Phobos Ransomware: Everything You Need to Know and More
Phobos Ransomware Emerged in December 2018. Here’s What You Need to Know About It.
Ransomware is an increasingly popular threat that cybercriminals weaponize for their own gain. Although some strains are genuinely novel, innovative even, others are simply more of the same. Phobos ransomware is an example of the latter category. But while it might not be the most unique ransomware variant out there, Phobos can still lay waste to your system and scorch the earth behind it. In this article, I will attempt a deep dive into what Phobos ransomware is, how it spreads, and how you can protect your enterprise against it.
What is Phobos Ransomware?
First detected in December 2018, Phobos ransomware is yet another cyber-threat that mainly targets organizations. However, unlike other cybercrime gangs that practice big game hunting, the malicious actors behind Phobos typically target smaller enterprises with fewer means to pay large ransoms. As a result, the average ransom demand in a Phobos attack is $18,755. As far as its genetic makeup goes, so to speak, Phobos ransomware closely resembles the infamous Dharma variant. Experts regard the former as a highly similar version (some would go as far as to say a rip-off) of the latter. What is more, according to Coveware, both Phobos and Dharma seem to be inspired by the larger CrySis ransomware family.
A. Phobos Ransom Note
The first similarity between the two strains to stand out is the ransom note. Phobos ransomware essentially deploys the same HTA file onto the infected computers as Dharma, the only difference being its own branding slapped onto the top and bottom of the HTA file. See the image embedded below for an illustration of the ransom note, courtesy of ZDNet and Coveware.
[Image: the Phobos HTA ransom note. Image Source: ZDNet]
On top of the HTA file, Phobos ransomware also drops a text document ransom note that is considerably shorter than its counterpart on the infected device. It reads as follows:
!!! All of your files are encrypted !!! To decrypt them send e-mail, to this address: [email address 1] If there is no response from our mail, you can install the Jabber client and write to us in support of [email address 2]
As you can see by comparing the two, the latter does not contain relevant information such as the generated ID, nor is it as explicit in terms of demands. This means that less tech-savvy victims might have to resort to doing their own research if the TXT file is the only one they recognize. Nevertheless, HTA files are not difficult to open at all. An HTA file is executable and can be run from an HTML document. It contains hypertext code, as well as VBScript or JScript code readable by the Microsoft HTML Application Host. This means that you can easily open it in Microsoft’s Internet Explorer or Edge browsers by double-clicking it if your device operates on Windows.
B. Phobos Ransomware Encryption
Phobos ransomware encrypts files on the infected device with AES-256, with the AES keys protected by RSA-1024 asymmetric encryption. Therefore, on top of the copied and pasted ransom note, it is worth noting that both Phobos and Dharma employ the same RSA algorithm. However, one notable difference is that Phobos operators implement it through the Windows Crypto API, while the Dharma gang runs it from a third-party static library. Furthermore, encrypted file names are created through the same process in both cases, namely by concatenating:
- the original file name,
- a unique ID number,
- the ransomware operator email,
- and the .phobos extension.
Therefore, if your data has been encrypted by it, your file names will read as follows:
- [filename].[ID][email address 1].[added extension]
While the .phobos extension is the most logical visual cue to look for, you should also be aware that it might not always be the one present in the event of an infection. In an article she penned for the Malwarebytes Labs blog, malware intelligence analyst Jovi Umawing identified over 50 other file extensions used by the ransomware operators behind the operation:
- 1500dollars, actin, Acton, actor, Acuff,
- Acuna, acute, adage, Adair, Adame, banhu,
- banjo, Banks, Banta, Barak, bbc, blend,
- BORISHORSE, bqux, Caleb, Cales, Caley,
- calix, Calle, Calum, Calvo, CAPITAL, com,
- DDoS, deal, deuce, Dever, devil, Devoe,
- Devon, Devos, dewar, Eight, eject, eking,
- Elbie, elbow, elder, Frendi, help, KARLOS,
- karma, mamba, phoenix, PLUT, WALLET, zax.
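The naming convention and the extension list above can be turned into a simple triage check for a suspected infection. The following is an added example, not code from the article or from any vendor: it parses file names into the components the article describes (original name, victim ID, operator e-mail, appended extension) and counts how many files belong to each ID/e-mail pair. The article gives only the order of the components; the `id[...]` and `[...]` bracket framing used in the regex, and the sample file names, are assumptions constructed for the demonstration.

```python
import re
from collections import Counter

# Extensions the article lists as used by the operators, plus .phobos itself.
PHOBOS_EXTENSIONS = {
    "phobos", "1500dollars", "actin", "acton", "actor", "acuff", "acuna", "acute",
    "adage", "adair", "adame", "banhu", "banjo", "banks", "banta", "barak", "bbc",
    "blend", "borishorse", "bqux", "caleb", "cales", "caley", "calix", "calle",
    "calum", "calvo", "capital", "com", "ddos", "deal", "deuce", "dever", "devil",
    "devoe", "devon", "devos", "dewar", "eight", "eject", "eking", "elbie", "elbow",
    "elder", "frendi", "help", "karlos", "karma", "mamba", "phoenix", "plut",
    "wallet", "zax",
}

# Assumed suffix layout: "<original>.id[<victim id>].[<operator e-mail>].<ext>".
# The article fixes the order (ID, e-mail, extension); the bracket framing is an assumption.
SUFFIX_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id\[(?P<victim_id>[0-9A-Za-z-]+)\]"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_phobos_name(filename):
    """Return the suffix components if the name matches the Phobos layout, else None."""
    m = SUFFIX_RE.match(filename)
    if not m or m.group("ext").lower() not in PHOBOS_EXTENSIONS:
        return None
    return {k: m.group(k) for k in ("original", "victim_id", "email", "ext")}


def triage(filenames):
    """Return the parsed hits and a count of files per (victim ID, e-mail) pair."""
    hits = [p for p in (parse_phobos_name(f) for f in filenames) if p]
    return hits, Counter((h["victim_id"], h["email"]) for h in hits)


# Constructed sample names: three renamed by the assumed layout, two untouched,
# and one with the right shape but an extension that is not on the list.
SAMPLE = [
    "quarterly-report.docx.id[1A2B3C4D-2275].[decrypt@example.com].phobos",
    "backup.zip.id[1A2B3C4D-2275].[decrypt@example.com].eking",
    "family.jpg.id[1A2B3C4D-2275].[decrypt@example.com].phobos",
    "notes.txt",
    "archive.tar.gz",
    "readme.id[FFFF0000-0001].[other@example.org].pdf",
]
```

Running `triage(SAMPLE)` flags the first three names and attributes all of them to a single ID/e-mail pair, which is the information the HTA note would carry and the TXT note omits.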
How Does Phobos Ransomware Spread?
Much like other cyber-threats, Phobos ransomware infects devices and potentially spreads across the entire network in five main ways:
- unprotected remote desktop protocol (RDP) connections,
- brute-forced remote desktop protocol credentials,
- stolen RDP credentials bought on the black market,
- patch exploits and other software vulnerabilities,
- and phishing campaigns.
Once Phobos ransomware enters your system, it fully encrypts standard-sized files. Its algorithm differs for large files, however: it encrypts only selected segments of them. In this way, it saves time and maximizes damage at the same time. Most file formats are affected by the ransomware, including popular extensions such as .avi, .backup, .doc, .docx, .html, .jpg, .jpeg, .mkv, .mp3, .mp4, .pdf, .rar, and .zip. The following operating system files are not encrypted as a result of the infection:
On top of encrypting your files, Phobos also terminates active operating system processes to clear its path to your files. It also deletes local backups and shadow copies, similarly to Sodinokibi ransomware. Finally, it disables recovery mode and your firewall as well, to further prevent you from rebooting the device and stopping the infection.
How to Decrypt Phobos Ransomware
As per the extensive list of decryption tools on the No More Ransom Project website, both Dharma and CrySis can be decrypted by the Rakhni decryptor developed by Kaspersky Lab. What is more, CrySis can also be decrypted through a specialized tool created by Trend Micro. Unfortunately, no Phobos ransomware decryption tool has been made available as of yet. However, we also keep an alphabetical tally of all the ransomware decryptors released into the wild, so you can check back on our blog from time to time and see if one has materialized. For now, the only way you can receive a decryptor upon infection is by paying the ransom, which I do not recommend. As per a thorough investigation conducted by Coveware, the data recovery rate is around 85%, which means not everyone gets a decryption tool after sending the required amount of money. Thus, there is simply no guarantee that you will get your files restored. Plus, you will also fund cybercriminal activity in the process, which will allow the Phobos ransomware gang to wreak even more havoc in the future. So, long story short, don’t pay the ransom. Focus your funds and efforts on prevention instead.
Preventing a Phobos Ransomware Infection
#1 Educate Your Employees on Ransomware
As a small business owner targeted by Phobos ransomware, your employees are your first line of defense against an incoming cyberattack. This is why I recommend making their training a priority in the context of a larger prevention plan. For example, good ol’ fashioned phishing campaigns were among the five main ways in which Phobos and other ransomware strains spread. Therefore, teaching staff how to recognize suspicious links, malicious attachments, counterfeit branding, and other components of malspam constitutes a valuable security resource for your business. Of course, proper cybersecurity training should not end there. Members of your company’s personnel should be aware of all the complexities that come with a ransomware infection, as well as of the other types of cyber-threats out there.
#2 Always Patch Software Vulnerabilities
As previously mentioned, Phobos also spreads through exploits of unpatched software vulnerabilities, among other things. This is why you should deploy system updates as soon as they are released by their respective developers. However, this can become quite disruptive to your employees’ activity, which is why most of them will probably postpone patch deployment as much as they can. The Heimdal Patch & Asset Management automatic updater, integrated with our core offering Heimdal™ Threat Prevention, takes care of this issue efficiently, installing third-party patches in the background as soon as they are distributed.
Heimdal™ Threat Prevention - Endpoint
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Advanced DNS, HTTP and HTTPS filtering for all your endpoints;
- Protection against data leakage, APTs, ransomware and exploits;
#3 Create Online and Offline Data Backups
In the event of a Phobos ransomware attack, having backups of your company data means that you can restore files without the need to pay cybercriminals for a decryptor. My recommendation is to create both online copies in the cloud and offline ones on external storage devices. Nevertheless, please keep in mind that connected storage accounts and devices can also be encrypted by a ransomware infection. For this reason, you will also need to respond quickly if this happens to you and disconnect them as soon as possible.
Final Thoughts on Phobos Ransomware
Phobos ransomware might be a carbon copy of Dharma and CrySis, but unlike the two, it cannot be decrypted as of yet. Instead of paying the ransom, I suggest directing company efforts towards protection and prevention. With the proper cybersecurity solutions, extensive employee training, and a reliable data backup source you can increase your odds in the battle against advanced online threats.