Phobos Ransomware: Everything You Need to Know and More - harlan4096 - 20 December 20
Quote:
Phobos Ransomware Emerged in December 2018. Here’s What You Need to Know About It.
Ransomware is an increasingly popular threat that cybercriminals weaponize for their own gain. Although some strains are incomparable, innovative even, others are six of one, half a dozen of the other. Phobos ransomware is an example of the latter category.
But while it might not be the most unique ransomware variant out there, Phobos can still lay waste to your system and scorch the earth behind it. In this article, I will attempt a deep dive into what Phobos ransomware is, how it spreads, and how you can protect your enterprise against it.
What is Phobos Ransomware?
First detected in December 2018, Phobos ransomware is yet another cyber-threat that mainly targets organizations. However, unlike other cybercrime gangs that practice big game hunting, the malicious actors behind Phobos typically target smaller enterprises with fewer means to pay large ransoms. Therefore, the average ransom demand from an attack averages $18,755.
As far as its genetic makeup goes, so to speak, Phobos ransomware is a heavily similar strain to the infamous Dharma variant. Experts regard the former as a highly similar version (some would go as far as to say rip-off) of the latter. What is more, according to Coveware, both Phobos and Dharma seem to be inspired by the larger CrySis ransomware family.
A. Phobos Ransom Note
The first similarity between the two strains to stand out is the ransom note. Phobos ransomware essentially deploys the same HTA file onto the infected computers as Dharma, the only difference being its branding slapped onto the top and bottom of the HTA file. See the image embedded below for an illustration of the ransom note, courtesy of ZDNet and Coveware.
On top of the HTA file, Phobos ransomware also drops a text document ransom note that is considerably shorter than its counterpart on the infected device. It reads as follows:
Quote:
!!! All of your files are encrypted !!!
To decrypt them send e-mail, to this address: [email address 1]
If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]
As you can notice by comparing the two, the latter does not contain relevant information such as the generated ID, nor is it that explicative in terms of demands.
This means that less tech-savvy victims might have to resort to doing their research if the TXT file is the only one they recognize.
Nevertheless, HTA files are actually not difficult to maneuver at all. An HTA file is executable and can be run from an HTML document. It contains hypertext code, as well as VBScript or JScript code readable by the Microsoft HTML Application Host. This means that you can easily open it in Microsoft's Internet Explorer or Edge browsers by double-clicking it if your device operates on Windows.
B. Phobos Ransomware Encryption
Phobos ransomware encrypts files on the infected device through AES-256 with RSA-1024 asymmetric encryption. Therefore, on top of the copied and pasted ransom note, it is worth noting that both Phobos and Dharma employ the same RSA algorithm. However, one notable difference is that Phobos operators implement it from Windows Crypto API, while the Dharma gang runs it from a third-party static library.
Furthermore, encrypted file names are created through the same process in both cases, namely by adjoining:
- the original file name,
- a unique ID number,
- the ransomware operator email,
- and the .phobos extension.
Therefore, if your data has been corrupted by it, your file names will read as follows:
[filename].[ID][email address 1].[added extension]
While the .phobos extension is the most logical visual cue to look for, you should also be aware that it might not always be the one present in the eventuality of an infection. In an article she penned for the Malwarebytes Labs blog, malware intelligence analyst Jovi Umawing identified over 50 other file extensions used by the ransomware operators behind the operation:
- 1500dollars, actin, Acton, actor, Acuff,
- Acuna, acute, adage, Adair, Adame, banhu,
- banjo, Banks, Banta, Barak, bbc, blend,
- BORISHORSE, bqux, Caleb, Cales, Caley,
- calix, Calle, Calum, Calvo, CAPITAL, com,
- DDoS, deal, deuce, Dever, devil, Devoe,
- Devon, Devos, dewar, Eight, eject, eking,
- Elbie, elbow, elder, Frendi, help, KARLOS,
- karma, mamba, phoenix, PLUT, WALLET, zax.
How Does Phobos Ransomware Spread?
Much like other cyber-threats, Phobos ransomware infects devices and potentially spreads across the entire network in five main ways:
- unprotected remote desktop protocol (RDP) connections,
- brute-forced remote desktop protocol credentials,
- stolen RDP credentials bought on the black market,
- patch exploits and other software vulnerabilities,
- and phishing campaigns.
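Three of the five entry points above come down to RDP credentials, so a detection for RDP password guessing is the check most worth having in place. The Python script below is an added example and not part of the article: it walks Windows Security logon events (4625 failed, 4624 succeeded, logon type 10 for RemoteInteractive), counts failures per source address in a sliding window, and escalates when a successful logon follows from an address that was already flagged. The one-line event format and the sample events are constructed for the example; real events come from the Security log as XML/EVTX, so replace parse_event() with your collector's field mapping. Failed RDP logons through Network Level Authentication can be recorded with logon type 3 rather than 10, so both are included.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed one-line rendering of a Security event; the field names are mine,
# not the Windows event schema. Example:
#   2020-12-20T03:14:05Z 4625 LogonType=10 User=administrator Src=203.0.113.7
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"User=(?P<user>\S+) Src=(?P<src>\S+)$"
)

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
# 10 = RemoteInteractive (RDP); NLA-protected RDP failures may surface as type 3.
RDP_LOGON_TYPES = {"10", "3"}


def parse_event(line):
    """Parse one constructed event line; return None for anything else."""
    m = LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "event_id": int(m.group("event_id")),
        "logon_type": m.group("logon_type"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Flag sources with >= threshold RDP failures inside `window`, and any
    later RDP success from a flagged source. Returns alerts in event order."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ev in map(parse_event, lines):
        if ev is None or ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "src": src,
                               "failures": len(q), "at": ev["ts"]})
        elif ev["event_id"] == SUCCESSFUL_LOGON and src in flagged:
            # A success after a burst of failures is the case that matters most.
            alerts.append({"type": "rdp_success_after_bruteforce", "src": src,
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


# Constructed sample: a guessing run from 203.0.113.7 (TEST-NET-3, not a real
# host) ending in a success, plus one ordinary mistyped password from 198.51.100.4.
SAMPLE_EVENTS = [
    "2020-12-20T03:14:05Z 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-12-20T03:14:09Z 4625 LogonType=10 User=administrator Src=203.0.113.7",
    "2020-12-20T03:14:12Z 4625 LogonType=3 User=admin Src=203.0.113.7",
    "2020-12-20T03:14:20Z 4625 LogonType=10 User=jsmith Src=198.51.100.4",
    "2020-12-20T03:14:31Z 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-12-20T03:14:40Z 4624 LogonType=10 User=jsmith Src=198.51.100.4",
    "2020-12-20T03:14:55Z 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-12-20T03:15:03Z 4625 LogonType=10 User=backup Src=203.0.113.7",
    "2020-12-20T03:16:47Z 4624 LogonType=10 User=backup Src=203.0.113.7",
]

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(a)
```

The threshold and window are the tuning knobs: a short window misses slow guessing, a long one on a busy gateway produces noise from users with stale saved credentials. The success-after-failures alert is the one to page on, because at that point the question is no longer whether the address is guessing but whose account it now holds.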
Once Phobos ransomware enters your system, it fully encrypts standard-sized files. Its algorithm differs for large files, however, partially encoding selected segments only. In this way, it manages to save time and maximize damage at the same time.
Most file formats are affected by the ransomware, including popular extensions such as .avi, .backup, .doc, .docx, .html, .jpg, .jpeg, .mkv, .mp3, .mp4, .pdf, .rar, and .zip. The following operating system files are not encrypted as a result of the infection:
- boot.ini
- bootfont.bin
- io.sys
- ntldr
- ntdetect.com
On top of encoding your files, Phobos also terminates active operating system processes to clear its path into your files. It also deletes local backups and shadow copies, similarly to Sodinokibi ransomware. Finally, it disables recovery mode and your firewall as well to further prevent you from rebooting the device and stopping the infection.
...