What is Phobos ransomware and how to protect against it

Phobos is the Greek god of fear. The Phobos ransomware is named after this god to increase its profile on the cybercrime stage

Phobos is a copy of the Dharma ransomware system. It doesn’t replace Phobos; it supplements it. The hackers behind Phobos seem to be using it as a backup system if the encryption by Dharma fails.

In addition to being used as ransomware, Phobos is a support system for Advanced Persistent Threats (APTs). In this scenario, hackers gain access to a network and spend time exploring resources, extending control, and assessing the value of data held within. So, Phobos is both an avenue for ransomware and data theft. Both of these threats can cause severe financial and reputational damage to businesses.

Here is our list of the best Phobos Ransomware protection tools:

  1. CrowdStrike Falcon Insight – This tool stands out for its integration of local antivirus capabilities with cloud-based threat intelligence, ensuring continuous protection even for offline devices. Its ability to excel in hybrid environments and its intuitive admin console make it a top recommendation for businesses seeking robust, scalable cybersecurity solutions.
  2. ManageEngine DataSecurity Plus – Tailored for businesses adhering to strict data privacy standards, this tool offers comprehensive file integrity monitoring and data loss prevention, combined with an audit trail for complete visibility over sensitive data handling.
  3. BitDefender GravityZone – BitDefender GravityZone is an excellent choice for businesses looking for a multi-faceted approach to fend off ransomware and other cyber threats. Its range of editions caters to different business sizes, from home offices to small businesses.

About Phobos ransomware

Cybersecurity analysts first identified Phobos in December 2018. While many malware systems are anonymous and named by security researchers, Phobos declared its name in its ransom note. For the true origin of Phobos, we need to look back further – to February 2016. This is when Crysis first made an appearance. Phobos is a variant of the Crysis ransomware.

Crysis and its derivatives attack computers running Windows. Crysis is still in operation. It gets into systems through phishing emails, which is the most widely-used entry method for ransomware.

The Crysis system is a little outside the norm for ransomware because it also encrypts system files. This makes it difficult for the computer to continue in operation, so the victim can’t pay the ransom from the infected computer. Another unusual aspect of Crysis is that the team periodically releases all of its master keys, allowing all victims to decrypt their files for free.

The team behind Crysis produced another ransomware system called Dharma. This uses the Crysis attack but with a different delivery system – the Remote Desktop Protocol (RDP). Another difference between Crysis and Dharma is that the Dharma product is a Ransomware-as-a-Service platform. It provides a toolkit for other hackers who want to break into ransomware. A typical Dharma attack is a bespoke process with hackers moving about a system and dropping the ransomware over internal connections.

Phobos is an in-house version of the Dharma RaaS, which could also be seen as Crysis with RDP for delivery instead of spam email. The Phobos ransom note is precisely the same as Dharma, only with the Phobos name replacing Dharma. Many AVs that can detect Phobos misreport it as Dharma because the code for the two is so similar. Others will report it as Crysis.

How does a Phobos attack start?

RDP uses TCP port 3389. It enables technicians and office workers to access workstations from another location. The RDP system doesn’t just give access to the operating system, like a Telnet service; it lets users see the target computer’s Desktop. Microsoft developed RDP, and several commercial products, such as TeamViewer, are based on that original underlying service in the Windows operating system.

A detection scan by cybersecurity software provider, Rapid7 discovered nine million computers that had Internet-facing, open RDP ports in a 2016 sweep. In 2017, that number was 11 million. As RDP is useful for telecommuters, the recent trend of home working due to Covid-19 has probably tempted many more businesses to allow open RDP ports.

A Phobos attack gets into a target computer through an open RDP port. It is possible to set up RDP accessibility on a computer and require a password for external access. Unfortunately, many system administrators don’t set up a password for external access via RDP.

The main piece of information that the hacker needs to get Phobos onto a computer is its IP address. If a business doesn’t operate password protection, all the hacker has to do is set up an RDP connection to the discovered IP address. Anyone can break in for any purpose through a standard remote desktop tool, many of which are free to use.

What does Phobos do?

Just as Rapid7 did a sweep of the Internet with a crawler, cycling through IP addresses and probing RDP ports, any hacker can perform the same sweep. Some hacker teams just perform this type of research and then package their findings of vulnerable targets for sale. A second hacker group, such as the Crysis team, buys a list, uploads it into their attack system, and then lets it run.

The attack software just works through the target list, making a connection, transferring the ransomware bundle, and then moving on to the following address in the list. In some cases, the information about an open port might be out of date, and no attack occurs. However, in many others, the installer will run, and a Phobos ransomware attack is underway.

The installer unpacks a bundle of tools, many of which are off-the-shelf commercial seems available as legitimate software packages. Unfortunately, the Crysis team did not produce these, so they simply acquired free versions or pirated the paid tools.

The controlling software for the ransomware is called Exec.exe. Unfortunately, the Crysis team does not produce these, and it calls a series of other programs in sequence to perform its attack. The first two of these are Process Hacker 2 and IObit Unlocker. The first of these identifies processes that have control of files, and the second kills them. This makes files available for alteration by encryption.

