Ransomware test subject – Phobos
Phobos appeared on the ransomware scene in late 2018 – early 2019, and since then its developers have released more than 50 variants, making it one of the most active families of this year. The malware itself is closely related to Dharma (also known as CrySis), and we can only assume that the actors behind both ransomware families are the same. We covered Dharma in this blog post: https://temasoft.com/live-ransomware-attack-video/dharma-crysis-arena-variant/.
Phobos is mostly distributed via compromised Remote Desktop (RDP) connections, an attack vector that has been heavily used lately. RDP is by no means insecure in itself, but it needs proper security configuration and user awareness, which most victims probably lack.
Phobos ransomware – test findings
When Phobos is executed, it immediately starts encrypting. It makes no attempt to bypass UAC, so the consent dialog pops up every time it runs; once consent is given, the copies it makes of itself also execute with elevated privileges. These copies serve two purposes: they run the malware automatically after a reboot, by being added to the Startup section of the Windows registry, and they encrypt newly created files, since they keep running in memory.
Phobos encrypts all local drives as well as network shares. Just a handful of folders are skipped: those containing critical system processes. The operating system needs to keep running in order to display the ransom notes and increase the chances of a ransom payout. These mechanisms ensure that the attack continues after the first run, but without damaging the operating system critically. Phobos also runs without an active internet connection, probably using a hardcoded encryption key.
All of this makes Phobos very dangerous, and, needless to say, every measure must be taken to avoid infection.
Our sample renames the encrypted files using a Phobos-specific pattern, finally adding the “banta” extension to the attacked files. To encrypt as many files as possible and to avoid file system errors (such as “file in use”), the malware kills some processes on the system.
To make things even harder for the user, Phobos also deletes the Volume Shadow Copies of files, defeating the file restoration methods offered by Windows, and disables the firewall.
Even though experienced malware researchers have worked hard on analyzing Phobos family samples, the code is well written, with no implementation flaw to exploit for decryption, and there is no way to recover the attacked files.
Phobos ransomware vs Ranstop – test results
TEMASOFT Ranstop detects this version of Phobos ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is blocked and quarantined. The affected files are automatically restored, so the user does not lose any essential document.
About TEMASOFT Ranstop
TEMASOFT Ranstop is anti-ransomware software that detects present and future ransomware with a high degree of accuracy, based on file access pattern analysis. At the same time, it protects user files so that they can be restored in case of a malware attack or accidental loss.
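To illustrate what "file access pattern analysis" means in its simplest form, here is an added example (written for this page, not Ranstop's code and not derived from the Phobos sample): a small Python detector that reads file-system events and flags any process that renames many files to one new extension within a short window, which is the behaviour the test findings above describe (files renamed and given the “banta” extension on local drives and network shares). The tab-separated event format, the sample events, the process IDs, the paths, the 10-second window and the threshold of 5 renames are all constructed assumptions; a real product would consume events from a file-system filter driver and tune these values.

```python
"""Toy file-access-pattern detector for ransomware-style mass renames.

Added example, not Ranstop's code. Input lines use a constructed,
tab-separated event format (an assumption for this example):
    <ISO timestamp>\t<pid>\t<op>\t<path>[\t<new path>]
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=10)   # sliding window per process (assumed tuning)
THRESHOLD = 5                    # extension-changing renames per window (assumed)

# Constructed sample events: a user saving a document (pid 1001) and a
# ransomware-like process (pid 4242) renaming files to the "banta"
# extension on a local drive and on a network share.
SAMPLE_EVENTS = [
    "2019-07-01T10:00:00\t1001\tWRITE\tC:/Users/alice/Documents/notes.txt",
    "2019-07-01T10:00:02\t1001\tRENAME\tC:/Users/alice/Documents/draft.tmp\tC:/Users/alice/Documents/report.docx",
    "2019-07-01T10:00:05\t4242\tRENAME\tC:/Users/alice/Documents/report.docx\tC:/Users/alice/Documents/report.docx.banta",
    "2019-07-01T10:00:05\t4242\tRENAME\tC:/Users/alice/Documents/notes.txt\tC:/Users/alice/Documents/notes.txt.banta",
    "2019-07-01T10:00:06\t4242\tRENAME\tC:/Users/alice/Pictures/photo.jpg\tC:/Users/alice/Pictures/photo.jpg.banta",
    "2019-07-01T10:00:06\t4242\tRENAME\tC:/Users/alice/Documents/thesis.pdf\tC:/Users/alice/Documents/thesis.pdf.banta",
    "2019-07-01T10:00:07\t4242\tRENAME\t//fileserver/share/budget.xlsx\t//fileserver/share/budget.xlsx.banta",
    "2019-07-01T10:00:08\t4242\tRENAME\tC:/Users/alice/Documents/archive.zip\tC:/Users/alice/Documents/archive.zip.banta",
]


def parse_event(line):
    """Split one event line into (timestamp, pid, op, path, new_path)."""
    fields = line.rstrip("\n").split("\t")
    ts = datetime.fromisoformat(fields[0])
    pid, op, path = int(fields[1]), fields[2], fields[3]
    new_path = fields[4] if len(fields) > 4 else None
    return ts, pid, op, path, new_path


def extension(path):
    """Lower-cased final extension of a path ('' if there is none)."""
    return os.path.splitext(path)[1].lower()


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Flag processes that rename many files to one new extension in a short window.

    Returns {pid: {"time": first alert time, "ext": new extension,
                   "files": [renamed paths inside the window]}}.
    """
    recent = defaultdict(deque)   # pid -> deque of (ts, new_ext, new_path)
    alerts = {}
    for line in lines:
        ts, pid, op, path, new_path = parse_event(line)
        # Only renames that change the extension count; plain writes and
        # same-extension renames are ordinary user activity.
        if op != "RENAME" or new_path is None or extension(path) == extension(new_path):
            continue
        q = recent[pid]
        q.append((ts, extension(new_path), new_path))
        while ts - q[0][0] > window:       # drop events that fell out of the window
            q.popleft()
        ext = q[-1][1]
        hits = [p for _, e, p in q if e == ext]
        if len(hits) >= threshold and pid not in alerts:
            # First alert for this pid: the file list is what a restore step would act on.
            alerts[pid] = {"time": ts, "ext": ext, "files": hits}
    return alerts


if __name__ == "__main__":
    for pid, a in detect(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} at {a['time'].isoformat()}: "
              f"{len(a['files'])} files renamed to {a['ext']}")
```

Run as a script, it raises a single alert for pid 4242 at the fifth rename (10:00:07) and lists the five affected paths, while the user's save-as rename by pid 1001 stays below the threshold. The sliding window is what keeps the rule quiet on slow, legitimate activity: the same number of renames spread over minutes never accumulates. A real engine would add further signals (write volume, entropy of written data, deletion of the originals) before blocking a process, but the core idea is the same per-process behavioural counter.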
For more information, follow us on social media and subscribe to our newsletter.