What is Phobos?
Phobos, named after the Greek god of fear, is a type of ransomware with close ties to two other types of notorious virus, Crysis and Dharma, in terms of structure and approach. Crysis was first identified in 2016 and became popular when its source code was released online. Following the creation of Crysis decryption keys, cybercriminals updated the code to create Dharma. Similarly, when decryption tools were developed to target Dharma, the ransomware again evolved. This 2018 iteration is known as Phobos.
While Dharma and Phobos are very similar in terms of their code and popular due to their simplicity, there is one major difference: as of early 2022, there is still not a decryption tool available for Phobos. As a result, small and medium-sized businesses must be particularly vigilant of the impact a Phobos ransomware attack could have on their data security.
One reason that Dharma and Phobos are popular with hackers is their ransomware-as-a-service (RaaS) approach, which requires minimal technical skills to launch an attack. Both are designed to target Windows systems, as they use exploits in Microsoft’s RDP communication protocol.
Phobos ransomware attack vectors
Hackers use Phobos ransomware to target remote desktops with weak passwords using two main attack vectors:
- By conducting phishing campaigns to steal account details and passwords, or to trick the targeted individual into opening a malicious attachment.
- By gaining direct access using the Remote Desktop Protocol (RDP). The specific port targeted by the ransomware is port 3389. Botnets can be used to scan for systems that have left this port open, providing an opportunity for the bad actor to guess the login details using, for example, a brute force attack.
What does Phobos do?
Once access to a system has been secured, the ransomware does not typically attempt to bypass Windows User Account Control (UAC). The threat actor will copy the executable file and launch it using access privileges. As this process is so simple, Phobos has become popular with cybercriminals as it allows those with less skill to conduct an impactful attack.
The ransomware will then install itself into key locations, such as the Windows Startup folder and %APPDATA% folder, and create registry keys so it can resume even after a system restart.
Phobos will then begin a continuous scan, targeting local user files and network shares, and monitoring for new files that meet the requirements for encryption. This will typically include user-generated files, including documents, commonly used folders, and media.
The malware will also conduct some protective measures, including:
- Deleting shadow copy backups of files
- Blocking recovery mode
- Disabling security measures, including firewalls.
These attempts to cover its tracks are similar to the approach taken by Sodinokibi ransomware.
Phobos uses the Advanced Encryption Standard AES-256 alongside another popular algorithm, RSA-1024. The data itself is encrypted with AES, while the private key used for decryption is encrypted with RSA. Both AES and RSA are widely used for secure data transmission, for both legitimate and malicious purposes.
The files are then renamed with an extension containing:
- An ID number, which is also in the ransom note. This will be in two parts and could contain letters and numbers
- An email address, which also appears in the note and is where victims are instructed to request their files
- An extension, which is a seemingly random word used to differentiate the person or group responsible for the attack.
The extension will be structured as follows:
.ID[email address 1].[added extension]
For example, a file originally named Photo.jpg might be renamed to something like;
Unfortunately, there is no Phobos decryptor available other than the keys held by the cybercriminals who created the ransomware. This highlights the importance of making regular system backups and storing these in a secure location – this may be the only way to recover your business data – and using cybersecurity software to scan for and remove malicious files.
What to do if your computer is hacked for ransom
You might have done all you can to prevent ransomware, but if you discover that your device or network has been infected, there are a number of measures you should take to protect your business.
Isolate the device from the network
The first step is to minimize damage and prevent the virus from spreading any further. The infected device should be immediately disconnected from the internet and removed from the network. Any devices that were connected should be scanned for malicious software.
Keep in mind that receiving a ransom message is not the end of a Phobos attack – the ransomware will continue to scan for changes to the device and infect new files even without an internet connection.
Use security tools to remove the malicious software
Depending on the type of ransomware, there are a number of removal methods. In some cases, the ransomware will delete itself to make it harder to identify the type of attack and locate a decryption key, if one is available. In others, the file will remain and require a removal tool to clean your system.
Avast Small Business Cybersecurity Solutions can identify and remove many different types of ransomware, keeping your devices protected against future attacks.
Restore data from a backup
If you have kept regular backups, you should be able to safely recover your business data once the ransomware has been removed.
Without a backup and with no decryption key available, there are no recovery solutions for a Phobos attack. In this situation, all that can be done is to backup any files you can access until a key becomes publicly available.
Paying the ransom is not recommended. Not only will payments encourage further attacks, there is no guarantee that the cybercriminal will return your files.
Report the attack to the authorities
Cybercrime should be reported to the authorities so that attack trends can be recorded. In the US, ransomware incidents should be reported to the Cyberstructure & Infrastructure Security Agency (CISA) through their reporting tool. In the UK, cybercrime should be reported to Action Fraud.