Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Phobos Ransomware: All You Need to Know

Phobos Ransomware

Ransomware has grown in popularity among cybercriminals seeking personal benefit. While some ransomware is distinct and inventive, others are strikingly identical. The last group includes Phobos ransomware. Despite not being the most noticeable ransomware strain, Phobos may wreak substantial harm to your system and leave a trail of ruin in its wake.

In this blog, I will present an in-depth investigation of Phobos ransomware, including its features, how it spreads, and ways to safeguard yourself or your organization.

What is Phobos Ransomware?

Phobos ransomware was first discovered in December of 2018 and is a cyber threat that primarily targets organizations. However, unlike other cybercriminal groups that go after more prominent targets for bigger payouts, the perpetrators behind Phobos tend to focus on smaller businesses that may not have the resources to pay large ransoms. As a result, the average ransom demand for a Phobos attack is around $18,755.

Phobos ransomware has close similarities in structure and approach to two other notorious viruses, Crysis and Dharma. Crysis was first detected in 2016 and gained popularity after its source code was released online. With the creation of decryption keys for Crysis, cybercriminals adapted the code to create Dharma. When decryption tools were developed to target Dharma, the ransomware evolved again, leading to the emergence of Phobos in 2018.

How Does Phobos Ransomware Spread?

Phobos ransomware, like other malware, affects systems and possibly spreads throughout the whole network in the following ways:

  • By phishing to obtain account information and passwords or to fool the victim into opening a harmful attachment.
  • Using the Remote Desktop Protocol (RDP) to obtain immediate access. Port 3389 is the port targeted by Phobos ransomware.
  • By patching exploits, other software flaws, and
  • brute-forced remote desktop protocol credentials.

How Does Phobos Ransomware Work?

When Phobos ransomware infiltrates your system, it does not usually attempt to circumvent Windows User Account Control (UAC). The threat actor will copy and run the executable file with administrative rights.

The ransomware will then install itself in critical areas, such as the Windows Startup folder, and establish registry entries to resume even when the machine is restarted.

Phobos will then begin a constant scan, focusing on local user files and network shares while looking for new files that fit the encryption requirements. This includes user-generated assets such as documents, frequently used directories, and media.

It encrypts all standard-sized files. Its technique, however, differs for huge files, partly encoding just specified regions. It manages to save time while also maximizing damage in this manner.

Phobos employs AES-256 in addition to RSA-1024. The data is AES-encrypted, whereas the private key needed for decryption is RSA-encrypted. AES and RSA are both commonly used for secure data transfer for lawful and criminal purposes

In addition to encrypting your data, Phobos stops current operating system processes to clear its route into your files. It also removes local backups and shadow copies. Lastly, it disables recovery mode and your firewall to prevent you from resetting the device and eradicating the infection.

When the first encryption procedure is complete, the ransomware program generates two files with the same ransom note. There is a text file as well as an HTA file. The HTA file is opened and presented on the screen when the encryption process is finished.

The ransom demand includes the victim’s name and demand ID, as well as an email address to which the victim should write payment instructions. The ransom amount is not displayed in demand and can be changed at any time by the attacker. The attackers will also bargain. But, if the ransom is not paid, it will rise over time.

Notable Phobos Ransomware Attacks and Damages

Phobos ransomware has been responsible for several high-profile attacks since its emergence in 2018. Here are some of the notable incidents:

  • In December 2019, the University of Maastricht in the Netherlands was hit by a Phobos ransomware attack that affected its computer systems, email, and file servers. The university ended up paying a ransom of 30 bitcoin (approximately $220,000) to regain access to its files.
  • In March 2019, the National Association of the Deaf (NAD) suffered a Phobos ransomware attack that encrypted the organization’s files and disrupted its operations.
  • In March 2020, the insurance company Chubb was hit by a Phobos ransomware attack that reportedly affected its computer systems worldwide. The attackers demanded a ransom of $15 million, which Chubb did not pay.
  • In May 2020, the International Labour Organization (ILO), a United Nations agency, suffered a Phobos ransomware attack that affected its computer systems and forced it to temporarily shut down its website and email services.

How to Prevent from Phobos Ransomware Attack

Damages are involved whenever an organization or an individual is hit by a ransomware attack. Phobos ransomware can cause significant damage to an organization’s operations, reputation, and financial stability, as we have seen from the attacks mentioned above.

