Phobos is a ransomware-type malicious program that (like most programs of this type) encrypts data/locks files stored and keeps them in this state until a ransom is paid. Phobos renames all encrypted files by adding the “. phobos" extension plus the victim's unique ID and an email address.

The virus encrypts data using AES cryptography and, after encryption, generates an HTML application ("Phobos.hta") and opens it. This app displays a pop-up window that contains a ransom-demand message. In the ransom-demand message, cyber criminals state that all files are encrypted. To decrypt them, victims must contact them via the,, or other email addresses and provide the assigned ID ("Encryption ID"). This ransomware targets all versions of Windows including Windows 7, Windows 8.1 and Windows 10. When this ransomware is first installed on a computer it will create a random named executable in the %AppData% or %LocalAppData% folder. This executable will be launched and begin to scan all the drive letters on your computer for data files to encrypt.

Phobos ransomware searches for files with certain file extensions to encrypt. The files it encrypts include important productivity documents and files such as .doc, .docx, .xls, .pdf, among others. When these files are detected, this infection will change the extension to id[random numbers].[email].extension, so they are no longer able to be opened. They also warn users of infected computers that only they can provide means to decrypt files. They state that any attempts to use other tools might result in permanent data damage (data loss). One victim contacted Phobos developers and received a response stating that cost of decryption (at that time) was $3000, however, they also stated that unless payment to a Bitcoin wallet (provided) was made within six hours, the cost would increase by $2000 (total cost of decryption tool would then be $5000).The Cyber criminals use cryptography algorithms that generate unique keys and are impossible to 'crack'. Cybercriminal state that There is no tool currently capable of free file decryption.

Cyber Attack Tactics
1. Microsoft office extensions mostly used by email hackers as the most malicious file extension.

Microsoft office has huge recognition and widely used software products in the world. So, we don’t need to be surprised that Microsoft extension has been used by the email hackers as a malicious file extension. According to the Cisco report regarding cybersecurity issues in 2018 that Microsoft extension is the most malicious file extension in emails. The most famous file extensions for mail hackers were Microsoft Work, PowerPoint and Excel formats. As per my research, I can see that the majority of the malicious file extensions (38%) were Microsoft Office extensions. .zip and .jar extensions are the next two major dangerous formats. They account for 14% of the malicious file formats. However, hackers exploit these to insert malicious code.

The message in the POP-UP windows after infected system is as fallow: -

All your files are encrypted

To decrypt your files, contact us using this e-mail: Please set topic 'Encryption ID: ********'.

  • We offer free decryption of your test files as a proof. You can attach them to your e-mail, and we'll send you decrypted ones.
  • Decryption price increases over time, hurry up and get discount.
  • Decryption using third parties may lead to scam or increased price.
Decryption using third parties may lead to scam or increased price.

Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The attackers scan for the systems running RDP (TCP port 3389) and then attempt to brute force the password for the systems. Ransomware developers spreads these infections through spam email campaigns, fake software updates, dubious software download sources, and trojans. Spam campaigns infect computers through email attachments, which could be Microsoft Office documents, archive files, executables, PDF files, and so on. Fake software updaters often download and install malware rather than the promised updates or exploit bugs/flaws of the outdated software.

How to Mitigate from this attack
  • As with this form of malware, security software (antivirus software) might not detect a ransomware payload. due to encrypted or crafted payload your protective software’s unable to detect this kind of payloads.
  • Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection but will not protect against all attacks.
  • Security experts advise you how to deal with this kind of attacks.
  • Do not pay the ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.
  • Restore any impacted files from a known good backup. Restoration of your files from a backup is the fastest way to regain access to your data.
  • Do not provide personal information when answering an email, unsolicited phone call, text message or instant message. Phishers will try to trick employees into installing malware or gain intelligence for attacks by claiming to be from IT. Be sure to contact your IT department if you or your co-workers receive suspicious calls.
  • Use reputable antivirus software and a firewall. Maintaining a strong firewall and keeping your security software up to date are critical. It’s important to use antivirus software from a reputable company because of all the fake software out there.
  • Do employ content scanning and filtering on your mail servers. Inbound e-mails should be scanned for known threats and should block any attachment types that could pose a threat.
  • Do make sure that all systems and software are up-to-date with relevant patches.
  • If traveling, alert your IT department beforehand, especially if you’re going to be using public wireless Internet. Make sure you use a trustworthy Virtual Private Network (VPN) when accessing public Wi-Fi like Norton Secure VPN.

Anacyber is the best Cyber Security Companies in Pune and Mumbai Offering all type of Cyber Security Services. ANA Cyber Forensic Pvt Ltd is a specialized in Cyber Forensic and Digital Forensic Investigation. We provide Cyber Security and Information Security Awareness Program. We have experienced and specialized instructors to deliver Awareness Program to college, school, corporate or government office.