Phobos Ransomware is an encryption ransomware threat that was first observed on October 21, 2017. While Phobos ransomware technically emerged after the infamous Dharma and Crysis ransomware families, it reuses significant chunks of their code. Phobos ransomware has been used to target computer users in Western Europe and the United States and delivers its ransom messages in English to the victims.
One of the methods in which Phobos ransomware is being distributed is through the use of spam email attachments, which may appear as Microsoft Word documents that have enabled macros. These macro scripts are designed to download and install the Phobos ransomware onto the victim’s computer when the malicious file is accessed. Although most initial reported instances of Phobos ransomware were traced to email links and attachments, there has been a pronounced shift towards exploiting exposed Remote Desktop Protocols. Employing the use of scanners, hackers search for computers and networks running unsecured RDP connections. This allows them to escalate their privileges, collect user login credentials, gain lateral access inside the compromised network before delivering the ransomware payload.
Like most other, similar threats, Phobos ransomware works by encrypting the victim’s files by using a strong encryption algorithm. The encryption makes the files inaccessible, allowing Phobos ransomware to take the victim’s data hostage until the victim pays a ransom. Phobos ransomware will target the user-generated files, which may include files with the following extensions:
.mp3, .mp4, xls, .xlsx, .zip, .jpeg. And many others
In late 2018, a prolific cybercrime gang behind a series of ransomware attacks was distributing a new form of Phobos ransomware that combined two well-known and successful variants in a series of attacks against businesses around the world.
The demand is made in a ransom note, and aside from an ominous ‘Phobos’ logo being added to the ransom note, it’s basically the same as the note used by it’s predecessor Dharma ransomware.
The note in part reads:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail email@example.com
Write this ID in the title of your message
In case of no answer in 24 hours write us to this e-mail: firstname.lastname@example.org
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
While the vast majority of ransomware threats out there rely on spam email campaigns to reach targeted PCs, Phobos ransomware has brought about a marked shift towards exploiting exposed Remote Desktop Protocols (RDPs) instead. By using readily available scanners, the cybercrooks in charge scour entire networks for unsecured active RDP connections, then retrieve the necessary login credentials by way of a brute-force attack before planting the ransomware payload. Dharma ransomware did this, and so does Phobos ransomware.
This infection method is currently enjoying great popularity for two main reasons. First, millions of RDP connections remain unprotected to this day despite the tremendous efforts made by security companies worldwide to raise awareness about the underlying risks. Second, the Dark Web provides abundant opportunities for hackers willing to lay their hands on thousands of stolen remote access credentials. One of the dark marketplaces offering such data – xDedic – shuttered on Jan. 24, 2019 after an international joint operation involving law enforcement agencies from the United States, Germany, Belgium and Ukraine seized its domains and servers.
Contrary to other malware strains, Phobos ransomware does NOT bypass Windows’ User Account Control (UAC) feature. That is why, the UAC pop-up will come up asking for permission to “allow the following program from an unknown publisher to make changes to this computer.” Should the targeted PC user select ‘Yes,’ Windows will no longer be able to prevent the program or process from running. Instead, Phobos ransomware will launch with elevated privileges and will install itself in the system’s AppData folder. Last, but not least, Phobos ransomware will modify the targeted machine’s registry settings in order to launch during system startup.
Data Loss Mitigation
As far as recovering your data after an outbreak of Phobos ransomware, according to Research from Data Security Consultants Coveware, “While the total data recovery rate is ~85%, there are also instances of no decryption tool being delivered after payment. The data success rate (when a decryptor is delivered) is relatively high despite the logistical complexity of receiving decryption keys and running the decryption tool.”
So as you can see, even if you pay the hackers, there is no guarantee you will be able to recover your files after infection.
In other words, the only way to guarantee you won’t lose your data is to prevent the initial infection.
If you are still having trouble, consider contacting remote technical support options.