Therefore, it is essential to implement adequate preventive and protective measures. The following are some measures you can take to protect your organization from a Phobos attack;

  • Educate your staff on Ransomware – Your staff is your first line of defense against an impending attack as a small company owner targeted by Phobos ransomware. This is why I propose prioritizing teaching them as part of a bigger preventative strategy. As a result, training employees to spot suspicious links, malware attachments, counterfeit branding, and other spam components is a great security resource for your company.
  • Create Offline and Online Data Backups – In a Phobos ransomware attack, retaining backups of your company’s data allows you to restore files without paying hackers for a decryptor.
  • Patch Software Vulnerabilities Regularly – As previously stated, Phobos spreads via patch exploits and other software vulnerabilities, among other methods. You should install software updates as soon as their various developers release them.

Impacts of the Phobos Ransomware Attack

Phobos ransomware attacks can result in significant financial losses for organizations. For example, in December 2019, the University of Maastricht paid a ransom of 30 bitcoin to regain access to its files.

Further, the attacks can disrupt an organization’s operations, causing downtime and lost productivity. For instance, in January 2019, the City of Del Rio in Texas was forced to shut down certain services following a Phobos ransomware attack on its email system.

Phobos ransomware attacks can damage an organization’s reputation, especially if sensitive or confidential data is stolen or leaked. For example, in March 2019, the National Association of the Deaf suffered a Phobos ransomware attack that disrupted its operations and compromised some of its data.

Lastly, Phobos ransomware attacks can also result in legal and regulatory compliance issues for organizations, especially if personal or sensitive data is stolen or compromised. This can result in fines, legal action, and reputational damage.

What are the Benefits of Cybersecurity Measures?

Cybersecurity is critical in today’s digital age because it helps protect organizations and individuals from a wide range of cyber threats, including ransomware attacks like Phobos. Here are some reasons why cybersecurity is essential:

  • Cybersecurity helps protect sensitive information such as personal data, financial information, and trade secrets from cybercriminals who seek to exploit them for malicious purposes. This is crucial to maintaining trust and credibility with customers and stakeholders.
  • Cybersecurity measures help prevent financial losses from cyber attacks such as ransomware, which can cause significant financial loss to organizations and individuals.
  • Cybersecurity helps maintain business operations by preventing disruptions caused by cyber-attacks. Disruptions can result in lost productivity, downtime, and other negative consequences.
  • Cybersecurity helps organizations comply with legal and regulatory requirements for protecting sensitive data. Failure to comply can result in fines, legal action, and reputational damage.
  • Cybersecurity measures help protect against reputational damage resulting from cyber attacks. A cyber attack can damage an organization’s reputation, losing trust and credibility with customers and stakeholders.

How Lepide Helps Protect Against Phobos Ransomware Attacks

Lepide helps protect against ransomware attacks in several ways. Primarily, the Lepide Data Security Platform can help detect ransomware attacks in progress in a variety of ways, including:

  • User Behavior Analytics – Detecting abnormal behavior from users or entities on the network. This can include activities such as accessing files at unusual times, accessing files they don’t normally access, or attempting to access files from unusual locations. These activities can be an indication of a ransomware attack.
  • Automated Threat Models – Lepide can automatically detect unusual activity that might indicate ransomware, such as bulk file renames, and execute custom scripts in real-time to address the threat. These threat models come out of the box and can be turned on with a single click.

Lepide is also useful when it comes to mitigating the risk of ransomware attacks by narrowing your attack surface. Use Lepide Data Security Platform to identify users with passwords that never expire, inactive users, stale sensitive data, open shares, and more. Rectifying these states can help to improve your overall threat surface area and reduce the risk of a ransomware attack.

Conclusion

In conclusion, Phobos ransomware is a strain of malware that targets small businesses, encrypts all standard-sized files, and demands a ransom from victims to recover their files. Phobos ransomware spreads through phishing, exploiting software flaws, and brute-forcing remote desktop protocol credentials. It installs itself in critical system areas, encrypts files, disables recovery mode and firewall, and clears local backups and shadow copies.

Several high-profile attacks have been attributed to Phobos ransomware, such as the University of Maastricht, Chubb, and the International Labour Organization. It is thus essential to educate staff on ransomware and implement measures to prevent and protect systems from Phobos ransomware.

By staying up to date about ransomware attacks, individuals and organizations can be better prepared to prevent and mitigate the impact of such attacks. This includes being aware of the latest techniques and tools cybercriminals use to spread ransomware, understanding the vulnerabilities in your systems and networks, and implementing effective preventive measures to reduce the risk of an attack.

Moreover, staying informed about ransomware attacks can help individuals and organizations recognize the signs of an attack and take prompt action to limit the damage. This includes identifying the type of ransomware, isolating affected systems and networks, and reporting the attack to the relevant authorities.

If you’d like to see how the Lepide Data Security Platform can help you protect against ransomware attacks, schedule a demo with one of our engineers.