
Phobos is ransomware that locks or encrypts files to demand a ransom. It uses AES encryption and appends various extensions to the encrypted files, leaving victims no chance of recovering them.

Type: Ransomware
Origin: Unknown
First seen: 1 October, 2017
Last seen: 1 December, 2023


What is Phobos Ransomware?

Phobos Ransomware encrypts data until a ransom is paid. According to the latest research, 77% of Phobos attacks are successful. The malicious program was first recorded in the wild in October 2017.

General description of Phobos Ransomware

Phobos ransomware appeared in 2017 as part of the Dharma (also known as CrySIS) family. A year later, Phobos matured and spread rapidly. In 2019 it accounted for 8.9% of submitted ransomware attacks, and in the first quarter of 2020 the Phobos strain was noted as one of the most common ransomware families, with 9.70% of submissions. It constantly receives updates and new versions.

The ransomware targets organizations all over the world. Phobos compromises RDP servers that are exposed or weakly secured. The criminals then drop ransom notes asking the victim to contact one of the listed email addresses to obtain the decryption key.

Like Dharma operators, Phobos attackers negotiate the ransom amount depending on the company. The ransom can reach 20,000 USD in Bitcoin, which is lower than typical ransomware demands because Phobos chooses small companies as victims. Sometimes the criminals do not hand over the decryption key even after payment.

The malware encrypts data using AES and appends extensions such as .phobos, .phoenix, .actin, .help and .mamba to infected files. Files can be fully or partially encrypted.

Phobos is named after the Greek god of fear, but there is nothing divine about it. Criminals buy this malware as a RaaS package, so even without deep technical knowledge they can build their own strain and organize an attack on a chosen victim.

Phobos malware analysis

The ANY.RUN malware hunting service features a video that shows the complete execution process of Phobos.

Figure 1: Graph of the processes created by Phobos, as shown by the ANY.RUN interactive malware analysis service

Figure 2: Phobos ransom note

Phobos Ransomware execution process

The execution process of Phobos is fairly typical for this type of malware and resembles that of Troldesh. The executable arrives on the target system and runs, after which the main malicious activity begins. Early in execution the ransomware deletes shadow copies. Interestingly, as soon as it has encrypted all targeted files, Phobos displays a ransom note on the desktop, which is the ransomware executable itself.
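As an added example (not ANY.RUN's code), the following defender-side detection logic covers the two behaviours described in this section and in the extension list above: deletion of shadow copies followed by a burst of file renames to Phobos extensions, run over constructed event lines. The exact shadow-copy command lines, the log format and the rename threshold are assumptions.

```python
import os
import re
from collections import Counter

# Extensions the page lists for Phobos variants (lower-case, with dot).
PHOBOS_EXTENSIONS = {".phobos", ".phoenix", ".actin", ".help", ".mamba"}

# Shadow-copy deletion command lines. These exact forms are an assumption
# (common Windows tooling), not something quoted from the page.
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

# Constructed sample event log, one event per line: <type>|<pid>|<details>.
SAMPLE_LOG = """\
proc|1001|C:\\Users\\u\\Downloads\\invoice.exe
proc|1002|cmd.exe /c vssadmin delete shadows /all /quiet
file_rename|1001|C:\\Users\\u\\Docs\\a.docx -> C:\\Users\\u\\Docs\\a.docx.phobos
file_rename|1001|C:\\Users\\u\\Docs\\b.xlsx -> C:\\Users\\u\\Docs\\b.xlsx.phobos
file_rename|1001|C:\\Users\\u\\Pics\\c.jpg -> C:\\Users\\u\\Pics\\c.jpg.phobos
file_rename|2000|C:\\Temp\\old.log -> C:\\Temp\\old.log.bak
"""


def analyze(log: str, rename_threshold: int = 3) -> dict:
    """Flag shadow-copy deletion and any process that renames at least
    rename_threshold files to a Phobos extension."""
    shadow_pids = set()
    renames = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        kind, pid, details = line.split("|", 2)
        if kind == "proc" and SHADOW_DELETE.search(details):
            shadow_pids.add(int(pid))
        elif kind == "file_rename":
            new_path = details.split(" -> ", 1)[1]
            if os.path.splitext(new_path)[1].lower() in PHOBOS_EXTENSIONS:
                renames[int(pid)] += 1
    encryptors = {p for p, n in renames.items() if n >= rename_threshold}
    return {
        "shadow_delete_pids": shadow_pids,
        "encryptor_pids": encryptors,
        # Both behaviours together match the Phobos execution chain above.
        "suspicious": bool(shadow_pids and encryptors),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```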

Phobos Ransomware distribution

Phobos has several ways to end up on your machine:

  • phishing emails with attachments
  • poorly secured RDP ports
  • fake updates
  • exploits
  • deceptive downloads
  • web injectors
  • repacked and infected installers

These distribution methods help attackers steal victims' information and encrypt their data by running a Trojan or other malware. The range of affected file types is huge: documents, PDF and text files, databases, photos and videos, archives, etc. They can be located in both internal and external folders. Phobos also gets rid of the files' shadow copies and backups.

Conclusion

Phobos is not a new type of ransomware; moreover, it has some similarities to Dharma. Criminals who use Phobos do not need to be qualified specialists. Nevertheless, this ransomware keeps evolving, and its attacks are effective. It has many ways to get onto your device and demand a ransom. That is why Phobos can be a serious threat to organizations.
