What is Phobos ransomware and how to protect against it

Phobos is the Greek god of fear. The Phobos ransomware is named after this god to raise its profile on the cybercrime stage.

Phobos is a copy of the Dharma ransomware system. It doesn't replace Dharma; it supplements it. The hackers behind Phobos appear to use it as a fallback when encryption by Dharma fails.

In addition to being used as ransomware, Phobos is a support system for Advanced Persistent Threats (APTs). In this scenario, hackers gain access to a network and spend time exploring resources, extending control, and assessing the value of the data held within. Phobos is therefore an avenue for both ransomware and data theft, and each of these threats can cause severe financial and reputational damage to a business.

About Phobos ransomware

Cybersecurity analysts first identified Phobos in December 2018. While many malware systems are anonymous and named by security researchers, Phobos declared its name in its ransom note. For the true origin of Phobos, we need to look back further – to February 2016. This is when Crysis first made an appearance. Phobos is a variant of the Crysis ransomware.

Crysis and its derivatives attack computers running Windows. Crysis is still in operation. It gets into systems through phishing emails, which remains the most widely used entry method for ransomware.

The Crysis system is a little outside the norm for ransomware because it also encrypts system files. This makes it difficult for the computer to keep operating, so the victim cannot even pay the ransom from the infected machine. Another unusual aspect of Crysis is that the team periodically releases all of its master keys, allowing all victims up to that point to decrypt their files for free.

The team behind Crysis produced another ransomware system called Dharma. This uses the Crysis attack but with a different delivery system: the Remote Desktop Protocol (RDP). Another difference between Crysis and Dharma is that Dharma is a Ransomware-as-a-Service (RaaS) platform. It provides a toolkit for other hackers who want to get into the ransomware business. A typical Dharma attack is a bespoke process, with hackers moving around a network by hand and dropping the ransomware over internal connections.

Phobos is an in-house version of the Dharma RaaS, which could also be seen as Crysis with RDP for delivery instead of spam email. The Phobos ransom note is precisely the same as Dharma's, only with the Phobos name replacing Dharma. Many antivirus products that can detect Phobos misreport it as Dharma because the code of the two is so similar; others report it as Crysis.

How does a Phobos attack start?

RDP uses TCP port 3389. It enables technicians and office workers to access workstations from another location. The RDP system doesn't just give access to the operating system, like a Telnet service; it lets users see and operate the target computer's Desktop. Microsoft developed RDP and built it into Windows; third-party remote-control products such as TeamViewer offer similar desktop sharing but use their own protocols rather than RDP.

A detection scan by cybersecurity software provider Rapid7 discovered nine million computers with Internet-facing, open RDP ports in a 2016 sweep. In 2017, that number was 11 million. As RDP is useful for telecommuters, the shift to home working during Covid-19 has probably tempted many more businesses to expose RDP to the Internet.

A Phobos attack gets into a target computer through an exposed RDP service. RDP logins use Windows account credentials, so the service is not literally passwordless; the problem is that many administrators expose RDP directly to the Internet with weak, reused or default passwords, no account lockout policy and no Network Level Authentication (NLA), which makes a brute-force or credential-stuffing attack against it trivial.

The main piece of information the attacker needs to get Phobos onto a computer is its IP address. Where the credentials are weak or guessable, all the attacker has to do is point a standard remote desktop client, many of which are free, at the discovered address and try passwords until one works. Anyone can break in for any purpose once that succeeds.

What does Phobos do?

Just as Rapid7 did a sweep of the Internet with a crawler, cycling through IP addresses and probing RDP ports, any hacker can perform the same sweep. Some hacker teams do nothing but this kind of research and then package their findings of vulnerable targets for sale. A second hacker group, such as the Crysis team, buys a list, loads it into their attack system, and lets it run.

The attack software simply works through the target list: it makes a connection, transfers the ransomware bundle, and moves on to the next address. In some cases the information about an open port is out of date and no attack occurs; in many others the installer runs, and a Phobos ransomware attack is underway.
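The sweep described above and the check a defender wants to run against their own address space come down to the same probe. The following Python script is an added example, not code from the original article or from any Phobos tooling: it sends an RDP Negotiation Request (the X.224 Connection Request defined in MS-RDPBCGR) asking for TLS only, without CredSSP, and reads the server's Connection Confirm. A server that enforces Network Level Authentication has to refuse with HYBRID_REQUIRED_BY_SERVER; a server that instead agrees on a protocol will show its logon screen to anyone, which is exactly what a password-guessing attacker needs. The host name in the usage line is a placeholder and the response packets interpreted by the parser are built by hand from the protocol specification.

```python
import socket
import struct
import sys

# requestedProtocols / selectedProtocol flags (MS-RDPBCGR 2.2.1.1.1 and 2.2.1.2.1)
PROTOCOL_RDP = 0x00000000     # legacy "standard RDP security", implied when no flag is set
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication (NLA)

TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03

FAILURE_CODES = {
    0x01: "SSL_REQUIRED_BY_SERVER",
    0x02: "SSL_NOT_ALLOWED_BY_SERVER",
    0x03: "SSL_CERT_NOT_ON_SERVER",
    0x04: "INCONSISTENT_FLAGS",
    0x05: "HYBRID_REQUIRED_BY_SERVER",
    0x06: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request carrying an RDP Negotiation Request."""
    # RDP_NEG_REQ: type=1, flags=0, length=8, requestedProtocols (little-endian)
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class 0, followed by the request
    x224 = struct.pack(">BHHB", 0xE0, 0, 0, 0) + neg_req
    x224 = bytes([len(x224)]) + x224          # length indicator (LI) goes in front
    tpkt = struct.pack(">BBH", 3, 0, 4 + len(x224))
    return tpkt + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Interpret the server's X.224 Connection Confirm and report whether NLA is enforced."""
    if len(data) < 11 or data[0] != 0x03:
        raise ValueError("not a TPKT packet")
    (tpkt_len,) = struct.unpack(">H", data[2:4])
    if tpkt_len != len(data):
        raise ValueError("TPKT length mismatch")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if data[4] == 6:
        # No RDP_NEG_RSP at all: an old server that only speaks standard RDP security
        return {"negotiation": False, "selected_protocol": PROTOCOL_RDP, "nla": False}
    if len(data) < 19:
        raise ValueError("truncated negotiation response")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == TYPE_RDP_NEG_FAILURE:
        # Refusal 0x05 means the server insists on CredSSP before any logon screen
        return {"negotiation": True, "failure": FAILURE_CODES.get(value, hex(value)),
                "nla": value == 0x05}
    if neg_type == TYPE_RDP_NEG_RSP:
        # The server agreed to TLS or plain RDP: the logon screen is reachable without NLA
        return {"negotiation": True, "selected_protocol": value,
                "nla": value == PROTOCOL_HYBRID}
    raise ValueError("unexpected negotiation type %#x" % neg_type)


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask for TLS only (no CredSSP) so that an NLA-enforcing server must refuse us."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_SSL))
        reply = sock.recv(1024)
    return parse_connection_confirm(reply)


if __name__ == "__main__":
    # Usage: python rdp_nla_check.py rdp.example.test   (the host name is a placeholder)
    result = probe_rdp(sys.argv[1])
    verdict = "NLA enforced" if result["nla"] else "NLA NOT enforced: logon screen exposed"
    print(verdict, result)
```

Run it only against hosts you are authorised to test. A result of "NLA NOT enforced" on an Internet-facing address is the condition the Phobos operators are looking for; the fix is to require NLA, put RDP behind a VPN or gateway, and enforce strong passwords with account lockout.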

The installer unpacks a bundle of tools, many of which are off-the-shelf programs available as legitimate software packages. The Crysis team did not write these; they simply acquired free versions or pirated the paid tools.

The controlling program for the ransomware is called Exec.exe. It calls a series of other programs in sequence to carry out its attack. The first two are Process Hacker 2 and IObit Unlocker: the first identifies the processes that hold files open, and the second kills them, which frees the files for alteration by encryption.

Other legitimate software used in a Phobos attack includes TeamViewer, a remote-access and remote-control system, and Orbit Downloader, a download manager that is no longer distributed commercially because of its extensive use by hackers.

Before running its encryption routine, Phobos deletes all Volume Shadow Copies and locally held backups, such as those created by autosave functions, so that files cannot simply be restored from a local snapshot afterwards.
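That clean-up is one of the best places to catch Phobos before the encryption begins, because it is done with ordinary Windows command lines that an endpoint log records. The following Python snippet is an added example, not from the article or from any vendor product: it runs a handful of detection rules over process-creation records and flags a host on which two or more different backup-destruction commands fire within a short window, the burst a ransomware pre-encryption script produces. The pipe-separated lines are a constructed, simplified rendering of the fields a Sysmon Event ID 1 or Windows 4688 event carries; the host names, users and timestamps are made up. The command patterns are the standard shadow-copy, backup-catalog, boot-recovery and firewall commands that Phobos and many other ransomware families issue.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern


# Backup-destruction and recovery-disabling commands typically run via cmd.exe just
# before encryption. Each rule is deliberately narrow so that ordinary admin use
# (for example "vssadmin list shadows") does not fire.
RULES = [
    Rule("vssadmin deletes shadow copies",
         re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    Rule("wmic deletes shadow copies",
         re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    Rule("wbadmin deletes backup catalog",
         re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
    Rule("bcdedit disables boot recovery",
         re.compile(r"\bbcdedit(\.exe)?\s+/set\s+\{default\}\s+"
                    r"(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    Rule("netsh disables host firewall",
         re.compile(r"\bnetsh(\.exe)?\s+(advfirewall\s+set\s+\w+\s+state\s+off"
                    r"|firewall\s+set\s+opmode\s+mode=disable)\b", re.I)),
]

# Constructed sample records: timestamp|host|user|image|command line
SAMPLE_LOG = """\
2021-03-02T09:14:01|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /all /quiet
2021-03-02T09:14:02|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wmic shadowcopy delete
2021-03-02T09:14:03|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c bcdedit /set {default} recoveryenabled no
2021-03-02T09:14:04|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c wbadmin delete catalog -quiet
2021-03-02T09:14:05|WS-042|CORP\\jsmith|C:\\Windows\\System32\\cmd.exe|cmd.exe /c netsh advfirewall set currentprofile state off
2021-03-02T11:30:10|SRV-BKP|CORP\\backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
2021-03-02T13:02:44|WS-017|CORP\\mlee|C:\\Windows\\System32\\cmd.exe|cmd.exe /c vssadmin delete shadows /for=C: /oldest
"""


def parse_event(line: str) -> dict:
    ts, host, user, image, cmd = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "host": host, "user": user, "image": image, "cmd": cmd}


def match_rules(cmd: str) -> list:
    """Names of every rule whose pattern appears in the command line."""
    return [rule.name for rule in RULES if rule.pattern.search(cmd)]


def analyze(lines, window: timedelta = timedelta(minutes=5), min_distinct: int = 2) -> dict:
    """Per host: every matching command, plus a verdict when at least min_distinct
    different rules fire inside one window. A single deletion on its own is recorded
    but not flagged, since admins do prune old snapshots by hand."""
    per_host = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        for name in match_rules(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], name, ev["user"], ev["cmd"]))
    report = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        flagged = False
        for i, (start, _, _, _) in enumerate(hits):
            names = {h[1] for h in hits[i:] if h[0] - start <= window}
            if len(names) >= min_distinct:
                flagged = True
                break
        report[host] = {"hits": hits, "ransomware_precursor": flagged}
    return report


if __name__ == "__main__":
    for host, info in analyze(SAMPLE_LOG.splitlines()).items():
        status = "ALERT" if info["ransomware_precursor"] else "info"
        print(host, status, len(info["hits"]), "hit(s)")
```

In the sample, WS-042 trips five different rules within four seconds and is flagged, while the lone pruning command on WS-017 and the read-only listing on SRV-BKP are not. Feeding the same rules into a SIEM as a correlation search on 4688 or Sysmon process-creation events gives you the alert a few seconds before the first file is encrypted, which is enough time for an automated host isolation.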

What is the Phobos encryption system?

Phobos encrypts working files, such as documents, spreadsheets, presentations, images, audio, and video. It will also encrypt archives, such as .rar and .zip files. Fortunately, it won't encrypt system files or executables, so the target computer remains functional once the encryption completes. The ransomware also copies its own executable into the %APPDATA% directory and writes a registry Run key so that it is launched again at every startup.

The AES cipher performs the encryption with a 256-bit key. This key appears to be generated locally, because the encryption proceeds even if the machine is disconnected from the Internet. The encryptor also creates a victim ID and an attack ID.

Each encrypted file has its name changed by the addition of extra extensions at the end. These include the ID for the attack and the attacker's email address, followed by a final ".phobos" extension. The format of the new file name is:

<original name>.id[<victim ID>-<version ID>].[<attacker’s e-mail>].phobos
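The name format is useful during incident response: it tells you which files were touched, whether more than one encryptor run hit a tree (different victim IDs or addresses) and which file types the attacker went after. The Python below is an added example, not code from the article or from any Phobos sample: a parser for the format above and a small triage routine that can be pointed at a mounted image of the affected disk. The file names it is shown with are constructed, and the ID, version number and e-mail address in them are illustrative only. The final extension is a parameter because later variants of this family append other words in place of ".phobos".

```python
import re
from collections import Counter
from pathlib import Path


# <original name>.id[<victim ID>-<version ID>].[<attacker e-mail>].phobos
def phobos_pattern(final_ext: str = "phobos") -> re.Pattern:
    return re.compile(
        r"^(?P<original>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]+)-(?P<version_id>[0-9A-Fa-f]+)\]"
        r"\.\[(?P<email>[^\]]+)\]\." + re.escape(final_ext) + r"$"
    )


PHOBOS_NAME = phobos_pattern()


def parse_phobos_name(name: str, pattern: re.Pattern = PHOBOS_NAME):
    """Split an encrypted file name into its parts; None if the name is not Phobos-renamed."""
    match = pattern.match(name)
    if not match:
        return None
    parts = match.groupdict()
    # The original extension survives inside the new name, so the victim can still
    # see what kind of file each encrypted blob used to be.
    parts["original_ext"] = Path(parts["original"]).suffix.lstrip(".").lower()
    return parts


def triage(names) -> dict:
    """Summarise a list of file names: how many are encrypted, which IDs and addresses
    appear, and which original file types were hit."""
    parsed = [p for p in (parse_phobos_name(n) for n in names) if p]
    return {
        "total": len(names),
        "encrypted": len(parsed),
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "version_ids": sorted({p["version_id"] for p in parsed}),
        "emails": sorted({p["email"] for p in parsed}),
        "by_original_ext": Counter(p["original_ext"] for p in parsed),
    }


def triage_tree(root) -> dict:
    """Walk a directory tree, for example a read-only mount of the victim disk image."""
    return triage([p.name for p in Path(root).rglob("*") if p.is_file()])


# Constructed sample names; the ID, version and address are illustrative only.
SAMPLE_NAMES = [
    "Q3-forecast.xlsx.id[1A2B3C4D-2275].[decrypt@example.com].phobos",
    "photo 01.jpg.id[1A2B3C4D-2275].[decrypt@example.com].phobos",
    "archive.zip.id[1A2B3C4D-2275].[decrypt@example.com].phobos",
    "README.md",    # untouched files keep their names
    "notes.txt",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_phobos_name(name))
    print(triage(SAMPLE_NAMES))
```

More than one victim ID or address in the same tree means the data was encrypted by separate runs, which matters when negotiating, because one decryptor will not cover the other set.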

Small and standard-sized files are encrypted in their entirety, while very large files have only sections encrypted, which keeps the run fast without leaving the file usable.

The encryptor wraps the ID and the AES key with 1024-bit RSA. It is believed that this uses a standard public key that is the same for all attacks, hard-coded into the encryptor. Because only the public half is present on the victim's machine, the wrapped AES key cannot be recovered from the infected computer; the matching private key stays with the attackers.

The Phobos ransomware will encrypt all working files on all drives accessible to users of the target computer, so it also encrypts files on networked and shared drives mounted on the device. The ransomware remains resident after the initial encryption has finished. As the computer's software is still operational, it is possible to create new documents, but these are encrypted and made inaccessible as soon as they are saved.

The Phobos ransom

When the initial encryption process finishes, the ransomware creates two files containing the same ransom note: a text file (info.txt) and an HTA file (info.hta). The HTA file is opened and displayed on the screen once the encryption run completes.

The ransom demand includes the victim and demand IDs plus an email address to which the victim must write for payment instructions. The ransom amount is not shown in the demand and can be adjusted by the attacker at will. The attackers will negotiate; however, the ransom increases over time if it is not paid.

Phobos is a mid-market ransom system. Its ransom level is too high for the general public, but it doesn't reach up into the "big game hunting" ransom levels. The average ransom for Phobos works out at $18,755. Remember that this is the average: some attacks ask for a lot less and others for a lot more.

The ransom must be paid in Bitcoin, and the hackers send payers a decryptor to reverse the encryption. Reports indicate that the operators do generally deliver a working decryptor, although paying never guarantees one. Unfortunately, there is no free decryptor or trick that gets around the Phobos encryption at present.

Defending against Phobos

Ordinarily, the best way to defend against ransomware is to educate your users about opening attachments or clicking links in emails from unfamiliar sources. However, the Phobos tactic of getting onto computers through exposed RDP ports is a different matter. While it is still a good idea to enforce best practices for email, your primary defense against Phobos lies in securing remote access: do not expose port 3389 directly to the Internet, put RDP behind a VPN or a remote desktop gateway, require Network Level Authentication, enforce strong passwords with an account lockout policy, and add multi-factor authentication where you can. This matters all the more now that more employees work from home.

Here are some tools that will help you defend against Phobos:

1. CrowdStrike Falcon Insight (FREE TRIAL)


CrowdStrike Falcon Insight is a cybersecurity package that includes endpoint agents and a cloud-based protection coordinator. The endpoint agent is also available as a standalone product, called Falcon Prevent, and it continues monitoring each endpoint even when the device is disconnected from the network. The service spots abnormal behavior and can be set to take automated responses, such as killing suspicious processes and isolating infected machines.

The cloud-based section of this system receives a threat intelligence feed from CrowdStrike, which tunes its threat hunting methods. It also receives activity reports from the endpoint agents, which are scoured for indicators of compromise.

CrowdStrike Falcon Insight is available on a 15-day free trial.


2. ManageEngine DataSecurity Plus


ManageEngine DataSecurity Plus is a useful tool for businesses that must follow a data privacy standard, such as GDPR, HIPAA, or PCI DSS. It specifically protects sensitive data from attack or theft.

This system includes a scanner for sensitive data discovery, which also categorizes each discovered data instance. It also has a file integrity monitor that can block unauthorized activity on files, such as the mass renaming and encryption a ransomware run produces.

ManageEngine DataSecurity Plus installs on Windows Server, and it is available for a 30-day free trial.

3. Bitdefender GravityZone


Bitdefender GravityZone offers a mix of system hardening and constant security monitoring that will protect your systems against Phobos.

The GravityZone package includes a bit of everything: endpoint-resident next-generation AV modules and system sweeps that detect security weaknesses. The first tool you will use in this bundle is the vulnerability manager. It examines all of the devices on your network and scans their ports, highlighting those that are open or incorrectly secured. It also examines operating system and software versions, looking for out-of-date systems, which it can then patch for you.

Malware scanners in multiple locations protect against Phobos and other ransomware. These scans run on each endpoint, so Phobos will be spotted as soon as it lands on a device on your network. Crucially, GravityZone manages backups and scans each file before uploading it to the backup server. Security scans of the entire system constantly look for anomalous traffic and malicious processes. Other protection measures include file integrity monitoring and configuration management.

Bitdefender GravityZone installs as a virtual appliance on a hypervisor, and it is available for a one-month free trial.