PHOBOS RANSOMWARE


Introduction

Phobos ransomware first appeared in 2018, when it was distributed by exploiting exposed Remote Desktop Protocol (RDP) services and poorly secured RDP credentials.
Attacks involving Phobos ransomware have been frequent and have been recorded against small and medium-sized organisations in many countries.
There is no decryptor for any of the active Phobos variants, and the average ransom demanded is $38,100, which is paid by contacting the email addresses provided in the ransom note.

Modus Operandi

Initial access

The threat actor targets Remote Desktop Protocol (RDP) services exposed on TCP port 3389 and brute-forces the password to gain access to a computer, although there have also been recorded cases of Phobos being distributed as malicious attachments in phishing emails.

Installation

After the attacker has gained remote access to a compromised server, the payload is downloaded to it and Phobos is unpacked into memory by a packer program. Phobos then adds itself to the system registry as an auto-run item and installs copies of itself in the Startup folders and in %APPDATA%, after which it is executed with administrator privileges.
Phobos scans the network for shadow copies and deletes any it finds, so that victims cannot use them to recover their encrypted files. It also kills processes and stops services related to antivirus, database, backup, and document-editing software, working from a predefined list of service and process names.
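The installation behaviours above (an auto-run entry pointing into %APPDATA%, shadow-copy deletion, and stopping of backup, database and antivirus services) are the signals a defender can hunt for. The following Python is an added example written for this page, not code from the original article or from any vendor tool: it classifies constructed Sysmon-style events and escalates when several of these tactics co-occur on one host. The event field names, the command forms matched (vssadmin, net stop, taskkill) and the service list are assumptions, not Phobos's own predefined list.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events for illustration only (not real telemetry).
# id "1" = process creation, id "13" = registry value set.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "13", "image": r"C:\Users\alice\AppData\Roaming\1b2c.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\1b2c",
     "details": r"C:\Users\alice\AppData\Roaming\1b2c.exe"},
    {"id": "1", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": "1", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"id": "1", "image": r"C:\Program Files\Editor\editor.exe",
     "cmdline": "editor.exe report.docx"},
]

# Assumed sample of backup/database/AV service names an operator would watch;
# this is NOT the ransomware's own predefined list.
TARGETED_SERVICES = {"mssqlserver", "veeambackupsvc", "msexchangeis", "windefend"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
APPDATA = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the Phobos-like behaviours a single event exhibits (may be empty)."""
    hits: List[str] = []
    if (ev["id"] == "13" and RUN_KEY.search(ev.get("target", ""))
            and APPDATA.search(ev.get("details", ""))):
        hits.append("persistence:run_key_from_appdata")  # auto-run into %APPDATA%
    if ev["id"] == "1":
        cmd = ev.get("cmdline", "").lower()
        if "vssadmin" in cmd and "delete" in cmd and "shadows" in cmd:
            hits.append("impact:shadow_copy_deletion")
        m = re.match(r"net(1)?(\.exe)?\s+stop\s+(\S+)", cmd)
        if m and m.group(3) in TARGETED_SERVICES:
            hits.append("defense_evasion:stop_" + m.group(3))
        if "taskkill" in cmd and "/im" in cmd:
            hits.append("defense_evasion:taskkill")
    return hits

def triage(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate hits across events; escalate once two distinct tactics co-occur."""
    hits = [h for ev in events for h in classify(ev)]
    tactics = {h.split(":", 1)[0] for h in hits}
    verdict = "ESCALATE" if len(tactics) >= 2 else ("REVIEW" if hits else "CLEAN")
    return {"hits": hits, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A single hit only yields REVIEW, because shadow-copy maintenance or a service restart can be legitimate administration; the combination with a Run key written from %APPDATA% is what makes the pattern worth escalating.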

Encryption

When Phobos is executed, it encrypts files on the compromised machines using AES-256 combined with the RSA-1024 asymmetric algorithm, via the Windows Crypto API. Because it relies on preinstalled Windows functions and ships with hardcoded public keys, Phobos can encrypt files without any connection to the internet.

Command and Control

During the attack, Phobos sends the results of its initial reconnaissance scans of the target's network to a C&C server, where they are used to determine the size of the initial ransom demand.