Phobos Ransomware (Analysis and Recovery Options)
This page details everything you need to know about Phobos ransomware. If you have been hit by Phobos ransomware and need help recovering your data, we're here to help.
Table of Contents
What is Phobos ransomware?
Phobos ransomware is a Ransomware-as-a-Service variant that first appeared in December 2018. Phobos typically targets small organizations through unsecured RDP ports.
Phobos ransomware is a type of CrySis ransomware and bears striking similarities to the Dharma ransomware variant.
The Phobos ransom splash screen is the same as Dharma, except with the Phobos logo. Below you will find an example of a victim computer infected with the Phobos ransomware.
Additionally, the code used by Phobos ransomware is mostly the same.
Phobos ransomware encrypts your data and deletes local backups and shadow copies similar to the Sodinokibi ransomware.
Additionally, Phobos stops some active operating system processes, allowing it to be more effective at inflicting damage.
Phobos is also known to disable recovery mode which prevents the system from booting into a recovery mode.
Additionally, it could potentially disable your firewall to be even more damaging to your network.
Phobos Ransomware Indicators of Compromise (IoC)
There are several Phobos ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer.
Phobos Encrypted Files
If the Phobos ransomware encrypts your data, you will notice different extensions added to each file.
The ransomware generally renames encrypted files per the diagram below.
You may notice that each system or file shares on your network have different IDs. The threat actors may use the number of IDs as part of determining the ransom cost.
Phobos Ransom Note
The common Phobos ransom note is a .txt or .hta file which may be located in the C-drive, desktop, or AppData folder of your computer/server.
The following are some common locations of the Phobos ransom note:
Below you will find an example Phobos ransom note:
Here are some examples of previous Phobos ransom note names:
Like Dharma, the Phobos ransom note provides the victim with instructions on what to do next if they want their files decrypted. Most Phobos ransom notes are very short and include 1 or 2 email addresses to contact the threat actor.
You may also find that the background of the infected system is different. This is called a ransomware splash screen. With Phobos, there is likely a startup process to open the Info.hta file each time you restart the computer or server.
If you are looking to have your data recovered, it is important to not delete the Phobos ransomware note as this information will be used during the ransomware recovery process.
How to stop Phobos ransomware
You can stop Phobos ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices.
Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.
How much will Phobos ransomware recovery cost?
Factors that influence the total cost of Phobos recovery include:
- Assessment fee
- Number of encrypted systems
- Selected priority of service
- Ransom demand amount
How much do Phobos ransom demands cost?
Our data from Q4 of 2020 concludes that the initial average Phobos ransomware demand is $27,050.
The Phobos ransomware initial ransom demands tend to be lower than the average ransom demands from other variants because the target victims are typically smaller organizations.
The graph below shows the comparison between the average initial ransom demand of Phobos ransomware and other common variants.
Some of the Phobos ransomware splash screens indicate that the price of Phobos decryption keys will increase over time, a scare tactic the attackers use to encourage victims to pay the demanded amount quickly.
Phobos typically targets small and medium-sized businesses but is still considered one of the most profitable ransomware variants due to the sheer volume of attacks.
Proven Data is experienced in helping to negotiate for a lower ransom demand from Phobos operators. Based on our internal data, It is likely that the Phobos operators determine their ransom demands based on the size and type of the victim’s organization.
How to decrypt Phobos ransomware
If your files are locked from Phobos ransomware, you’re trying to see what ransomware recovery options are available to decrypt your data.
Unlock Phobos encrypted files
The encryption algorithm for Phobos uses AES and with CryptGenRandom a random key, making it too strong to be broken. Additionally, there are currently no known flaws in the malware that can be utilized for data restoration efforts.
The encryption strength leaves Phobos victims with the only option of considering paying the ransom to obtain the decryption key and unlock their files.
As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.
How long does it take to recover from a Phobos ransomware attack?
There are several factors which contribute to the time it takes to recover from a Phobos attack. These include:
- Cleaning the environment from malware
- Securing vulnerabilities
- Negotiation time
- Compliance checks & making the ransom payment
- Scanning for the public key
- Wait for the threat actor to provide a private key
- Test the functionality of the private key
- Decrypting the data
- Size of the network
- Number of files, file sizes & types
- Backing up and verifying the data
For a network with 1-3 servers and 10-15 workstations it takes approximately 1-3 business days to complete the full recovery process.
What attack vectors did Phobos ransomware use?
Phobos ransomware primarily exploits unsecured RDP ports through brute force and dictionary attacks or by purchasing stolen credentials online through the dark web.
