Installation

After the hacker has gained remote access to a compromised server, the payload downloaded to the compromised server and Phobos is unpacked by a packer program into the memory. Then Phobos add itself into the system registry as an auto-run item and installs itself into the Startup folders and in %APPDATA%. Then it is executed with administrator privileges.
Phobos will scan the network for shadow copies and then deletes any shadow copies that were found to ensure that the victims will not be able to recover their encrypted files. It also kills processes and stop services related to antivirus, database, backup, and document editing software from a list of predefined service and process names.

Encryption

When Phobos is executed, it starts to encrypt files on the compromised machines through AES-256 with RSA-1024 asymmetric encryption algorithm via Windows Crypto API. Due to it using preinstalled windows functions, Phobos can encrypt the files without the need of being connected to the internet as it comes with hardcoded public keys.

Command and Control

During the attack, Phobos sends the results from the scans from initial reconnaissance of the target’s network to a C&C server which is used to determine how much the initial ransom will be.