We’re sorry, your browser appears to be outdated.
To see the content of this webpage correctly, please update to the latest version or install a new browser for free, such as Avast Secure Browser or Google Chrome.

Not sure which solution is right for your business?

What is Phobos Ransomware and how to remove it

Phobos is a type of ransomware that first emerged in 2018 and remains a threat to business servers. This is because it exploits incorrectly configured Remote Desktop Protocols (RDP), which are used by millions of people around the world when remotely connecting to their business networks. In this guide, you’ll discover what Phobos is, how it works, and what to do to prevent an attack on your business.

What is Phobos?

Phobos, named after the Greek god of fear, is a type of ransomware with close ties to two other types of notorious virus, Crysis and Dharma, in terms of structure and approach. Crysis was first identified in 2016 and became popular when its source code was released online. Following the creation of Crysis decryption keys, cybercriminals updated the code to create Dharma. Similarly, when decryption tools were developed to target Dharma, the ransomware again evolved. This 2018 iteration is known as Phobos.

While Dharma and Phobos are very similar in terms of their code and popular due to their simplicity, there is one major difference: as of early 2022, there is still not a decryption tool available for Phobos. As a result, small and medium-sized businesses must be particularly vigilant of the impact a Phobos ransomware attack could have on their data security.

One reason that Dharma and Phobos are popular with hackers is their ransomware-as-a-service (RaaS) approach, which requires minimal technical skills to launch an attack. Both are designed to target Windows systems, as they use exploits in Microsoft’s RDP communication protocol.

Phobos ransomware attack vectors

Hackers use Phobos ransomware to target remote desktops with weak passwords using two main attack vectors:

  • By conducting phishing campaigns to steal account details and passwords, or to trick the targeted individual into opening a malicious attachment.
  • By gaining direct access using the Remote Desktop Protocol (RDP). The specific port targeted by the ransomware is port 3389. Botnets can be used to scan for systems that have left this port open, providing an opportunity for the bad actor to guess the login details using, for example, a brute force attack.

What does Phobos do?

Once access to a system has been secured, the ransomware does not typically attempt to bypass Windows User Account Control (UAC). The threat actor will copy the executable file and launch it using access privileges. As this process is so simple, Phobos has become popular with cybercriminals as it allows those with less skill to conduct an impactful attack.

The ransomware will then install itself into key locations, such as the Windows Startup folder and %APPDATA% folder, and create registry keys so it can resume even after a system restart.

Phobos will then begin a continuous scan, targeting local user files and network shares, and monitoring for new files that meet the requirements for encryption. This will typically include user-generated files, including documents, commonly used folders, and media.

The malware will also conduct some protective measures, including:

  • Deleting shadow copy backups of files
  • Blocking recovery mode
  • Disabling security measures, including firewalls.

These attempts to cover its tracks are similar to the approach taken by Sodinokibi ransomware.

Phobos encryption

Phobos uses the Advanced Encryption Standard AES-256 alongside another popular algorithm, RSA-1024. The data itself is encrypted with AES, while the private key used for decryption is encrypted with RSA. Both AES and RSA are widely used for secure data transmission, for both legitimate and malicious purposes.

The files are then renamed with an extension containing:

  • An ID number, which is also in the ransom note. This will be in two parts and could contain letters and numbers
  • An email address, which also appears in the note and is where victims are instructed to request their files
  • An extension, which is a seemingly random word used to differentiate the person or group responsible for the attack.

The extension will be structured as follows:

.ID[email address 1].[added extension]

For example, a file originally named Photo.jpg might be renamed to something like;


Unfortunately, there is no Phobos decryptor available other than the keys held by the cybercriminals who created the ransomware. This highlights the importance of making regular system backups and storing these in a secure location – this may be the only way to recover your business data – and using cybersecurity software to scan for and remove malicious files.

What to do if your computer is hacked for ransom

You might have done all you can to prevent ransomware, but if you discover that your device or network has been infected, there are a number of measures you should take to protect your business.

Isolate the device from the network

The first step is to minimize damage and prevent the virus from spreading any further. The infected device should be immediately disconnected from the internet and removed from the network. Any devices that were connected should be scanned for malicious software.

Keep in mind that receiving a ransom message is not the end of a Phobos attack – the ransomware will continue to scan for changes to the device and infect new files even without an internet connection.

Use security tools to remove the malicious software

Depending on the type of ransomware, there are a number of removal methods. In some cases, the ransomware will delete itself to make it harder to identify the type of attack and locate a decryption key, if one is available. In others, the file will remain and require a removal tool to clean your system.

Avast Small Business Cybersecurity Solutions can identify and remove many different types of ransomware, keeping your devices protected against future attacks.

Restore data from a backup

If you have kept regular backups, you should be able to safely recover your business data once the ransomware has been removed.

Without a backup and with no decryption key available, there are no recovery solutions for a Phobos attack. In this situation, all that can be done is to backup any files you can access until a key becomes publicly available.

Paying the ransom is not recommended. Not only will payments encourage further attacks, there is no guarantee that the cybercriminal will return your files.

Report the attack to the authorities

Cybercrime should be reported to the authorities so that attack trends can be recorded. In the US, ransomware incidents should be reported to the Cyberstructure & Infrastructure Security Agency (CISA) through their reporting tool. In the UK, cybercrime should be reported to Action Fraud.

Protect against Phobos with Avast Small Business Cybersecurity Solutions

As Phobos encryption cannot yet be deciphered, the security of your business and its data depends on conducting regular backups and preventing ransomware from reaching your devices.

Avast Small Business Cybersecurity Solutions can help protect users against Phobos, WannaCry, and many other types of malware. Choose the level of protection required for your specific needs, and keep your devices and network protected against cyberattacks.


Almost done!

Complete installation by clicking your downloaded file and following the instructions.

Initiating download...
Note: If your download did not start automatically, please click here.
Click this file to start installing Avast.