Phobos also uses phishing emails and exploits unpatched software vulnerabilities to deploy attacks.
Does Phobos ransomware steal data?
Based on our internal forensic investigations and additional research, there has been no evidence that Phobos ransomware attacks are known to steal data while on the victim network. However, since ransomware threat actors are constantly changing tactics, it is still critical to conduct a forensic investigation.
Preserving evidence from Phobos ransomware
To determine what the attackers removed from your network, you will need a forensic investigation performed. If you are considering a forensic investigation, it is important to preserve the evidence as soon as possible.
Here are the steps to preserve the forensic evidence:
- Do not shut down the computer or server as this will erase some artifacts
- Create a forensically sound image and take it offline
- Download firewall, VPN, and remote software logs
- Document all information pertaining to the ransomware attack
Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
Why choose Proven Data Phobos ransomware recovery?
Our firm understanding of the Phobos ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to recovering from the attack completely.
To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that you can use for insurance or law enforcement reporting purposes.
If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate Phobos cyber incident, we are here to help.
Most frequent questions and answers
There are currently no publicly available Phobos ransomware decryption tools to assist victims unlock their files. If your files are encrypted by Phobos, you may have to recover your data by:
- Recreating the data from scratch
- Restoring from backups
- Paying the ransom
No, it is currently not possible to decrypt Phobos encrypted files without paying the ransom. However, there are some file types that can be repaired. You may ask a Proven Data representative about those file types.
Phobos ransomware tends to have a high success rate of data restoration after paying the ransom and going through the decryption process. Compared to other types of ransomware, the decrypter tool is relatively straightforward to use and doesn’t have any known bugs.
Here are some file types which may have problems decrypting or could require further troubleshooting:
- VHDX/VHD images
Paying the ransom in exchange for the decryption key does not always guarantee that a functional decryption key will be delivered. However, using the threat intelligence we have gathered from previous Phobos ransomware cases, we can determine the threat actor’s past reputation and risk for data corruption to help you make informed decisions.
In 2020 our records indicate that Phobos delivered the decryption tool after the first ransom payment on 84.2 % of cases. In the other 15.8%, the threat actors demanded a second payment after agreeing to an amount.
Phobos is known to download sensitive data from victim’s networks when they gain access. A digital forensics investigation can help you learn about what may have been removed from your network during the incident.
The forensic report can be used to satisfy regulatory requirements for HIPAA or other regulated data you may store on your network.
The Phobos decryptor is more complicated to use compared to other ransomware decryptors, given that it requires additional steps to decrypt your files.
Here are the steps to run the Phobos decrypter tool:
- Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to help you with this).
- Disable anti-virus software on the machine you will be running the tool from. This includes Microsoft Defender.
- The tool provided by the threat actors is a scanning tool. Connect all the encrypted files to the system you are going to be running the scanner tool from. This includes mapping network shares and attaching external hard drives. This step is critical to ensure the scanning tool picks up all the public keys in the files you want decrypted.
- Right click the decryption executable file and run as administrator.
- A dialog box will pop up. Click ‘Scan PC’ to begin the scan.
- The scan will start picking up encrypted files and public keys it finds.
- When the scan is finished the output file on the screen is your public key.
- Copy the key and paste it to a notepad, saving it as a text file to a location of your choosing and naming the file.
- Email the text file with the public key back to the threat actor.
- If they honor the agreement, they will send you back the private key needed to unlock your files. Copy the key to a safe place.
- Open the same scanning tool again as an administrator on the system you scanned from.
- For the decryption method, you have two options:
- Decrypt all: decrypts all drive letters accessible from the system. To decrypt all, click the ‘Decrypt’ button in the main window.
- Decrypt folder: decrypter only a folder of your choosing. To decrypt only a folder, click the ‘…’ button in the main window and navigate to the folder you want to decrypt.
- The default options are ‘Delete encrypted files after decryption’ and ‘Overwrite existing files’. If you haven’t made a backup of the encrypted files and have enough space on the system you are decrypting, it is recommended to uncheck ‘Delete encrypted files after decryption’.
- Paste the private key into the text box. When copying, make sure you don’t copy any spaces as this could influence the process.
- Click ‘Decrypt’ to start decrypting.
- If the correct key was input, the decrypter will go through all the devices connected with encrypted files.
- When the process is finished, a dialog box will pop up indicating the decryption is complete.
This Phobos decryption tool and the private key is only available if the victim chooses to pay the ransom as a method to unlock their encrypted files.