Inside "Phobos" Ransomware: "Dharma" Past & Underground

Updated: Oct 8, 2021

By Bridgit Sullivan

What is Phobos Ransomware?

Phobos is ransomware that encrypts files with the Advanced Encryption Standard (AES). It was first seen in October 2017 but became increasingly active in 2019. Also referred to as Phobos NextGen or Phobos Not Dharma, Phobos is extremely similar to the Dharma and Crysis ransomware family because it shares the Dharma codebase. It is an offline file-encrypting virus that targets Windows operating systems. Phobos is offered as a Ransomware-as-a-Service (RaaS) package on top-tier Eastern European forums. Phobos is an increasingly dangerous and credible ransomware threat that usually targets businesses and occasionally consumers.

How Does it Work?

There are multiple ways for Phobos ransomware to end up on your device. The payload can be distributed as an attachment through traditional phishing schemes, through open and poorly secured Remote Desktop Protocol (RDP) connections, and through fake system updates. There are multiple ways that Phobos gains access to RDP connections: by brute-forcing RDP credentials, by using stolen or purchased RDP credentials, or through an insecure connection exposed on port 3389. Once deployed, the payload encrypts the victim's files and then places two ransom notes, one .txt and one .hta, on their desktop. In addition to encrypting the victim's files, Phobos deletes any shadow copies or backups of the files, as well as the system restore points.
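As an added, defender-side illustration that is not part of the original article, the following Python flags the RDP brute-force pattern described above by looking for bursts of failed RemoteInteractive logons (Windows Security event 4625, logon type 10) from a single source and noting whether a successful RDP logon (event 4624) from that source followed the burst. The log lines are constructed samples in a simplified one-line format, not the native Windows event format, and the field names are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): simplified Windows Security events.
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2021-10-08T02:14:03 EventID=4625 LogonType=10 User=admin Src=203.0.113.7
2021-10-08T02:14:05 EventID=4625 LogonType=10 User=administrator Src=203.0.113.7
2021-10-08T02:14:08 EventID=4625 LogonType=10 User=backup Src=203.0.113.7
2021-10-08T02:14:11 EventID=4625 LogonType=10 User=sysadmin Src=203.0.113.7
2021-10-08T02:14:15 EventID=4625 LogonType=10 User=scan Src=203.0.113.7
2021-10-08T02:14:20 EventID=4624 LogonType=10 User=sysadmin Src=203.0.113.7
2021-10-08T02:20:00 EventID=4625 LogonType=10 User=jsmith Src=198.51.100.2
2021-10-08T02:21:00 EventID=4625 LogonType=2 User=jsmith Src=-
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev

def rdp_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: {"failures": n, "followed_by_success": bool}} for sources with
    >= threshold failed RDP logons inside one sliding window of length `window`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ev in parse(log_text):
        if ev["lt"] != "10":          # only RDP (RemoteInteractive) logons matter here
            continue
        if ev["eid"] == "4625":
            failures[ev["src"]].append(ev["ts"])
        elif ev["eid"] == "4624":
            successes[ev["src"]].append(ev["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):   # slide over failure timestamps
            burst_end = times[i + threshold - 1]
            if burst_end - times[i] <= window:
                hits[src] = {"failures": len(times),
                             "followed_by_success": any(t >= burst_end for t in successes[src])}
                break
    return hits
```

A burst followed by a success is the case to triage first, since it suggests the credential guessing worked and the RDP foothold the article describes may already exist.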

As soon as the victim views the .hta ransom note, which pops up automatically, negotiations can begin with the Phobos operators. While most ransom notes are unique to the ransomware family that drops them, the wording of the ransom note Phobos places on the victim's desktop is identical to the one Dharma used. The only difference between the notes is that Phobos has put its own name on the note, effectively branding it as theirs.

The ransom note offers an email for the victim to contact the operator to negotiate the ransom. Once the victim has reached out, the initial response from Phobos is, again, a copy of the initial response that Dharma used. However, Phobos has added a section that aims to convince the victim to pay another 0.1 Bitcoin (BTC) for the operator to give the victim security advice, on top of the amount in BTC the victim is being asked to pay to decrypt their files. Before paying the ransom, the victim is instructed to send 5 files below a certain size to be decrypted for free.

The average ransom ranges from $5,000 to $6,000 and must be paid in Bitcoin. This figure is higher than the initial demand because, as negotiations continue without payment, the ransom is raised from its original amount, usually $3,000. The average negotiation period between a victim and a Phobos operator lasts about 8 days. This is a longer average negotiation period than other ransomware syndicates usually have, which could be due to unorganized and unprofessional amateur hackers using Phobos. Phobos is sold as RaaS packages on the Dark Web, which gives hackers and cybercriminals with little to no skill the ability to deploy effective and established ransomware. Victims have found it difficult to get their files decrypted, and on multiple occasions the decryption tool was not provided after the ransom was paid.

Phobos and the Underground

Phobos operates with a RaaS (ransomware-as-a-service) model. On April 11, 2019, the Phobos operators, through their representative on underground forums, announced that they were looking for affiliate partners to use their ransomware. This was the beginning of a long forum thread, with posts as recent as February 2020, that gives insight into how Phobos has evolved over the past year. The initial post by the representative in April 2019 was meant to entice new partners to use Phobos; it detailed how the software works, how to get in touch with the Phobos developers, and some of the guidelines for using the ransomware.

The post begins by describing Phobos as a "popular offline cryptolocker." The Phobos representative continues by explaining that the software runs completely offline (it does not require an internet connection to run) and that while it is running it does not attract additional attention. In addition, when the infected device is turned on and off, Phobos will automatically scan for the presence of connected external and network devices, and if it finds any it will encrypt their data. The Phobos representative also discussed other aspects of the software, including its productivity, automatic functions, and file encryption. They also mentioned that this ransomware could not be used to target Russian or Commonwealth of Independent States (CIS) entities. Throughout the post, the ransomware administrator emphasized that Phobos is secure and easy to use, and that there is a direct line of communication between partners and developers, with no intermediaries necessary.