Rewterz Threat Alert – Phobos Ransomware Threat Indicators

Severity

High

Analysis Summary

Analysis Summary
Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma (a.k.a. CrySis), and probably distributed by the same group as Dharma.

This ransomware does not deploy any techniques of UAC bypass. When we try to run it manually, the UAC confirmation pops up:

If we accept it, the main process deploys another copy of itself, with elevated privileges. It also executes some commands via windows shell.

Ransom notes of two types are being dropped: .txt as well as .hta. After the encryption process is finished, the ransom note in the .hta form is popped up:

Even after the initial ransom note is popped up, the malware still runs in the background, and keeps encrypting newly created files.

All local disks, as well as network shares are attacked.

It also uses several persistence mechanisms: installs itself in %APPDATA% and in a Startup folder, adding the registry keys to autostart its process when the system is restarted.

Those mechanisms make Phobos ransomware very aggressive: the infection didn’t end on a single run, but can be repeated multiple times. To prevent repeated infection, we should remove all the persistence mechanisms as soon as we noticed that we got attacked by Phobos.

Impact

File encryption

Indicators of Compromise

Malware Hash (MD5/SHA1/SH256)

• d50f69f0d3a73c0a58d2ad08aedac1c8
• a91491f45b851a07f91ba5a200967921bf796d38677786de51a4a8fe5ddeafd2

Remediation

• Block all threat indicators at your respective controls.
• Always be suspicious emails sent by unknown senders.
• Never click on the link/ attachments sent by unknown senders.