New Phobos ransomware exploits weak security to hit targets around the world

Ransomware strain has many similarities with one of the most damaging ransomware families.
Written by Danny Palmer, Senior Writer

A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware that combines two well-known and successful variants in a series of attacks against businesses around the world.

Dubbed Phobos by its creators, the ransomware first emerged in December 2018, and researchers at Coveware have detailed how it shares a number of similarities with Dharma ransomware.

Like Dharma, Phobos is deployed by attackers who get into networks through open or poorly secured RDP ports, then encrypt files and demand a ransom paid in bitcoin in return for restoring them. In this case the encrypted files are given a .phobos extension.

The demand is made in a ransom note — and aside from 'Phobos' logos being added to the ransom note, it's exactly the same as the note used by Dharma, with the same typeface and text used throughout.

It isn't only the ransom note Phobos shares with Dharma. Much of the code behind the ransomware is the same, with researchers describing it as a "largely cut and paste variant of Dharma."

Phobos ransom note. Image: Coveware

Phobos also contains elements of CrySiS ransomware, the family from which Dharma itself descends, and anti-virus software detects Phobos as CrySiS. The ransomware's file markers also differentiate it from Dharma. The attack method and the threat to victims, however, remain the same.

"What is clear is that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes and communications remain nearly identical to Dharma," researchers said in a blog post.


Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing the attackers with a second option for conducting attacks should Dharma's encryption be broken, a free decryptor released, or the family otherwise stop extorting ransoms from victims.

Dharma was one of the most damaging families of ransomware in 2018 and remains active.

However, organisations can go a long way towards not becoming a victim in the first place by securing their RDP ports and by regularly backing up their data, so that if the worst happens it is possible to restore systems without giving in to the demands of cyber criminals. In practice that means not exposing RDP directly to the internet (put it behind a VPN or a remote desktop gateway instead), requiring Network Level Authentication and strong, unique passwords with account lockout, watching for bursts of failed RDP logons, and keeping backups offline or otherwise out of reach of an attacker who already holds an administrator account, since a backup the ransomware can encrypt is no backup at all.
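As an added example (not from Coveware's write-up, the article, or the Phobos or Dharma operators), the following Python script shows the check a defender would run to spot the RDP password-guessing that precedes a Dharma or Phobos deployment through a poorly secured RDP port: it reads Windows Security events 4625 (failed logon) and 4624 (successful logon), keeps only logon type 10 (RemoteInteractive, i.e. an RDP session), and reports any source address with five or more failures inside ten minutes, noting whether a successful RDP logon followed the burst. The field names assume the events were exported as JSON lines using the standard 4625/4624 field names (TimeCreated, EventID, TargetUserName, IpAddress, LogonType); the sample records are constructed, and the threshold and window are assumptions to tune for your environment.

```python
"""Flag RDP password guessing in exported Windows Security log events.

Added example; not code from the article, Coveware or the ransomware.
Assumes events were exported as JSON lines with the standard field names
below. The sample events are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625        # Windows Security: "An account failed to log on"
SUCCESSFUL_LOGON = 4624    # "An account was successfully logged on"
RDP_LOGON_TYPE = 10        # RemoteInteractive, i.e. an RDP session


def _event(ts, event_id, user, ip, logon_type=RDP_LOGON_TYPE):
    return {"TimeCreated": ts, "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type}


# Constructed sample: one source guessing through common account names over
# RDP and finally getting in, one legitimate user mistyping a password once,
# and one SMB (logon type 3) failure that must not count as RDP activity.
SAMPLE_EVENTS = [
    _event("2019-01-14T02:10:05", FAILED_LOGON, "Administrator", "203.0.113.7"),
    _event("2019-01-14T02:10:19", FAILED_LOGON, "admin", "203.0.113.7"),
    _event("2019-01-14T02:10:33", FAILED_LOGON, "backup", "203.0.113.7"),
    _event("2019-01-14T02:10:47", FAILED_LOGON, "scan", "203.0.113.7"),
    _event("2019-01-14T02:11:02", FAILED_LOGON, "Administrator", "203.0.113.7"),
    _event("2019-01-14T02:11:16", FAILED_LOGON, "Administrator", "203.0.113.7"),
    _event("2019-01-14T02:11:30", SUCCESSFUL_LOGON, "Administrator", "203.0.113.7"),
    _event("2019-01-14T08:55:00", FAILED_LOGON, "j.smith", "192.0.2.10"),
    _event("2019-01-14T08:55:12", SUCCESSFUL_LOGON, "j.smith", "192.0.2.10"),
    _event("2019-01-14T03:00:00", FAILED_LOGON, "svc_sql", "198.51.100.9", logon_type=3),
]
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def detect_rdp_guessing(jsonl, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every source address with at least `threshold`
    failed RDP logons inside any `window`, and whether a successful RDP logon
    from that address followed the last failure (the sign the guess landed)."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [time]
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue               # ignore SMB, service, console logons
        t = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == FAILED_LOGON:
            failures[ev["IpAddress"]].append((t, ev["TargetUserName"]))
        elif ev["EventID"] == SUCCESSFUL_LOGON:
            successes[ev["IpAddress"]].append(t)

    findings = {}
    for ip, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        # Sliding window: any run of `threshold` failures whose span fits in `window`.
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if not burst:
            continue
        last_failure = times[-1]
        findings[ip] = {
            "failures": len(times),
            "accounts": sorted({a for _, a in attempts}),
            "first": times[0].isoformat(),
            "last": last_failure.isoformat(),
            "followed_by_success": any(s > last_failure for s in successes[ip]),
        }
    return findings


if __name__ == "__main__":
    for ip, f in detect_rdp_guessing(SAMPLE_JSONL).items():
        state = "guess succeeded, treat host as compromised" if f["followed_by_success"] else "guessing"
        print(f"{ip}: {f['failures']} failed RDP logons against {f['accounts']} ({state})")
```

Run against the sample, only 203.0.113.7 is reported, with six failures across four account names and a successful logon afterwards; the single failure from 192.0.2.10 and the SMB failure are ignored. A success immediately after a burst is the finding to act on first, because at that point the attacker already holds an interactive session and the encryption step can follow at any time. Note that 4625 only carries a usable IpAddress when the client reached the logon stage; with Network Level Authentication disabled the field may be recorded as "-".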
