Decrypt Phobos Ransomware

WHAT IS PHOBOS RANSOMWARE?

Phobos Ransomware is a Ransomware-as-a-Service variant that first appeared in December 2018. Phobos targets small businesses via unsecured RDP ports.

Phobos Ransomware is a type of Crysis ransomware and bears striking similarities to the Dharma ransomware variant.

The Phobos ransom splash screen is identical to Dharma except that it has the Phobos logo. Here is an example of a Phobos ransomware-infected victim computer.

Phobos Ransomware Splash Screen

Phobos ransomware also shares much of the same code.

Phobos ransomware encrypts your data and deletes local backups and shadow copies similar to the Sodinokibi ransomware.

Phobos also stops active operating system processes, which allows it to inflict more damage.

Phobos can also disable recovery mode, which prevents the system from booting into recovery.

It could also disable your firewall, which can be even more harmful to your network.

PHOBOS RANSOMWARE INDICATORS OF COMPROMISE (IOC)

Several Phobos ransomware indicators of compromise (IoCs) can reveal that the malware is present on a victim’s computer.

PHOBOS ENCRYPTED FILES

You will see different extensions on your files if Phobos ransomware has encrypted them.

Ransomware generally renames encrypted files according to the diagram below.

You may notice a different ID for each file share or system on your network. Threat actors may use these IDs to determine the ransom price.

PHOBOS RANSOM NOTE

Common Phobos ransom notes are .txt and .hta files. These are some of the most common places where you can find them: the C drive, the desktop, or the AppData folders on your computer or server.

Here is an example Phobos ransom note:

These are examples of Phobos ransom note names seen in the past:

  • Info.hta
  • Info.txt

The Phobos ransom note, like Dharma, provides instructions to the victim on what to do next if their files are encrypted. The Phobos ransom note is usually very brief and only contains one or two email addresses for the victim to contact the threat actor.

Your desktop background may also look different. This is known as a ransomware splash screen. Phobos will likely create a startup entry that automatically opens the Info.hta file every time the server or computer is restarted.

You must not delete the Phobos ransom note if you want to recover your data. The information it contains will be needed during the ransomware recovery process.
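The two IoC sections above (the per-system ID appended to encrypted file names, and the Info.hta / Info.txt ransom notes) can be turned into a simple offline triage sweep. The script below is an added example, not a tool from Proven Data or from the original page: it walks a directory tree, lists ransom notes by the names given above, and groups renamed files by the ID they carry so you can see how many systems or shares were hit. Because the page's naming diagram is not reproduced, the exact file-name pattern (`name.ext.id[XXXXXXXX-NNNN].[contact].ext`) is an assumption based on public reporting of the Phobos family and should be adjusted to what you actually observe; the sample directory layout, file names and contact address are constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Ransom note file names listed in the write-up above (matched case-insensitively).
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}

# ASSUMPTION: encrypted-file naming convention. The page says Phobos appends a
# per-system ID and a new extension but does not reproduce its diagram, so this
# pattern is taken from public reporting of the family and may need adjusting:
#   original.ext.id[XXXXXXXX-NNNN].[contact].newext
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id\[(?P<id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>\w+)$"
)


def scan_tree(root):
    """Walk `root`; return ransom note paths and encrypted files grouped by victim ID."""
    notes = []
    encrypted = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() in RANSOM_NOTE_NAMES:
                notes.append(full)
                continue
            m = ENCRYPTED_NAME_RE.match(name)
            if m:
                encrypted[m.group("id")].append({
                    "path": full,
                    "original": m.group("original"),
                    "contact": m.group("contact"),
                    "ext": m.group("ext"),
                })
    return {
        "notes": sorted(notes),
        "encrypted": {k: sorted(v, key=lambda e: e["path"]) for k, v in encrypted.items()},
    }


def summarize(result):
    """Per victim ID: how many files were renamed and which contact addresses appear."""
    summary = {}
    for victim_id, entries in result["encrypted"].items():
        contacts = sorted({e["contact"] for e in entries})
        summary[victim_id] = {"count": len(entries), "contacts": contacts}
    return summary


def build_sample_tree():
    """Create a CONSTRUCTED directory layout: one workstation and one share hit with different IDs."""
    root = Path(tempfile.mkdtemp(prefix="phobos_ioc_"))
    contact = "contact@example.invalid"  # constructed placeholder, not a real address
    layout = {
        "host1/Users/alice/Desktop/info.hta": "ransom note placeholder",
        f"host1/Users/alice/Desktop/report.docx.id[0A1B2C3D-2275].[{contact}].eight": "x",
        f"host1/Users/alice/Documents/budget.xlsx.id[0A1B2C3D-2275].[{contact}].eight": "x",
        "share1/Finance/info.txt": "ransom note placeholder",
        f"share1/Finance/ledger.pdf.id[FFEEDDCC-2275].[{contact}].eight": "x",
        "share1/Finance/README.md": "untouched file",
    }
    for rel, content in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    result = scan_tree(root)
    print("Ransom notes found:", result["notes"])
    for victim_id, info in summarize(result).items():
        print(f"ID {victim_id}: {info['count']} renamed files, contacts {info['contacts']}")
```

Point `scan_tree()` at a mounted evidence copy or a mapped share rather than the live system; the per-ID grouping is what tells you whether a single ID covers the whole network or whether each share got its own, which matters for the pricing point made above.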

HOW TO STOP PHOBOS RANSOMWARE

By isolating infected devices from the rest of the network, you can stop Phobos ransomware from spreading. Disconnecting an infected device prevents it from encrypting other devices.

After the devices have been isolated, scan them with antivirus software to find the malware and any other backdoors.

WHAT DOES THE PHOBOS RANSOMWARE RECOVERY COST?

The following factors influence the cost of Phobos recovery:

  • Assessment fee
  • Number of encrypted systems
  • Priority service
  • Ransom demand amount

Understanding what to expect from ransomware recovery costs will allow you to make informed decisions about recovering your data.

WHAT IS THE COST OF PHOBOS RANSOM DEMANDS?

Our data for Q4 2020 shows that the average initial Phobos ransomware demand was $27,050.

$27,050: average initial Phobos ransomware demand (Q4 2020)

Because Phobos victims are usually smaller organizations, the initial ransom demand for Phobos ransomware tends to be lower than for other variants.

Below is a comparison of Phobos ransomware’s average initial ransom demand and that of other popular variants.

The splash screens for Phobos ransomware indicate that the cost of Phobos encryption keys will rise over time. This scare tactic is used by attackers to get victims to quickly pay the requested amount.

Phobos targets small and medium-sized businesses, but it is still considered one of the most lucrative ransomware variants because of its sheer volume of attacks.

$5,727: average ransom demand after negotiation (Q4 2020)

Proven Data has the experience to help negotiate a lower ransom demand from Phobos operators. Our internal data suggests that Phobos operators base their ransom demands on the type and size of the victim’s organization.

HOW TO DECRYPT PHOBOS RANSOMWARE

If your files have been locked by Phobos ransomware, you will want to know what ransomware recovery options are available to decrypt your data.

UNLOCK PHOBOS ENCRYPTED FILES

Phobos encrypts files with AES, using a random key generated by CryptGenRandom, which makes the encryption impossible to break. There are no known flaws in the malware that could be used for data restoration.

Phobos victims are therefore left with no option other than paying the ransom to obtain the decryption key and unlock their files.

As with other ransomware variants, we may be able to restore certain file types without paying the ransom. For more information, contact a Proven Data representative.

PHOBOS DECRYPTER INSTRUCTIONS

Because Phobos requires extra steps to decrypt files, its decrypter is more difficult to use than those for other ransomware families.

These are the steps for running the Phobos decrypter software:

1. Verify that the decrypter does not contain malicious code. A ransomware recovery company can help with this.

2. Disable anti-virus software on the machine where you plan to run the tool. This includes Microsoft Defender.

3. The threat actors provide a scanner tool. All encrypted files must be reachable from the system where you will run the scanner. This includes attaching external hard drives and mapping network shares, and it is crucial so that the scanner finds the public keys in every file you wish to decrypt.

4. Right-click the decryption executable and run it as administrator.

5. A dialog box will appear. To begin the scan, click ‘Scan PC’.

6. It will begin to scan for encrypted files and public key information.

7. After the scan is complete, the output file will be displayed on your screen. This is your public key.

8. Copy and paste the key into Notepad. Save it as a text file with a name and location of your choosing.

9. Send the threat actor the text file containing the public key.

10. If they honor your agreement, they will give you the key to unlock your files. Copy the key and save it in a safe place.

11. As an administrator, open the same scanning tool as before.

12. There are two options for decryption:

  • Decrypt all: every drive letter accessible from the system is decrypted. Click the “Decrypt All” button in the main window.
  • Decrypt a folder: only a specific folder is decrypted. Click the ‘…’ button at the top of the main window, then navigate to the folder you wish to decrypt.

13. The default options are ‘Delete encrypted file after decryption’ and ‘Overwrite existing data’. It is recommended that you uncheck ‘Delete encrypted file after decryption’ if you have not made a backup and you have sufficient space on your system.

14. Copy the private key and paste it into the box. Copying extra spaces can cause problems.

15. Click ‘Decrypt’ to start decryption.

16. If the key was entered correctly, the decrypter will examine all connected devices for encrypted files.

17. A dialog box will appear once the decryption process is complete.

The private key and Phobos decryption tool are only available to victims who pay the ransom to unlock encrypted files.

HOW LONG WILL IT TAKE TO RECOVER FROM A PHOBOS RANSOMWARE ATTACK?

Many factors can affect the recovery time from a Phobos attack. These are:

  • Cleansing the environment of malware
  • Securing vulnerabilities
  • Time spent on negotiations
  • Compliance checks and ransom payment
  • Scanning for the public key
  • Waiting for the threat actor to provide the private key
    • Checking that the private key works
  • Decrypting the data
    • Network size
    • Types, number, and sizes of files
  • Data verification and backup

For a network of 1-3 servers and 10-15 workstations, the entire recovery process takes about 1-3 business days.

WHAT ATTACK VECTORS DOES PHOBOS RANSOMWARE USE?

Phobos ransomware exploits unsecured RDP ports via brute force, dictionary attacks, and/or by buying stolen credentials online through the dark web.

Phobos also uses email phishing and exploits unpatched software flaws to launch attacks.

DOES PHOBOS RANSOMWARE STEAL DATA?

Our internal forensic investigations and additional research have not shown that Phobos ransomware attacks steal data from victims. It is important to still conduct a forensic investigation, as ransomware threat actors change tactics all the time.

PRESERVING EVIDENCE FROM PHOBOS RANSOMWARE

A forensic investigation is required to determine the extent of the damage done to your network by the attackers. If you are considering a forensic inquiry, it is crucial to preserve all evidence.

These are the steps you need to take to preserve forensic evidence:

  1. Shut down your computer and server. Be aware that this will cause some artifacts to be lost.
  2. Make a forensically sound image and then take the system offline.
  3. Download the logs from remote-access software, VPNs, and firewalls.
  4. Document all information related to the ransomware attack.

Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
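Evidence that has been imaged and logs that have been downloaded are only useful later if you can show they were not altered between collection and analysis. The script below is an added example, not part of Proven Data's forensics process or the original page: it builds a SHA-256 manifest over an evidence folder (images, exported VPN and firewall logs, saved ransom notes), writes the manifest as JSON, and later re-verifies the folder against it, reporting files that went missing or changed. The evidence folder, log lines and addresses (RFC 5737 documentation ranges) are constructed for the demonstration; the `collector` name is a placeholder.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash a file so disk images larger than memory can be handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_root, collector):
    """Record path, size and SHA-256 for every file under `evidence_root`."""
    evidence_root = Path(evidence_root)
    entries = []
    for dirpath, _dirnames, filenames in os.walk(evidence_root):
        for name in sorted(filenames):
            full = Path(dirpath) / name
            entries.append({
                "relative_path": full.relative_to(evidence_root).as_posix(),
                "size_bytes": full.stat().st_size,
                "sha256": sha256_file(full),
            })
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,  # placeholder identity of the person collecting
        "entries": sorted(entries, key=lambda e: e["relative_path"]),
    }


def write_manifest(manifest, path):
    """Write the manifest as JSON and return its own SHA-256 to record out of band."""
    data = json.dumps(manifest, indent=2, sort_keys=True)
    Path(path).write_text(data)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def verify_manifest(manifest, evidence_root):
    """Return a list of (problem, relative_path); an empty list means the evidence is intact."""
    problems = []
    for entry in manifest["entries"]:
        full = Path(evidence_root) / entry["relative_path"]
        if not full.exists():
            problems.append(("missing", entry["relative_path"]))
        elif sha256_file(full) != entry["sha256"]:
            problems.append(("modified", entry["relative_path"]))
    return problems


def build_sample_evidence():
    """CONSTRUCTED evidence folder: exported logs plus a saved ransom note placeholder."""
    root = Path(tempfile.mkdtemp(prefix="phobos_evidence_"))
    (root / "logs").mkdir()
    (root / "logs" / "vpn.log").write_text(
        "2021-01-05T03:14:07Z user=svc_backup src=203.0.113.7 result=success\n"
    )
    (root / "logs" / "firewall.log").write_text(
        "2021-01-05T03:12:55Z allow tcp 203.0.113.7:51922 -> 192.0.2.10:3389\n"
    )
    (root / "notes").mkdir()
    (root / "notes" / "info.txt").write_text("constructed placeholder for a saved ransom note\n")
    return root


if __name__ == "__main__":
    root = build_sample_evidence()
    manifest = build_manifest(root, collector="analyst-placeholder")
    manifest_hash = write_manifest(manifest, root.parent / "evidence_manifest.json")
    print("Manifest SHA-256 (record this separately):", manifest_hash)
    print("Problems on verification:", verify_manifest(manifest, root))
```

Keep the manifest and its hash outside the evidence folder (a separate drive or a case-management note); otherwise a change to the evidence could be covered by regenerating the manifest alongside it.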

WHY CHOOSE PROVEN DATA PHOBOS RANSOMWARE RECOVERY?

With our extensive experience, we have a solid understanding of Phobos ransomware and can help you make informed business decisions. To fully recover from the attack, it is essential to understand the threat profile and attack vectors.

We developed a sanctions compliance program to meet our compliance requirements. This ensures that any ransom payments we make on behalf of clients are handled responsibly. We provide you with a compliance and incident report upon completion of the service, which can be used for reporting or insurance purposes.

We can help you get past the unfortunate Phobos cyber incident.