Other legitimate software used in a Phobos attack includes TeamViewer, remote access and remote control system, and Orbit Downloader. However, this download manager is no longer distributed commercially because of its extensive use by hackers.

Before performing its encryption routine, Phobos deletes all shadow copies and locally held backups, such as those created by autosave functions.

What is the Phobos encryption system?

Phobos encrypts working files, such as those containing documents, spreadsheets, presentations, images, audio, and video. It will also encrypt archives, such as .rar and .zip files. Fortunately, it won’t encrypt system files or executables, so the target computer will still be functional once the encryption completes. The system also installs its source code in the %APPDATA% directory and writes a key in the registry to get it included in Startup routines.

The AES cipher performs the encryption with a 256-bit key. This key seems to be generated locally because the encryption process can proceed even if the machine is disconnected from the internet. The encryptor also creates a victim ID and an attack ID.

Each encrypted file gets its file name changed by the addition of extra extensions on end. These extensions include the ID for the attack and the attacker’s email address. A final “.phobos” extension is also added. The format for the new file name is:

<original name>.id[<victim ID>-<version ID>].[<attacker’s e-mail>].phobos

The standard size and small files are encrypted in their entirety, while the system only encrypts sections of huge files.

The encryptor locks up the ID and AES key in 1048-bit RSA encryption. It is believed that this uses a standard public key for encryption that is the same for all attacks. The encryption key for this RSA protection is probably hard-coded into the encryptor.

The Phobos ransomware will encrypt all working files on all drives accessible by users on the target computer. That means it will also encrypt files on networked and shared drives mounted on the device.  The ransomware remains resident even after the initial encryption has finished. As the computer’s software is operational, it is possible to create new documents. However, these will all be encrypted and made inaccessible as soon as they are saved.

The Phobos ransom

When the initial encryption process finishes, the ransomware package creates two files that contain the same ransom note. There are a text file and an HTA file. The HTA file is opened and displayed on the screen once the encryption run completes.

The ransom demand includes the victim and demand ID plus an email address to which the victim needs to write for instructions on payment. The ransom amount is not displayed in demand and can be adjusted by the attacker on a whim. The attackers will also negotiate. However, the ransom will increase over time if not paid.

Phobos is a mid-market ransom system. Its ransom level is too high for the general public, but it doesn’t reach up into the “big game hunting” ransom levels. The average ransom for Phobos works out at $18,755. Remember, that’s the average – some attacks will ask for a lot less and others for a lot more.

The ransom must be paid in Bitcoin, and the hackers will send payers a decoder to reverse the encryption. The good news is that the hackers do always send a decryptor and that it always works. Unfortunately, there isn’t any alternative free system or trick that gets around the encryption of Phobos at present.

Defending against Phobos

Ordinarily, the best way to defend against ransomware is to educate your users about downloading attachments or clicking on links in emails from unfamiliar sources. However, the Phobos tactic of getting onto computers through open RDP ports is a different matter. While it is still a good idea to enforce best practices over email treatment, your primary defense against Phobos lies in securing your ports, especially now that more employees work from home.

Our methodology for selecting Phobos Ransomware Protection tools:

We’ve broken down our analysis for you based on these key criteria:

  • Real-Time Detection and Response: Ensuring the tool can identify and neutralize threats as they occur, minimizing potential damage.
  • Comprehensive Backup Solutions: A key defense against ransomware, allowing for quick recovery of encrypted or lost data without paying a ransom.
  • Advanced Threat Intelligence: Utilizing the latest cybersecurity research and data to predict and prevent ransomware attacks, including Phobos.
  • User and Endpoint Behavior Analytics: Detecting anomalies that may indicate a ransomware attack, based on deviations from normal patterns.
  • Robust Encryption and Data Protection: Safeguarding sensitive information to prevent unauthorized access, even in the event of a breach.

Here are some helpful tools that will help you to defend against Phobos:

1. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight

CrowdStrike Falcon Insight is a cybersecurity system package that includes endpoint agents and a cloud-based system protection coordinator. The endpoint agent is also available as a standalone package, called Falcon Prevent. This can continue monitoring each endpoint even when it is disconnected from the network. In addition, the service spots abnormal behavior and can be set to implement automated responses, such as killing suspicious processes and isolating infected machines.

Key Features:

  • Local AV
  • Cloud-based threat hunting
  • Protection continuity for offline devices
  • Blocks lateral movement
  • Private threat intelligence

Why do we recommend it?

CrowdStrike Falcon Insight involves two elements that work together constantly to protect endpoints from ransomware and other threats. Unlike many XDRs that operate an endpoint agent, this system has a fully independent next-gen antivirus package operating on each device. This is able to continue its detection and response even if a ransomware attack disconnects the device from the network.

The cloud-based section of this system receives a threat intelligence feed from CrowdStrike, which adjusts threat-hunting methods. It also receives activity reports from endpoint agents, which are scoured for indicators of compromise.

