Phobos is a ransomware family that has been active since 21st October 2017. It is known for targeting a large number of systems in Western Europe & the United States. Spam e-mail attachments & unprotected RDP (Remote Desktop Protocol) ports are the main methods by which Phobos propagates.
Once a system is infected, Phobos uses AES 265 encryption to encrypt user & system files. The encrypted files are renamed & given extensions such as .phobos, .mamba, .pheonix, .karlos or .Frendi, rendering them inaccessible.
| Attribute | Value |
|---|---|
| Operating System Impacted | Windows |
| Targeted Browser | Google Chrome, Internet Explorer, Mozilla Firefox |
Phobos, a recent addition to the ransomware family, is targeting a large number of computers across the world.
Initially, Phobos appeared to be an independent threat, since it showed no sign of being connected to the wider RaaS (Ransomware as a Service) ecosystem. However, detailed analysis of this file-encrypting malware has revealed its relationship to two notorious & still-active threats: Dharma Ransomware & Crysis Ransomware.
Cyber security analysts at Coveware have shown how closely Phobos resembles Dharma.
Just like Dharma, Phobos Ransomware exploits open or unsecured RDP to get into networks & infect the connected systems. Once a system has been infected, the ransomware attack is executed.
User & system files are encrypted using AES & then renamed: the victim's unique 8-character ID, an e-mail address & the .phobos extension are appended to the original file name.
For example, the file "12.xls" might be renamed to "12.xls.ID-xxxxxxx.[firstname.lastname@example.org].phobos".
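As an added example (not code from the original article or from any vendor), the following Python parses file names that follow the renaming scheme above and triages a directory listing for incident response: it extracts the victim ID, the contact e-mail embedded in the name and the variant extension, and raises an alert once several renamed files are present. The sample listing is constructed; the e-mail address in it is the article's own placeholder, and the alert threshold is an assumed value.

```python
import re
from collections import Counter

# Variant extensions the article lists (matched case-insensitively).
PHOBOS_EXTENSIONS = ("phobos", "mamba", "pheonix", "karlos", "frendi")

# Renamed-file pattern described in the article:
#   <original name>.ID-<victim id>.[<attacker e-mail>].<variant extension>
# The ID length is kept loose (6-12 characters) because the article's own
# example uses 7 placeholder characters while the text says 8.
PHOBOS_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.ID-(?P<victim_id>[A-Za-z0-9]{6,12})"
    r"\.\[\s*(?P<email>[^\[\]\s]+@[^\[\]\s]+)\s*\]"
    r"\.(?P<ext>" + "|".join(PHOBOS_EXTENSIONS) + r")$",
    re.IGNORECASE,
)


def parse_phobos_name(filename: str):
    """Return the parsed fields if `filename` follows the Phobos scheme, else None."""
    m = PHOBOS_NAME_RE.match(filename)
    if not m:
        return None
    fields = m.groupdict()
    fields["ext"] = fields["ext"].lower()
    return fields


def triage_listing(filenames, threshold=3):
    """Summarise evidence of a Phobos infection in a directory listing.

    Returns the renamed files found, the victim ID(s) and contact e-mail(s)
    embedded in their names, a count per variant extension, and an 'alert'
    flag set when at least `threshold` renamed files are present (assumed value).
    """
    hits = [(name, parse_phobos_name(name)) for name in filenames]
    hits = [(name, p) for name, p in hits if p is not None]
    return {
        "encrypted_files": [name for name, _ in hits],
        "victim_ids": sorted({p["victim_id"] for _, p in hits}),
        "contact_emails": sorted({p["email"].lower() for _, p in hits}),
        "variants": Counter(p["ext"] for _, p in hits),
        "alert": len(hits) >= threshold,
    }


# Constructed sample listing (not real incident data): untouched files, the
# article's renaming example, two more names in the same scheme, and the
# ransom-note HTA the article says Phobos drops.
SAMPLE_LISTING = [
    "budget.docx",
    "12.xls.ID-xxxxxxx.[firstname.lastname@example.org].phobos",
    "notes.txt.ID-A1B2C3D4.[firstname.lastname@example.org].phobos",
    "photo.jpg.ID-A1B2C3D4.[firstname.lastname@example.org].Frendi",
    "phobos.hta",
    "report.pdf.bak",
]

if __name__ == "__main__":
    for key, value in triage_listing(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

The contact e-mail and victim ID recovered here are exactly the values a responder needs to correlate the incident with public reporting on a given Phobos variant, and the per-variant count distinguishes a single campaign from several. The threshold keeps a lone stray file from paging anyone; tune it to the share size being scanned.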
The user-generated files targeted by the Phobos may include files with the extensions mentioned below-
Once the files are encrypted, Phobos generates an HTML Application (phobos.hta). This application displays a pop-up window on the victim's screen containing a ransom message.
The Phobos ransom note closely resembles Dharma's.
The note appears as a program window titled "Your files have been encrypted".
To purchase the decryption key, victims are asked to contact the attackers via e-mail addresses such as email@example.com and ottoZimmerman@protonmail.ch & to provide the assigned encryption ID.
It further prompts users to pay the ransom in Bitcoin in order to restore the encrypted data.
Ransom Note for Phobos Ransomware reads as follows-
Text presented in the other variant of Phobos Ransomware reads as follows-
Phobos Ransomware can propagate through several common methods, including:
1. Spam e-mail campaigns carrying harmful attachments.
2. Exploitation of unpatched vulnerabilities in RDP.
3. Fake software updates & dubious software download sources.
4. Infected network file-sharing services.
5. Zipped JavaScript attachments.
Cyber criminals often insert harmful executable files, malicious links or attachments into e-mails. A single click on such an attachment can install malicious software such as Phobos Ransomware, infecting the computer.
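As an added example that is not part of the original article, the following Python shows a simple attachment-screening check that a mail gateway or help-desk triage script could apply against two of the vectors listed above: executable or script files attached directly, and JavaScript hidden inside a zip archive. The archives are constructed in memory for the demonstration, and the RISKY_EXTENSIONS set is an assumed policy, not something the article specifies.

```python
import io
import zipfile

# Assumed screening policy: script and executable attachment types. HTA is
# included because the article notes Phobos itself drops an HTML Application.
RISKY_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta", ".exe", ".scr", ".cmd", ".bat"}


def _suffix(name: str) -> str:
    """Final extension of `name`, lower-cased; '' when there is none."""
    lower = name.lower()
    return lower[lower.rfind("."):] if "." in lower else ""


def risky_members(zip_bytes: bytes):
    """Return archive member names whose final extension is risky.

    Only the final suffix decides, so double extensions such as
    'invoice.pdf.js' are still caught. Nested archives are reported too,
    so they get inspected rather than waved through.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffix = _suffix(info.filename)
            if suffix in RISKY_EXTENSIONS or suffix == ".zip":
                flagged.append(info.filename)
    return flagged


def should_quarantine(attachment_name: str, payload: bytes) -> bool:
    """Decide whether an e-mail attachment should be held for review."""
    suffix = _suffix(attachment_name)
    if suffix in RISKY_EXTENSIONS:
        return True
    if suffix == ".zip":
        try:
            return bool(risky_members(payload))
        except zipfile.BadZipFile:
            return True  # malformed archive: hold it rather than deliver it
    return False


def build_zip(members):
    """Construct an in-memory zip (sample input only) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign archive of documents, and one carrying a
# double-extension JavaScript file, the "zipped JavaScript" vector above.
BENIGN_ZIP = build_zip({"q3/report.docx": b"sample", "q3/figures.png": b"sample"})
SUSPECT_ZIP = build_zip({"Invoice_2019.pdf.js": b"sample"})

if __name__ == "__main__":
    for name, data in (("reports.zip", BENIGN_ZIP), ("invoice.zip", SUSPECT_ZIP)):
        print(name, "quarantine" if should_quarantine(name, data) else "deliver")
```

Treating a malformed archive as suspicious rather than passing it through is deliberate: a gateway that silently delivers whatever it cannot open creates exactly the gap an attacker will probe. Real gateways pair an extension rule like this with content inspection, since the extension is attacker-controlled.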
Continue to follow steps 4 & 5 of Method 2 to restore the System Files and settings.
The researchers at Virus Removal Guidelines are dedicated to tracking down the latest vulnerabilities that may compromise your system security. Our team of experts performs detailed research on every malware infection before educating our users about it.