Phobos Ransomware

Phobos Ransomware Description

Phobos is one of the most recent ransomware strains to join the increasingly large database of malware threats. While Phobos appears to be a new threat, much of its code bears some striking similarities to the code that built the infamous Dharma and Crysis ransomware families not long ago.

Infection Vector

Although most cybercriminals rely on malicious email links and attachments to distribute the ransomware payload to as many target PCs as possible, there has been a marked shift towards exploiting exposed Remote Desktop Protocols instead. By using readily available scanners, the crooks search for computers and even entire networks running unsecured RDP connections, then retrieve the login credentials by way of a brute-force attack before planting the ransomware payload. Dharma did this, and so does Phobos. This infection method is currently enjoying great popularity for two main reasons. First, millions of RDP connections remain unprotected to this day despite the tremendous efforts made by security companies worldwide to raise awareness about the underlying risks. Second, the dark web provides abundant opportunities for hackers willing to lay their hands on thousands of stolen remote access credentials.

One of the dark marketplaces offering such data – the xDedic – shuttered on Jan. 24, 2019 after an international joint operation involving law enforcement agencies from the United States (FBI, FCCU), Belgium, Germany and Ukraine seized its domains. The successful result is likely to deal a severe blow to RDP-oriented ransomware distributors, yet it will hardly bring them to a definite end.

Ransom Note and Payment

Phobos briefly made the deadlines in the last quarter of 2017, but it was not until mid-December 2018 that the ransomware started making a bigger dent in network security. Throughout the last few weeks, cybercriminals have been deploying Phobos in many successful crypto attacks. Victims know they have been infected when they see a weird extension attached to every infected file. The extension follows the pattern [ID].[contact email address].[phobos]. The ID is a combination of capital letters and numbers. It generates automatically upon successful infection and is unique for each infected computer. The email address is the one mentioned in the ransom note and victims are supposed to use it to get in touch with the actors behind the attack. At present, there are a few email addresses in circulation, namely:










Following an AES-based encryption algorithm, Phobos renders the victim's files useless and loads a ransom note dubbed 'Phobos.hta.' Phobos affects dozens of file types. Some of those files (text, music, video, etc.) are quite popular among PC users, while others ensure the proper running of your system. In spite of the 'Phobos’ logo placed on top of the note, it is practically a carbon copy of the note seen on all Dharma ransomware infections so far. As usual, the crooks demand that victims contact them using the email address provided therein if they want to stand a chance of recovering their data. The text makes no mention of any specific ransom amount, yet warns users they will have to pay more money unless they respond within a few hours at the most.

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail
Write this ID in the title of your message D08133EB
In case of no answer in 24 hours write us to theese e-mails:
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 5 files for free decryption. The total size of files must be less than 10Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The note concludes with an essential guide to purchasing Bitcoin and offers free decryption of up to 5 files totaling no more than 10MB in size (compared to just one file of up to 1MB in Dharma's note) as a guarantee that the actors in charge have a fully working decryption tool at hand.

Detected as Crysis

While Phobos has already implemented Dharma's ransom note, it appears to have borrowed some code from the infamous Crysis Ransomware, as well. As it is, some anti-virus programs are currently detecting Phobos as Crysis, which implies that the former may share code with the latter after all. Nevertheless, Phobos ransomware does have a file marker structure of its own. The striking similarity to Dharma leads security researchers to believe that both ransomware strains may be distributed by the same cyber gang.


Win32.Trojan.Obfuscated.gx.3 [CAT-QuickHeal]Downloader.Obfuskated [AVG]Trojan.Crypt.XPACK.GenCovert.Sys.Exec [Prevx1]BlockReason.0TrojanDownloader:Win32/Agent.ZZC [Microsoft]TR/Crypt.XPACK.Gen [AntiVir]

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Phobos Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

lenveqvt.exe File name: lenveqvt.exe
Size: 94.2 KB (94208 bytes)
MD5: 3cfcf070d6b025443254eb2f0ed44c16
Detection count: 90
File type: Executable File
Mime Type: application/octet-stream
Group: Malware file
Last Updated: December 11, 2009
nabmlare.exe File name: nabmlare.exe
Size: 98.3 KB (98304 bytes)
MD5: 64a8e5a0937fc83633337c1613fc578b
Detection count: 55
File type: Executable File
Mime Type: application/octet-stream
Group: Malware file
Last Updated: December 11, 2009
tujwbkbm.exe File name: tujwbkbm.exe
Size: 90.11 KB (90112 bytes)
MD5: 416639cf3452afa1b68071701dde4137
Detection count: 54
File type: Executable File
Mime Type: application/octet-stream
Group: Malware file
Last Updated: December 11, 2009
%SYSTEMDRIVE%\Users\abc\AppData\Local\ItFoV.exe\ItFoV.exe File name: ItFoV.exe
Size: 676.04 KB (676048 bytes)
MD5: 84172a6854479c9ad2bdbc6d276bc49a
Detection count: 54
File type: Executable File
Mime Type: application/octet-stream
Path: %SYSTEMDRIVE%\Users\abc\AppData\Local\ItFoV.exe\
Group: Malware file
Last Updated: July 23, 2019

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask%APPDATA%\microsoft\windows\start menu\programs\startup\ph_exec.exe%LOCALAPPDATA%\ph_exec.exe%UserProfile%\Local Settings\Application Data\ph_exec.exe
Posted: October 23, 2017
Threat Metric
Threat Level: 10/10
Infected PCs 187
Home Malware Programs Ransomware Phobos Ransomware