware in RaaS packages, so even without deep technical knowledge, they have an opportunity to design their own strain and organize an attack on the chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that displays the complete execution process of Phobos.

Figure 1: Graph of processes created by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is fairly typical for this type of malware. The executable reaches the infected system and runs, and the main malicious activity begins. Early in execution, the ransomware deletes shadow copies. Interestingly, as soon as it has encrypted all targeted files, Phobos pops up a ransom note on the desktop, which is the ransomware executable file itself.
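The two observable traits described on this page, shadow-copy deletion early in execution and files rewritten with extensions such as .phobos, .phoenix, .actin, .help or .mamba, can be turned into a simple host-level detection. The script below is an added example written for this page; it is not ANY.RUN's code and not part of the Phobos analysis itself. It parses a constructed `key=value` event log (not real Sysmon or ANY.RUN output), flags process creations whose command line deletes Volume Shadow Copies, counts file writes whose final extension matches the list above, and correlates the two: a process that writes several such files and has a child process removing shadow copies is reported as a suspect. The `vssadmin delete shadows` / `wmic shadowcopy delete` command patterns are an assumption of the example; the page only states that Phobos deletes shadow copies, not which tool it uses.

```python
import re
from collections import Counter

# Trailing extensions the page lists for Phobos-encrypted files. Only the final
# extension is checked, so any prefix in front of it still matches.
EXT_RE = re.compile(r"\.(phobos|phoenix|actin|help|mamba)$", re.IGNORECASE)

# Command lines typically used to remove Volume Shadow Copies on Windows.
# Assumption for this example: the page says Phobos deletes shadow copies but
# does not name the tool; these are the usual built-in commands for doing so.
SHADOW_DELETE_RE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)",
    re.IGNORECASE,
)

# One "key=value" pair; values may be double-quoted to allow spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (hypothetical pids, paths and commands).
SAMPLE_EVENTS = """\
event=ProcessCreate pid=1204 image=C:\\Windows\\System32\\svchost.exe cmd="svchost.exe -k netsvcs"
event=ProcessCreate pid=3310 image=C:\\Users\\victim\\AppData\\Local\\Temp\\update.exe cmd="update.exe"
event=ProcessCreate pid=3321 image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet" ppid=3310
event=FileCreate pid=3310 path=C:\\Users\\victim\\Documents\\report.docx.phobos
event=FileCreate pid=3310 path=C:\\Users\\victim\\Pictures\\holiday.jpg.actin
event=FileCreate pid=3310 path=C:\\Users\\victim\\Desktop\\notes.txt
event=FileCreate pid=3310 path=C:\\Users\\victim\\Desktop\\help.txt
event=FileCreate pid=3310 path=C:\\Users\\victim\\Desktop\\readme.pdf
event=ProcessCreate pid=3330 image=C:\\Windows\\System32\\wmic.exe cmd="wmic shadowcopy delete" ppid=3310
event=FileCreate pid=3310 path=D:\\share\\backup.zip.phobos
"""


def parse_event(line):
    """Parse one key=value event line into a dict of string fields."""
    return {key: (quoted or bare) for key, quoted, bare in KV_RE.findall(line)}


def analyze(events_text, min_encrypted=3):
    """Return shadow-copy deletions, per-pid Phobos-extension writes and
    the pids that show both behaviours (parent of a deleter + many writes)."""
    shadow_deleters = []          # (pid, ppid, cmd)
    encrypted_writes = Counter()  # pid -> number of files with a listed extension

    for line in events_text.splitlines():
        ev = parse_event(line)
        kind = ev.get("event")
        if kind == "ProcessCreate" and SHADOW_DELETE_RE.search(ev.get("cmd", "")):
            shadow_deleters.append((ev.get("pid"), ev.get("ppid"), ev.get("cmd")))
        elif kind == "FileCreate" and EXT_RE.search(ev.get("path", "")):
            encrypted_writes[ev.get("pid")] += 1

    # Correlation: a process that writes many renamed files and whose child
    # removes shadow copies matches the execution pattern described above.
    suspects = sorted(
        pid for pid, count in encrypted_writes.items()
        if count >= min_encrypted
        and any(ppid == pid for _, ppid, _ in shadow_deleters)
    )
    return {
        "shadow_copy_deletions": shadow_deleters,
        "encrypted_writes": dict(encrypted_writes),
        "suspects": suspects,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for pid, ppid, cmd in result["shadow_copy_deletions"]:
        print(f"[!] shadow-copy deletion by pid {pid} (parent {ppid}): {cmd}")
    for pid, count in result["encrypted_writes"].items():
        print(f"[!] pid {pid} wrote {count} file(s) with Phobos-style extensions")
    print("suspect pids:", result["suspects"])
```

On the constructed sample the two deletion commands are attributed to parent pid 3310, which also wrote three files with listed extensions, so 3310 is the only suspect; `help.txt` is deliberately included to show that the match is on the final extension only. In a real deployment the same two signals would be taken from Sysmon event IDs 1 and 11 or an EDR's process and file telemetry, and the `min_encrypted` threshold tuned to the environment.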

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods let attackers steal the victim's information and encrypt data by running a Trojan or other malware. The variety of affected files is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located in both internal and external folders. Phobos also removes shadow copies and backups of the files.

Conclusion

Phobos is not a new type of ransomware; moreover, it shares similarities with Dharma. Criminals who use Phobos do not need to be qualified specialists. Nevertheless, this ransomware keeps evolving, and its attacks are effective. It has many ways to get onto a device and extort a ransom, which is why Phobos can be a serious threat to organizations.

IOCs

IP addresses

No IP addresses found

Hashes

No hashes found
