A new strain of ransomware has been attacking businesses throughout the globe since the middle of December. The ransomware, dubbed Phobos, is possibly named after the Greek god of fear and shares several similarities to the most recent Dharma variants. In fact, it’s believed the creators of Dharma are behind the newly formed Phobos variant.
Similarities Between Phobos and Dharma
Like Dharma, Phobos exploits open or poorly secured RDP (Remote Desktop Protocol) ports to gain access to networks and execute a ransomware attack. Once the ransomware completes its encryption process, encrypted files have .phobos appended to the end of the file name. What makes Phobos even more like Dharma is the ransom note. Aside from the Phobos logo being added, the ransom note is exactly the same as the note used in Dharma ransomware attacks. After further analysis, researchers also found much of the code behind Phobos ransomware is the same as Dharma. It has even been described as a ‘largely cut and paste variant of Dharma.’
It also appears that Phobos contains elements of CrySiS ransomware which just so happens to be related to the Dharma family. Anti-virus software even falsely detects Phobos as CrySiS. Lastly, the attack methods and threats remain the same.
“What is clear is that while the ransomware type may be different, the group distributing Phobos, the exploit methods, ransom notes and communications remain nearly identical to Dharma,” Coveware researchers said in a blog post.
Dharma Ransomware Tabbed as one of the Most Damaging Ransomware Variants of 2018
Dharma – joined by the likes of Cerber, Cryptolocker, CrySiS, CTBLocker, and Locky – was cited as one of the most damaging ransomware variants to businesses in 2018. Note, this list does not include the high-profile ransomware campaigns such as the ones we saw with WannaCry, NotPetya, and SamSam.
It’s likely that Phobos is being distributed to serve as an insurance policy for the Dharma crew, providing attackers with a second option for conducting attacks, should Dharma end up decrypted or prevented from successfully extorting ransoms from victims.
Organizations can go a long way to avoid becoming a victim of Dharma or Phobos ransomware in the first place by securing their RDP ports and by regularly backing up their data. If the worst happens, and you become infected by one of these ransomware variants, it’s possible to restore systems without giving into the demands of the Dharma crew.
Photo courtesy of MySpotBot