
Phobos Ransomware

Posted: October 23, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 3,797
First Seen: July 24, 2009
Last Seen: July 16, 2020
OS(es) Affected: Windows

Phobos is one of the more recent ransomware strains to be added to this steadily growing database of malware threats. Although it presents as a new threat, much of its code closely resembles the code behind the Dharma and Crysis ransomware families that preceded it.

Infection Vector

Although most cybercriminals still rely on malicious email links and attachments to push a ransomware payload onto as many PCs as possible, there has been a marked shift towards exploiting exposed Remote Desktop Protocol (RDP) services instead. Using readily available scanners, the attackers locate computers, and sometimes entire networks, with RDP reachable from the Internet, brute-force the logon credentials, and then plant the ransomware payload over the resulting session. Dharma did this, and so does Phobos. The method is popular for two main reasons. First, millions of RDP endpoints remain exposed and unprotected to this day, despite the considerable effort security companies worldwide have put into raising awareness of the risk. Second, dark-web marketplaces offer thousands of stolen remote-access credentials to anyone willing to pay, so the brute-force step can often be skipped altogether.
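Spotting the brute-force stage in the Windows Security log is the check a defender most wants at this point. The following Python is an added example, not code from the original article: it replays a constructed stream of 4625 (failed logon) and 4624 (successful logon) events, flags any source address that exceeds a failure threshold inside a sliding window, and reports whether a logon from that address later succeeded, which is the sequence described above. The record format, the addresses, the account names and the threshold are assumptions. One caveat worth knowing: with Network Level Authentication enabled, failed RDP logons are recorded with LogonType 3 rather than 10, so the detector considers both.

```python
"""Sliding-window detector for RDP brute force in Windows Security events.

Added example, not from the original article. Input records are constructed
here in a simple "timestamp,event_id,logon_type,ip,user" form; in practice
the same fields come from the Security log event XML (EventID, LogonType,
IpAddress, TargetUserName) or a SIEM export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

FAILED_LOGON, SUCCESS_LOGON = 4625, 4624
# LogonType 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled the credential check happens before a session exists, so failed
# RDP logons are recorded as LogonType 3 (network) instead; consider both.
RDP_LOGON_TYPES = {3, 10}


def parse_event(line):
    """Parse one constructed 'ts,event_id,logon_type,ip,user' record."""
    ts, event_id, logon_type, ip, user = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "ip": ip,
        "user": user.lower(),
    }


def constructed_sample():
    """Constructed event stream: one attacker (203.0.113.45) that fails 30 times
    against rotating account names and then logs on as 'backup', plus one
    legitimate user (198.51.100.7) who mistypes a password twice."""
    base = datetime(2019, 1, 10, 2, 0, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    names = ["administrator", "admin", "backup", "scan", "user1"]
    lines = []
    for i in range(30):                                   # one failure every 5 s
        t = base + timedelta(seconds=5 * i)
        lines.append(f"{t.strftime(fmt)},4625,3,203.0.113.45,{names[i % len(names)]}")
    t = base + timedelta(seconds=160)
    lines.append(f"{t.strftime(fmt)},4624,10,203.0.113.45,backup")
    for i, event_id in enumerate((4625, 4625, 4624)):
        t = base + timedelta(minutes=1, seconds=20 * i)
        lines.append(f"{t.strftime(fmt)},{event_id},10,198.51.100.7,jsmith")
    return sorted(lines)                                  # ISO timestamps sort lexically


def detect_rdp_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: finding} for every source exceeding `threshold` failed RDP
    logons inside `window`. A finding records the total failures seen, the
    account names tried and, if a later logon from that IP succeeded, the
    account it succeeded as."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    tried = defaultdict(set)         # ip -> account names attempted
    findings = {}
    for event in map(parse_event, lines):
        if event["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip = event["ip"]
        if event["event_id"] == FAILED_LOGON:
            tried[ip].add(event["user"])
            q = recent[ip]
            q.append(event["ts"])
            while event["ts"] - q[0] > window:            # drop failures older than the window
                q.popleft()
            if ip in findings:
                findings[ip]["failures"] += 1
            elif len(q) >= threshold:
                findings[ip] = {"first_flagged": event["ts"], "failures": len(q),
                                "users_tried": tried[ip], "success_as": None}
        elif event["event_id"] == SUCCESS_LOGON and ip in findings:
            findings[ip]["success_as"] = event["user"]   # the brute force landed
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_bruteforce(constructed_sample()).items():
        print(ip, finding)
```

A success recorded against a flagged address is the event to escalate immediately, since it marks the point where the attacker has an interactive session and the payload can be dropped; the threshold and window should be tuned to the environment's normal failure rate.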

One such marketplace, xDedic, was shut down on January 24, 2019, when a joint international operation involving law enforcement agencies from the United States (FBI), Belgium (FCCU), Germany and Ukraine seized its domains. The takedown is likely to hurt RDP-oriented ransomware distributors, but it will hardly put an end to them.

Ransom Note and Payment

Phobos briefly made the headlines in the last quarter of 2017, but it was not until mid-December 2018 that it started to make a bigger dent in network security. Over the following weeks, its operators carried out a string of successful encryption attacks. Victims learn that they have been infected when an unfamiliar extension appears on every encrypted file. The extension follows the pattern [ID].[contact email address].[phobos]. The ID is a string of capital letters and digits, generated automatically on infection and unique to each infected computer. The email address is the one given in the ransom note, and victims are expected to use it to contact the attackers. At the time of writing, the following addresses are in circulation:

  • Cadillac.407@aol.com
  • OttoZimmerman@protonmail.ch
  • Job2019@tutanota.com
  • Raphaeldupon@aol.com
  • matrixBTC@keemail.me
  • elizabeth67bysthompson@aol.com
  • beltoro905073@aol.com
  • ofizducwell1988@aol.com
  • FobosAmerika@protonmail.ch
  • Everest_2010@aol.com

Phobos encrypts the victim's files with an AES-based scheme and then displays a ransom note named 'Phobos.hta'. It targets dozens of file types, from common user data (documents, music, video and so on) to files the system needs in order to run properly. Apart from the 'Phobos' logo at the top, the note is practically a carbon copy of the one used by every Dharma infection seen so far. As usual, victims are told to contact the attackers at the email address given in the note if they want any chance of recovering their data. No ransom amount is stated, but the note warns that the price will rise unless the victim makes contact within a matter of hours.

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail cadillac.407@aol.com
Write this ID in the title of your message D08133EB
In case of no answer in 24 hours write us to theese e-mails: Everest_2010@aol.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'

The note concludes with a short guide to buying Bitcoin and offers free decryption of up to 5 files totalling no more than 10 MB (Dharma's note offered a single file of up to 1 MB) as proof that the attackers hold a working decryption tool.

Detected as Crysis

Although Phobos has adopted Dharma's ransom note, it also appears to have borrowed code from the Crysis ransomware family: several anti-virus engines currently detect Phobos as Crysis, which suggests the two share code. Phobos nevertheless has a file-marker structure of its own. The close resemblance to Dharma leads security researchers to suspect that both strains are distributed by the same group.

Aliases

  • Win32.Trojan.Obfuscated.gx.3 [CAT-QuickHeal]
  • Downloader.Obfuskated [AVG]
  • Covert.Sys.Exec [Prevx1]
  • TrojanDownloader:Win32/Agent.ZZC [Microsoft]
  • TR/Crypt.XPACK.Gen [AntiVir]

Technical Details

File System Modifications

The following files were created on infected systems. All entries are executables (MIME type unknown/exe, group: malware file). Locations are abbreviated as follows:

  • Local: %SYSTEMDRIVE%\Users\<username>\AppData\Local
  • Startup: %SYSTEMDRIVE%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (some records give the drive as C:)
  • Desktop: C:\Users\<username>\Desktop

| File name | Location | Size (bytes) | MD5 | Detection count | Last updated |
|---|---|---|---|---|---|
| rrr_output713F8B0.exe | Local | 565,248 | 29d51846a76a1bfbac91df5af4f7570e | 150 | July 15, 2020 |
| rrr_output8F2121F.exe | Local | 638,976 | 5d533ba319fe6fd540d29cf8366775b1 | 148 | July 15, 2020 |
| rrr_outputEE209BF.exe | Local | 532,480 | 3677195abb0dc5e851e9c4bce433c1d2 | 138 | July 15, 2020 |
| rrr_output89A8FEF.exe | Local | 548,864 | 75d594f166d438ded4f4f1495a9b57b6 | 119 | July 15, 2020 |
| rrr_output354CF0.exe | Startup | 581,632 | 360f782f4a688aba05f73b7a0d68ef43 | 119 | July 16, 2020 |
| rrr_output7492970.exe | Startup | 684,032 | 376625a4a031656f0667723cd601f333 | 115 | July 16, 2020 |
| yvihok.exe | Local | 258,560 | 00db62e1b519159b0c20c00c2e97288b | 108 | July 27, 2020 |
| rrr_outputDBB65DF.exe | Local | 598,016 | cd16baef95d0f47387e7336ceab30e19 | 75 | July 15, 2020 |
| rrr_outputF71089F.exe | Local | 577,536 | 3d5ec29f0374fce02c5816c24907cafe | 63 | July 15, 2020 |
| rr_output5F98E0.exe | Startup | 696,320 | 559973f8550ce68f7bae9c3e3aaa26aa | 49 | July 16, 2020 |
| rrr_outputF0DA6CF.exe | Local | 577,536 | f653bc6e6dda82e487bfc4bc5197042b | 49 | July 15, 2020 |
| rrr_output940674F.exe | Local | 540,672 | b76fbb1b51118459d119d2be049d7aa5 | 42 | July 15, 2020 |
| rrr_output3A9CF40.exe | Startup | 585,728 | 6fa328484123906a6cfbbf5c6d7f9587 | 23 | July 15, 2020 |
| rrr_outputD25868F.exe | Startup | 536,576 | b43db466c60b32a1b76fe3095851d026 | 19 | July 15, 2020 |
| rrr_output43f40e0.exe | Startup | 215,527,425 | d1258b39c924746ed711af72e35e8262 | 12 | July 15, 2020 |
| ac044b97c4bfecc78ffa3efa53ffd0938eab2d04e3ec983a5bbb0fd5059aaaec.exe | Desktop | 5,523,968 | 26c23da3b8683eb3a727d54dcb8ce2f0 | 12 | November 13, 2019 |
| rr_output516C100.exe | Startup | 729,088 | e8dedea6ce819f863da0c75c9d9bccde | 9 | July 16, 2020 |
| rrr_output8f0a14f.exe | Startup | 655,815 | 52e6b8ee647e675969d36b69070d1047 | 9 | July 15, 2020 |


Registry Modifications

The following file name and path masks are associated with the infection (the page lists them under this heading, although they describe files rather than registry values):

File name without path:
  • svhost..exe

Regexp file masks:
  • %APPDATA%\microsoft\windows\start menu\programs\startup\ph_exec.exe
  • %appdata%\microsoft\windows\start menu\programs\startup\r{1,5}_output\w{6,8}.exe
  • %LOCALAPPDATA%\ph_exec.exe
  • %localappdata%\r{1,5}_output\w{6,8}.exe
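The masks above and the file-name pattern described under Ransom Note and Payment can be turned into a quick offline triage check. The following Python is an added example, not code from the original article: it canonicalises Windows paths, matches them against the dropper masks, parses the victim ID and contact address out of encrypted file names, and looks up MD5 values against a few of the hashes from the file list above. The user name, drive letter and sample paths are constructed; accepting an `id[<ID>-<4 digits>]` wrapper in addition to the article's [ID].[email].[phobos] layout is an assumption based on commonly published Phobos samples.

```python
"""Offline triage helpers for Phobos file artefacts.

Added example, not from the original article. Everything here runs on
constructed path strings and byte strings, so it can be exercised without
a live infected host.
"""
import hashlib
import ntpath
import re

# Encrypted-file name suffix. The article gives [ID].[contact email].[phobos];
# the optional "id[<ID>-<4 digits>]" wrapper is an assumption (seen in many
# published Phobos samples), so both layouts are accepted.
ENCRYPTED_NAME_RE = re.compile(
    r"\.(?:id\[)?(?P<victim_id>[0-9A-F]{8})(?:-\d{4}\])?"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.phobos$",
    re.IGNORECASE,
)

# The article's dropper masks as one regex over a canonical (lower-cased,
# variable-expanded) path: ph_exec.exe or r{1,5}_output\w{6,8}.exe directly
# inside %LOCALAPPDATA% or the per-user Startup folder.
DROPPER_PATH_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\appdata\\"
    r"(?:local|roaming\\microsoft\\windows\\start menu\\programs\\startup)\\"
    r"(?:ph_exec|r{1,5}_output\w{6,8})\.exe$"
)

# A few MD5 values taken from the article's file list.
KNOWN_MD5 = {
    "29d51846a76a1bfbac91df5af4f7570e": "rrr_output713F8B0.exe",
    "5d533ba319fe6fd540d29cf8366775b1": "rrr_output8F2121F.exe",
    "360f782f4a688aba05f73b7a0d68ef43": "rrr_output354CF0.exe",
    "00db62e1b519159b0c20c00c2e97288b": "yvihok.exe",
}


def normalise_path(path, user="victim", drive="c:"):
    """Lower-case a Windows path and expand the variables the masks use.
    `user` and `drive` are assumptions standing in for the real profile."""
    profile = drive + "\\users\\" + user
    substitutions = {
        "%localappdata%": profile + "\\appdata\\local",
        "%appdata%": profile + "\\appdata\\roaming",
        "%systemdrive%": drive,
    }
    p = path.lower()
    for var, value in substitutions.items():
        p = p.replace(var, value.lower())
    return p


def md5_lookup(data):
    """Return the article's file name for a known MD5, else None. MD5 serves
    only as an IOC lookup key here, not as an integrity mechanism."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def triage(paths):
    """Classify paths into dropper hits and encrypted files, and collect the
    victim IDs and contact addresses embedded in the encrypted names."""
    report = {"droppers": [], "encrypted": [], "victim_ids": set(), "emails": set()}
    for path in paths:
        m = ENCRYPTED_NAME_RE.search(ntpath.basename(path))
        if m:
            report["encrypted"].append(path)
            report["victim_ids"].add(m.group("victim_id").upper())
            report["emails"].add(m.group("email").lower())
        elif DROPPER_PATH_RE.match(normalise_path(path)):
            report["droppers"].append(path)
    return report


# Constructed sample paths: three dropper hits, one decoy in the wrong
# directory, two encrypted files and two benign files.
SAMPLE_PATHS = [
    r"%LOCALAPPDATA%\rrr_output713F8B0.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rr_output5F98E0.exe",
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ph_exec.exe",
    r"C:\Users\victim\AppData\Local\Temp\rrr_output713F8B0.exe",
    r"C:\Users\victim\Documents\report.xlsx.D08133EB.[cadillac.407@aol.com].phobos",
    r"D:\shares\finance\budget.docx.id[D08133EB-1096].[Everest_2010@aol.com].phobos",
    r"C:\Users\victim\Documents\notes.txt",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_PATHS))
```

The victim ID recovered from the file names should match the ID quoted in the ransom note on the same host, and the contact address can be checked against the list given earlier; a dropper-mask hit in the Startup folder is also the persistence entry to remove once the binary has been preserved for analysis.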
