Phobos ransomware


Phobos NotDharma Ransomware



This crypto-ransomware encrypts user data using AES and then demands that the victim write to the extortionists by email in order to pay a ransom in # BTC to decrypt the files. Original title: Phobos (shown in the ransom note). There is evidence that it is distributed from Ukraine.

Detection:
Dr.Web -> Trojan.Encoder.27737, Trojan.PWS.Banker1.30220
BitDefender -> Trojan.GenericKD.31737610, Gen:Variant.Ulise.24543, Trojan.GenericKD.31838640
Malwarebytes -> Trojan.Crypt, Ransom.Phobos

Genealogy: CrySiS > ✂ Dharma > Phobos


According to the basics of the Ransomware Genealogy, the scissors icon ✂ here means any borrowing. In this case we see a similar form for encrypted files; later a similar note appeared, a similar ID with 8 characters, and other elements. Most likely, this is used to confuse detection and analysis and to intimidate the victims. The visual difference is the capital letters ID instead of the lowercase id of the Dharma Ransomware. The principal differences are well shown in Michael Gillespie's post on the BC forum (link).
There is also something that was used in CrySiS.

A composite extension is added to the encrypted files using the pattern: ID <hex>.[<Email>].PHOBOS

The first activity of this crypto-ransomware was seen in the second half of October 2017. It is aimed at English-speaking users, which does not prevent it from spreading around the world. At the end of 2018 it began to spread actively again. See new variants and updates after the main article.

The ransom note is called: Phobos.hta


Contents of the ransom note:
All your files are encrypted
Hello World
Data on this PC turned into a useless binary code
To return to normal, please contact us by this e-mail:
Set topic of your message to 'Encryption ID: 6BBC6934'
Interesting Facts:
• 1. Over time, the cost increases, do not waste your time
• 2. Only we can help you, for sure, no one else.
• 3. BE CAREFUL !!! If you are still trying to find other solutions to the problem, make backup copies of the files you want to experiment with, and play with them. Otherwise, they can be permanently damaged
• 4. Any services that offer you help either simply take money from you and disappear, or will be intermediaries between us, with an inflated cost. Since the antidote is only among the creators of the virus

Technical details

It can be spread by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, exploits, web injections, fake updates, repackaged and infected installers. See also "Basic ways of distributing crypto-ransomware" on the introductory page of the blog.

➤ It removes shadow copies of files, disables the Windows recovery and repair functions at boot time, disables the firewall, and starts the mshta.exe application to display the ransom demands, using these commands:
vssadmin.exe vssadmin delete shadows /all /quiet
WMIC.exe wmic shadowcopy delete
bcdedit.exe bcdedit /set {default} recoveryenabled no
bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures
netsh.exe netsh advfirewall set currentprofile state off
netsh.exe netsh firewall set opmode mode=disable
mshta.exe "%USERPROFILE%\Desktop\info.hta"
mshta.exe "%PUBLIC%\desktop\info.hta"
mshta.exe "C:\info.hta"

➤ It registers itself in Startup:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\exec.exe

➤ Victims noticed Process Hacker 2 being installed or unpacked on their PCs. It is often used by attackers for "black" deeds. For example, at the end of December 2018 and the beginning of January 2019, the file processhacker-2.39-setup.exe was used.

The list of file extensions that are encrypted:


These are MS Office documents, OpenOffice, PDF, text files, databases, photos, music, video, image files, archives, etc.

➤ The file marker PHOBOS is used.
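
The command lines listed above can be turned into a detection over process-creation logs. The following Python example is added here and is not part of the original article; the rule names, the `triage` scoring and the sample events are constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the command lines listed in the article (matched after normalize()).
RULES = {
    "shadow_copy_delete": re.compile(
        r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b"),
    "boot_recovery_disabled": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\s+\S+\s+"
        r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    "firewall_disabled": re.compile(
        r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
        r"|firewall\s+set\s+opmode\s+mode\s*=\s*disable)\b"),
    "hta_note_displayed": re.compile(r"\bmshta(\.exe)?\s+.*\\info\.hta\b"),
    "startup_folder_exe": re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.exe\b"),
}
INHIBIT = {"shadow_copy_delete", "boot_recovery_disabled", "firewall_disabled"}

def normalize(cmdline):  # lower-case, drop double quotes, collapse whitespace
    return re.sub(r"\s+", " ", cmdline.replace('"', "").lower()).strip()

def classify(cmdline):
    """Return the sorted rule names that match one command line."""
    text = normalize(cmdline)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def triage(events):
    """events: iterable of (host, cmdline). Returns {host: "high" | "review"}.
    INHIBIT holds the behaviours that remove recovery options or defences."""
    seen = defaultdict(set)
    for host, cmdline in events:
        seen[host].update(classify(cmdline))
    verdicts = {}
    for host, hits in seen.items():
        inhibit = hits & INHIBIT
        if len(inhibit) >= 2 or (inhibit and "hta_note_displayed" in hits):
            verdicts[host] = "high"    # chain of behaviours, as described above
        elif hits:
            verdicts[host] = "review"  # single match, may be admin activity
    return verdicts

SAMPLE_EVENTS = [  # constructed process-creation records: (host, command line)
    ("WS-01", r"vssadmin.exe  Delete Shadows /All /Quiet"),
    ("WS-01", r"bcdedit /set {default} recoveryenabled no"),
    ("WS-01", r"netsh advfirewall set currentprofile state off"),
    ("WS-01", r'mshta.exe "C:\Users\Public\Desktop\info.hta"'),
    ("SRV-02", r"vssadmin list shadows"),
    ("SRV-03", r"wmic shadowcopy delete"),
]

print(triage(SAMPLE_EVENTS))
```

Scoring per host rather than per event keeps a lone shadow-copy deletion at "review" and raises "high" only when several of the listed behaviours occur together.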

Related Ransomware files:
<random>.exe

Registry entries related to this Ransomware:
See below for analysis results.

Network connections: see the analysis results below.

Test results:
Hybrid analysis >>
VirusTotal analysis >>
Other analysis >>

Prevalence rate: average.
Details are collected regularly.




Phobos ransomware decryptor

This is the original decryptor from the extortionists.

Files that are required for the decryptor to decrypt files. 
