SOCRadar® Cyber Intelligence Inc. | Dark Web Threat Profile: Phobos Ransomware Group


Nov 10, 2021
3 Mins Read

Dark Web Threat Profile: Phobos Ransomware Group

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses. Unlike other cybercrime gangs that go after big hunts, the Phobos bad guys usually go after smaller firms that don’t have the financial wherewithal to pay massive ransoms. 

Phobos, An Ordinary Ransomware

Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him.

The CrySIS and Dharma malware families are closely connected to the Phobos ransomware. CrySIS was first identified in 2016; however, when the original author released the source code that same year, it earned a new level of popularity among threat actors. 

The malware was renamed Dharma when its decryption keys were disclosed. Dharma is a ransomware-as-a-service (RaaS) paradigm that is sold by a number of different parties. After decryption tools and keys for the Dharma family were accessible late in 2018, Phobos debuted in the threat environment as a successor to Dharma. Dharma and Phobos have nearly identical ransom messages and share code commonalities. During an attack, the critical difference between the two is how they encrypt files. 

Victims of Phobos Ransomware Group

Phobos is a ransomware family that primarily targets small to medium-sized businesses including healthcare and victims were located in the U.S., Portugal, Brazil, Seychelles, Romania, Indonesia, Germany, and Japan.  

Attackers typically demand far lower ransom sums than other ransomware families, making it more appealing to victims and increasing the possibility of payment. In July 2021, the average Phobos ransom payment was roughly $54,700. 

How Phobos Infiltrates Data

Phobos is standard ransomware that offers little in the way of innovation. They do not use the double extortion approach. There have been no reports of any underground leak sites revealing confidential information about their targets. This threat is most likely inserted to influence the victim, capitalizing on worries sparked by other high-profile ransomware attacks this year. 

Phobos is a ransomware infection that spreads through hijacked Remote Desktop (RDP) connections. This isn’t surprising, given that hacked RDP servers are a cheap commodity on the underground market and can be an appealing and cost-effective distribution route for threat actors. 

Additionally, Phobos is not packed or obfuscated, unlike the majority of malware that is secured by a crypter. Although the absence of packing is not frequent in the general population of malware, it is widespread among malware that is manually distributed by attackers. 

Cyber Killchain of Dharma/Phobos (Source: Sophos Labs)

Ways to Avoid Being Infected with Phobos

When accessing the web, downloading, installing, and upgrading software, take precautions, such as 

  • Avoid opening attachments in emails that aren’t relevant.
  • If you receive an email with an attachment (or a web link) from an unknown/untrustworthy email account, do not open it or click the provided link.
  • Use only tools or implemented functions given by official program developers instead of unofficial software update tools.
  • Install reliable anti-virus or anti-spyware software; these programs can detect and remove numerous threats (computer infections) before they may cause any harm. 
Discover SOCRadar® Free Edition

With SOCRadar® Free Edition, you’ll be able to:

  • Discover your unknown hacker-exposed assets
  • Check if your IP addresses tagged as malicious
  • Monitor your domain name on hacked websites and phishing databases
  • Get notified when a critical zero-day vulnerability is disclosed

Free for 12 months for 1 corporate domain and 100 auto-discovered digital assets.
Try for free