Phobos Ransomware: What To Do If You’re Infected

Graphic for Tetra Defense Ransomware 101: Phobos


What is Phobos Ransomware?

Phobos (φοβος) is the Greek word for “fear,” and it is also the name of a ransomware family that started to infect computers in late 2018 and early 2019; we still frequently see active Phobos infections today. Phobos is a particularly nasty strain of ransomware related to the Dharma (CrySis) strain that inflicted widespread damage in 2017-2018. The Phobos malware code shares many similarities with Dharma, and some antivirus products even detect Phobos as Dharma (CrySis).

Phobos exploits Remote Desktop Protocol (RDP) and poorly secured RDP credentials, putting millions of business servers and workstations at risk. With the proliferation of businesses using cloud services, many have Windows servers accessible on the public Internet that are potential targets. Rapid7 estimates that there were 12 million Internet-facing RDP endpoints globally, with approximately 3.5 million of these being open with no password protection.

The source code for Phobos appears to have been modified and traded on the xDedic hacking marketplace, a Ukrainian-based community forum that started life on the publicly accessible World Wide Web before going underground onto the dark web. The FBI shut down the site in late January 2019, though this action has not been attributed directly to an effort to fight Phobos.

How Does Phobos Ransomware Work?

Phobos targets Remote Desktop on TCP port 3389. This is a legitimate protocol used by system administrators to access servers remotely. However, problems arise when Internet-facing servers, such as cloud servers or DMZ infrastructure, are not adequately secured.

Cloud service providers can enable RDP to any public IP address on the Internet. Any user would be able to access any publicly configured computer if they know the username and password to access it. Problems arise when lazy system administrators or users choose weak passwords that are guessable, easily hacked, or vulnerable to brute force attacks.

Every organization that has not secured RDP access to their systems is a potential victim. These ports are scanned and accessed by threat actors using weak or illegally obtained login credentials. Research conducted by BankInfoSecurity discovered RDP credentials for sale for as little as $3 on the dark web.

Threat actors harvest information about servers with exposed RDP ports using botnets to query extensive IP ranges as part of a coordinated attack. Cloud providers use widely known external IP ranges, which can be found using search engines such as Shodan. Botnets are configured to look specifically for systems that have port 3389 open, and once identified, the threat actors can perform a brute force attack on the RDP session to guess the password. Some RDP sessions may never be successfully cracked, but a staggering number of RDP sessions use weak passwords such as “Password1”.

After the hacker has gained remote access to a compromised server, the ransomware payload (malware executable file) is copied over and executed with administrator privileges. Many antivirus products can detect the payload immediately, so threat actors often download and use hacking tool kits to disable, kill, and unregister antivirus programs.

The threat actor, using the Phobos toolkit, targets all local disks and network shares for encryption. Phobos also uses several persistence mechanisms: it installs itself in %APPDATA% and in the Windows startup folder, adding registry keys to autostart its process when the computer system restarts. The result is an infection process that runs over and over again to encrypt files. Encrypted files are renamed to include a victim ID, the attacker’s email address, and the .phobos extension.

The Phobos code is relatively advanced. The malware is protected and anonymized after deployment. It has many self-protective routines that occur after infection, including deleting Volume Shadow Copy Service (VSS) shadow copies, adding code to prevent the computer from booting into recovery mode, removing Windows backup catalogs, and disabling the Windows Firewall.
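The artifacts described in the two paragraphs above can be checked for on a suspect host. The following read-only triage script is an added example, not Tetra Defense’s code; the exact Phobos filename layout it parses (`<name>.id[<victim-id>].[<email>].phobos`) is an assumption built from the page’s description of the three name components, and it should be run in an elevated PowerShell session.

```powershell
# Added example: read-only triage for the Phobos artifacts the article describes.
# Assumed filename layout: <name>.id[<victim-id>].[<email>].phobos
param([string]$ScanRoot = "$env:USERPROFILE\Documents")

# 1. Renamed files: pull the victim ID and attacker e-mail out of each name,
#    then group so one campaign's ID/e-mail pair is visible at a glance.
$phobosName = '\.id\[(?<vid>[^\]]+)\]\.\[(?<mail>[^\]]+)\]\.phobos$'
$encrypted = Get-ChildItem -Path $ScanRoot -Recurse -File -Filter '*.phobos' -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Name -match $phobosName) {
            [pscustomobject]@{ File = $_.FullName; VictimId = $Matches.vid; AttackerEmail = $Matches.mail }
        }
    }
"Encrypted files found under ${ScanRoot}: $(@($encrypted).Count)"
$encrypted | Group-Object VictimId, AttackerEmail | Select-Object Count, Name | Format-Table -AutoSize

# 2. Autostart entries: Run keys whose command lives under %APPDATA%, and the
#    per-user Startup folder, the two persistence locations the article names.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' -and "$($_.Value)" -like "*$env:APPDATA*" } |
        ForEach-Object { "Run key pointing into APPDATA: $key\$($_.Name) = $($_.Value)" }
}
Get-ChildItem -Path ([Environment]::GetFolderPath('Startup')) -File -ErrorAction SilentlyContinue |
    ForEach-Object { "Startup folder item: $($_.FullName)" }

# 3. Recovery artifacts the article says Phobos destroys: VSS shadow copies
#    and the boot-time recovery option.
$shadowCount = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count
"Volume shadow copies present: $shadowCount (zero on a host that normally has them is a red flag)"
$recovery = bcdedit /enum '{current}' 2>$null | Select-String 'recoveryenabled'
"Boot recovery setting: $(if ($recovery) { $recovery.Line.Trim() } else { 'not reported' })"
```

Pass a different `-ScanRoot` to inspect a network share or a second volume; the script changes nothing on the host.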

How Do I Prevent Phobos Ransomware?

Some essential security practices can be followed to mitigate the risk of Phobos ransomware. Conducting a fundamental review of any cloud and internet-facing server – physical or virtual – is paramount. RDP port 3389 should be blocked by default, and only used when necessary.

If using public cloud services, use identity and access controls so that RDP is not reachable from any IP address, and instead restrict the protocol to predefined IP addresses known only to the organization. It is also imperative to ensure that operating systems and applications are patched to the latest security levels.

Any server that uses RDP must have the Network Level Authentication (NLA) feature enabled under advanced RDP settings. When you enable this option, users have to authenticate themselves to the network before they can connect to the server. Allowing connections only from computers running NLA is a secure authentication method that can protect against malicious users and software.

Never forward RDP ports through a perimeter firewall. RDP access to a corporate network should be over a secured VPN tunnel that utilizes multi-factor authentication for added security. This method ensures that the firewall immediately drops any RDP packets arriving from the Internet, and the internal network is safe.
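The prevention steps above can be audited on a Windows server in one pass. This script is an added example, not Tetra Defense’s code; it reads the standard Terminal Server registry values and the host firewall rules, and it assumes it is run in an elevated PowerShell session (VPN placement and MFA cannot be read from the host, so they are recorded as manual checks).

```powershell
# Added example: audit the RDP controls listed in the prevention section.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$findings = New-Object System.Collections.Generic.List[string]

# Is RDP enabled at all? fDenyTSConnections = 1 means connections are refused,
# which is the "blocked by default" posture the article asks for.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
if ($deny -eq 1) { 'RDP is disabled on this host; nothing further to check.'; return }
$findings.Add('RDP is enabled: confirm this host genuinely needs it.')

# Network Level Authentication: UserAuthentication = 1 requires the client to
# authenticate before a desktop session is created.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
if ($nla -ne 1) { $findings.Add('FAIL: Network Level Authentication is not required (UserAuthentication != 1).') }

# Listening port: scanners look for 3389 specifically, so record what is in use.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
$findings.Add("RDP listens on TCP $port.")

# Firewall scope: every enabled inbound allow rule for the RDP port should be
# limited to known management addresses, never 'Any'.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains "$port")) {
        $af = $_ | Get-NetFirewallAddressFilter
        if ($af.RemoteAddress -eq 'Any') {
            $findings.Add("FAIL: rule '$($_.DisplayName)' allows TCP $port from any address.")
        } else {
            $findings.Add("OK: rule '$($_.DisplayName)' allows TCP $port only from $($af.RemoteAddress -join ', ').")
        }
    }
}

# Controls that live outside the host are listed for the reviewer to confirm.
$findings.Add('MANUAL: confirm RDP is reachable only over the VPN and that the VPN enforces MFA.')
$findings
```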

How Do I Remove Phobos Ransomware?

Nearly all antivirus products are now capable of blocking malware using real-time protection agents, and fortunately, the Phobos application hashes are known and easily detected by AV. However, problems with Phobos can still arise when the hacker intentionally bypasses the antivirus.

There are many websites online that claim to be able to remove Phobos, but most of these are fake scamming sites. Some are genuine, like SpyHunter, but they may charge high fees to purchase the software to remove the ransomware encryption.

We strongly recommend rebuilding any infected machine from a backup. Rebuilding may cause short-term pain, but in the long term, you can be assured that all components of the malware have been removed.

When there are no other viable options, some organizations choose to pay the ransom. Upon a verified payment, the Phobos decryptor tool is sent to the victim. This tool can be somewhat unreliable and riddled with bugs. Often the experienced help of a firm such as Tetra Defense can be useful in modifying the threat actor’s tool in order to decrypt data files successfully.

Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal at the same time you are getting answers.

Our teams are standing by to focus on what matters most: your business! We will survey the ransomware outbreak and perform an initial assessment, which identifies the course of action to remediate the infection. When necessary, we can conduct ransom negotiation and, if needed, can facilitate ransom payment.

We remove the threat from your system and conduct malware scans and network threat hunting. Each incident is leveraged to learn from the ransomware attack and discover the root cause. Once the decryption keys are obtained, we decrypt the data and get systems restored to full functionality as quickly as possible.

Get Help with Phobos Ransomware

If you’re ready to get help removing Phobos ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.
