Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain is strongly based on the previously known Dharma (a.k.a. CrySis) family, and it is probably distributed by the same group as Dharma.
This ransomware does not deploy any UAC bypass technique. When we try to run it manually, the UAC confirmation pops up:
If we accept it, the main process deploys another copy of itself with elevated privileges. It also executes some commands via the Windows shell.
Ransom notes of two types are dropped: .txt as well as .hta. After the encryption process is finished, the ransom note in .hta form pops up:
Even after the initial ransom note pops up, the malware still runs in the background and keeps encrypting newly created files.
All local disks, as well as network shares, are attacked.
It also uses several persistence mechanisms: it installs itself in %APPDATA% and in a Startup folder, adding registry keys to autostart its process when the system is restarted.
Those mechanisms make Phobos ransomware very aggressive: the infection doesn't end with a single run, but can be repeated multiple times. To prevent repeated infection, we should remove all the persistence mechanisms as soon as we notice that we have been attacked by Phobos.
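A triage script for the persistence locations described above, added here as an example and not code from the original analysis: it enumerates the standard Windows Run/RunOnce keys and the user's Startup folder, flags entries that launch something from %APPDATA% or the Startup folder, and hashes each flagged file so it can be compared against the IoC hashes. Phobos's own value names and file names are not given on the page, so none are assumed.

```powershell
# Added triage example, not code from the original article: lists the standard
# autostart locations, flags entries pointing into %APPDATA% or the Startup folder
# (the persistence locations described above), and SHA256-hashes the target file.
# Run from an elevated PowerShell session so that the HKLM keys are readable.

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$AppData = [Environment]::GetFolderPath('ApplicationData')   # resolves %APPDATA%
$Startup = [Environment]::GetFolderPath('Startup')           # current user's Startup folder

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata members
            [pscustomobject]@{ Source = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($f in Get-ChildItem -Path $Startup -File -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'Startup folder'; Name = $f.Name; Command = $f.FullName }
    }
}

function Get-CommandTarget([string]$Command) {
    # Pull the executable path out of a Run value such as "C:\path\x.exe" /arg
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^"([^"]+)"' -or $expanded -match '^(\S+\.exe)') { return $Matches[1] }
    return $expanded
}

$flagged = Get-AutostartEntries | ForEach-Object {
    $target = Get-CommandTarget $_.Command
    if ($target -like "$AppData*" -or $target -like "$Startup*") {
        $hash = if (Test-Path -Path $target -PathType Leaf) {
            (Get-FileHash -Path $target -Algorithm SHA256).Hash
        } else { 'file missing' }
        [pscustomobject]@{ Source = $_.Source; Name = $_.Name; Target = $target; SHA256 = $hash }
    }
}

# Review each flagged entry; compare SHA256 with the hashes in the IoC section.
$flagged | Format-Table -AutoSize
```

Entries flagged here are candidates for review, not confirmed infections: legitimate software also autostarts from %APPDATA%, so the hash comparison is what confirms a match.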
Indicators of Compromise
Malware Hash (MD5/SHA1/SHA256)