Rewterz Threat Alert – Jupyter trojan – Active IOCs
December 20, 2022Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
December 20, 2022Rewterz Threat Alert – Jupyter trojan – Active IOCs
December 20, 2022Rewterz Threat Alert – STOP (DJVU) Ransomware – Active IOCs
December 20, 2022Severity
High
Analysis Summary
Phobos Ransomware is based on the Dharma (aka CrySIS) malware that first appeared at the beginning of 2019. It spreads into several systems via compromised Remote Desktop Protocol (RDP) connections. This malware does not use any UAC bypass methods. Unlike other cybercrime gangs that go after big hunts, Phobos creators go after smaller firms that don’t have sufficient funding to pay massive ransoms. This ransomware usually targets healthcare providers, with victims in the United States, Seychelles, Portugal, Brazil, Indonesia, Germany, Romania, and Japan. Its perpetrators demand a little ransom payment, which appeals to victims and enhances the chances of payment. The average Phobos ransom payment in July 2022 was $36,932
Phobos encrypts data & files and keeps them locked until a ransom is paid. All encrypted files are renamed with the “.phobos” extension, as well as the victim’s unique ID and email address.
ransom note
Impact
- File Encryption
- Data Exfiltration
Indicators of Compromise
MD5
- e79a0ff95197b185ba8c04e73b33770d
- 9d698f5fb023c21b0629273b0ef42594
- 578244d3c1afbe8009f04bbc9eb54076
SHA-256
- 0385dd2419adf0fe1a1e5d5ed28aaecbceb1411010fb06a1b0798d84eca4732e
- 62b096449d5dc6f876c43e48d1c27a63de0f75e70279f811b5c6ba18f9126f7b
- 84ad231f0d74cd4bed8da0fbfc6801fc77424ee74a560e0d3175aa37b4ecab23
SHA-1
- 66a0c740be5d70840da4f57aa4b01818424a0b13
- 76ba11bfc956c6c68b8d34731f6573e308d6771b
- 83c1841f67d81d90aec1217766721bbb6856973e
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
- Maintain cyber hygiene by updating your anti-virus software and implementing patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Emails from unknown senders should always be treated with caution.
- Never trust or open ” links and attachments received from unknown sources/senders.