Who is it recommended for?

CrowdStrike has a very good reputation in the cybersecurity market. However, its AV, called Falcon Prevent is quite expensive, which will deter small businesses. Thus, this is a solution for mid-sized and large organizations. The system is easy to expand because any installation of Falcon Prevent will communicate with the cloud-based Insight controller.


  • Excels in hybrid environments (Windows, Linux, Cloud, BYOD, etc.)
  • Intuitive admin console makes it easy to get started and is accessible in the cloud
  • Can track and alert anomalous behavior over time, improves the longer it monitors the network
  • Lightweight agents take up little system resources


  • Would benefit from a longer trial period

CrowdStrike Prevent is available for a 15-day free trial.


CrowdStrike Falcon Insight is our premier choice for organizations aiming to fortify their defenses against ransomware and a myriad of other cybersecurity threats. This solution uniquely blends advanced local antivirus capabilities with sophisticated cloud-based threat hunting, ensuring comprehensive protection across all endpoints, whether they’re online or offline.

What particularly sets Falcon Insight apart is its ability to autonomously detect and mitigate threats in real-time, leveraging a private threat intelligence feed to stay ahead of attackers. Its lightweight agents ensure robust protection without burdening system resources, a critical feature for maintaining operational efficiency in today’s fast-paced business environments. I appreciate its intuitive admin console, which demystifies cybersecurity for newer users, making it accessible even to those with limited technical expertise. For businesses looking for a scalable, effective cybersecurity solution, CrowdStrike Falcon Insight offers unparalleled protection that evolves with your security needs.

OS: Compatible with Windows, Linux, and cloud environments

2. ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus

ManageEngine DataSecurity Plus is an essential tool for those businesses that follow a data privacy standard, such as GDPR, HIPAA, or PCI DSS. It specifically protects sensitive data from attack or theft.

Key Features:

  • File integrity monitoring
  • Data loss prevention
  • System-wide view
  • Audit trail

Why do we recommend it?

ManageEngine DataSecurity Plus is a large package of tools that block automated attacks, such as ransomware, and also protect sensitive data and intellectual property (IP). The system’s file integrity monitor spots the early stages of ransomware activity, which involves renaming files and encrypting them. Responses can be automated and they can isolate a device and shut down all processes.

This system includes a scanner for sensitive data discovery, which also categorizes each discovered data instance. The service also has a file integrity monitor that can block unauthorized activity on files, such as encryption.

Who is it recommended for?

This system is a package of five tools, which also cover data held on cloud platforms. There is a Free edition of the bundle but it doesn’t include the file integrity monitor, which is vitally important for ransomware detection. It does provide data loss prevention services for up to 50 workstations.


  • Provides a detailed account of file access, allowing sysadmin to understand the context of the file change
  • The platform can track access trends over time, allowing for better malicious behavior detection
  • Supports built-in compliance reporting for popular standards such as HIPAA, PCI DSS, and FISMA
  • Can integrate with numerous helpdesk solutions, notification platforms, and backup systems


  • Requires a sizable time investment to fully explore all the platforms features and tools

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial.

3. BitDefender GravityZone

Bitdefender GravityZone

BitDefender GravityZone offers the perfect mix of system hardening and constant security monitoring that will protect your system against Phobos.

Key Features:

  • Antivirus
  • Backup and recovery
  • Range of editions

Why do we recommend it?

BitDefender GravityZone provides the ideal combination of services to combat ransomware because it has a backup and recovery system, which preserves your data in the event of an attack, and an antivirus to (hopefully) block ransomware files or spot their activities. Data is scanned for viruses as it goes into and out of the backup repository.

The GravityZone page includes a bit of everything. It has endpoint-resident next-generation AV modules, and system sweeps to detect security weaknesses. The first tool that you will use in this bundle is the vulnerability manager. This examines all of the devices on your network and scans through all of its ports. It highlights those that are open or incorrectly secured. The service also examines the operating system and software versions, looking for out-of-date systems, which it will then patches for you.

Malware scanners in multiple locations protect against Phobos and other ransomware. These scans occur on each endpoint, so Phobos will be spotted as soon as it lands on a device on your network. Crucially, the GravityZone system manages backups and scans each file before uploading it to the backup server. In addition, security scans of the entire system constantly look for anomalous traffic and malicious processes. Other protection measures include file integrity monitoring and configuration management.

Who is it recommended for?

BitDefender is available in a range of editions that are packaged to suit home users, home offices, small businesses, and managed service providers. Large organizations probably won’t be so interested in it. Add-ons provide email security, user behavior analysis, and patch management. Small business options run on endpoints and the MSP edition is based in the cloud with endpoint agents.


  • Simple UI reduces the learning curve and helps users gain insights faster
  • Uses both signature-based detection and behavior analysis to identify threats
  • Offers disc encryption on top of endpoint protection
  • Includes device control options for locking down USB ports


  • Could use more documentation to help users get started quicker

BitDefender GravityZone installs a hypervisor as a virtual appliance, and it is available for a one-month free trial.