Phobos ransomware spreads fear due to your terrible infosec

Richi Jennings Your humble blogwatcher, dba RJA

Yes, ransomware is still a thing. The latest nasty doing the rounds is Phobos—a variant of Dharma and CrySiS.

It spreads via Remote Desktop Protocol (RDP), which shouldn’t really be a problem, because—c’mon—who the heck would expose the Windows RDP port to the public Internet? Oh, wait.

Many people do, apparently. Have they not heard of VPNs? In this week’s Security Blogwatch, we develop a phobia.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Make Ariana weird again 


What’s the craic? Danny Palmer says Phobos exploits weak security to hit targets around the world:

A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware … in a series of attacks against businesses around the world. … The ransomware first emerged in December.

It shares a number of similarities with Dharma ransomware. … Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks. [It] also contains elements of CrySiS ransomware.

Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy … providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms. … Organisations can go a long way to not becoming a victim … by securing their RDP ports and by regularly backing up.

Mathew J. Schwartz blames the Dharma Gang:

[They] are using easily available lists of stolen or hacked [RDP] credentials to remotely access enterprise networks. … It's been hitting organizations since the middle of last month.

[It] includes the ability to crypto-lock files on a local drive, as well as mapped network drives, unmapped network shares and virtual machine drives.

Lists of RDP ports can be purchased inexpensively on underground cybercrime forums, often compiled by attackers who guess or brute-force attack RDP-using organizations. … By the time an organization finds that its files have been forcibly encrypted and a ransom note left, attackers may have already been inside its networks for weeks or months, having already grabbed everything else of potential value.

Avoid paying a ransom whenever possible. … Doing so directly funds cybercrime and furthers ransomware attacks.

But why “Phobos”? Bill Siegel and Alex Holdtman go all classical:

The ransomware [is] dubbed Phobos by the distributors (possibly after the Greek god of fear).

The attack vectors [are] open or weakly secured RDP ports. As usual, the attacks are exacerbated when companies … have not properly partitioned … the network with strong administrative controls.

Phobos carries some subtle differences from active Dharma variants. Both … draw their lines from the CrySis ransomware family and commonly used AV software will identify a Phobos executable sample as CrySis. … The exploit methods, ransom notes and communications remain nearly identical.

Compare and contrast. David Bisson notes it’s Using Same Ransom Note as Dharma:

Phobos’ ransom message differs from Dharma’s only in the branding. … Otherwise, the notes are exactly the same.

Phobos’ note ends this name with the .phobos file extension, while Dharma is known to [use] numerous file extensions including .xxxxx, .like., .java, .bip, .combo, .arrow, .arena and .gamma. … It’s important that organizations protect themselves against new and old ransomware strains.

How does it work? G’day, mickyj:

I have been dealing with this one today. … The attack was quickly traced to … a Russian IP.

I found a copy of the Exec.exe file in the offline files as the computer was on a domain and the end user pulled the network. I also found the hackers' tools which included various tools to kill various antivirus.

My client had IObit unlocker installed minutes before the infection.

Anyone else? Here’s Barzinga79:

Within 30 minutes it looks like this was what happened on one machine: Defender quarantined a file, then Process Hacker 2 was installed, then IObit and IObit Unlocker was run, then TeamViewer (which was previously installed), then FxsTmp was used, then Encryption started.

And architectt thinks he’s spotted a pattern:

I keep looking for suspicious things, and one I think is … iObit Driver Booster received an update on the same day as the attack. There's a lot of reports where Malwarebytes identifies it as malware.

Another thing I found is I have Orbitdownloader in my Program Files (x86) and I never installed it. Its modified date is near the attack too.

What should you do if you lose your data? Hopefully restore from a backup, says ctilsie242:

With all these ransomware products coming out, I've wondered why backup utilities have not evolved much. The ideal backup utility would be one that is "pull" based, where the client machine has zero access to the backup data.

Unlike most IT disasters where backing up to a file share or an S3 bucket is good enough, ransomware means that you have to ensure the client can only append data.

Meanwhile, nightfire-unique sounds righteously annoyed:

Another malware author who rudely refuses to build a Linux port!

The moral of the story?

Audit your open ports—including RDP. And make sure your backups are secure (not to mention recoverable).
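While that audit is under way, the credential guessing against RDP described above can be spotted in the Windows Security log as a burst of failed logons (event 4625) from one source, sometimes followed by a success (event 4624). The sketch below is an added example, not code from any of the quoted sources; the sample events are constructed, and the internal address range and thresholds are assumptions to adjust per site.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

FAILED, SUCCESS = 4625, 4624          # Windows Security log event IDs
# 10 = RemoteInteractive (RDP). With NLA, failed RDP logons are recorded as
# type 3, which also covers other network logons, so triage type-3 hits.
RDP_LOGON_TYPES = {3, 10}
INTERNAL = ip_network("10.0.0.0/8")   # assumption: this site's internal range

# Constructed sample: (time, event ID, logon type, source IP, account)
SAMPLE = [
    ("2019-01-21 03:10:%02d" % s, FAILED, 3, "203.0.113.7", "administrator")
    for s in range(0, 48, 6)          # eight failures in under a minute
] + [
    ("2019-01-21 03:11:02", SUCCESS, 10, "203.0.113.7", "administrator"),
    ("2019-01-21 08:59:40", FAILED, 10, "10.1.4.22", "jsmith"),  # one typo
    ("2019-01-21 09:00:05", SUCCESS, 10, "10.1.4.22", "jsmith"),
]

def find_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return one finding per source IP with >= threshold failed RDP logons
    inside `window`, listing accounts that logged on from it afterwards."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, event_id, logon_type, ip, user in events:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == FAILED:
            failures[ip].append(when)
        elif event_id == SUCCESS:
            successes[ip].append((when, user))

    findings = []
    for ip, times in failures.items():
        times.sort()
        start, hit = 0, None
        for end, t in enumerate(times):      # sliding window over failures
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hit = t                      # moment the threshold was reached
                break
        if hit is None:
            continue
        followed = sorted({u for when, u in successes[ip] if when >= hit})
        findings.append({"source": ip, "failures": len(times),
                         "external": ip_address(ip) not in INTERNAL,
                         "accounts_logged_on_after": followed})
    return findings
```

A finding with a non-empty `accounts_logged_on_after` list and `external` set means a guessed password probably worked, and that account and host should be treated as compromised.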

And finally …

How to make Ariana Grande weirder

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Pascal (cc:0)
