A prolific cybercrime gang behind a series of ransomware attacks is distributing a new form of the file-encrypting malware that combines two well-known and successful variants in a series of attacks against businesses around the world.
Like Dharma, Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension.
The demand is made in a ransom note — and aside from ‘Phobos’ logos being added to the ransom note, it’s exactly the same as the note used by Dharma, with the same typeface and text used throughout.
It isn’t only the ransom note Phobos shares with Dharma — much of the code behind the ransomware is the same, which researchers describing it as a “largely cut and paste variant of Dharma.”
However, Phobos also contains elements of CrySiS ransomware — also related to Dharma — with anti-virus software detecting Phobos as CrySiS. The ransomware’s file markers also differentiate it from Dharma. However, the attack methods and threat remains the same.
“What is clear is that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes and communications remain nearly identical to Dharma,” researchers said in a blog post. Phobos is being distributed by the gang behind Dharma and likely serves as an insurance policy for malicious campaigns, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims. Currently, Dharma remains one of the most damaging families of ransomware during 2018.