Phobos is a ransomware-type malicious program that (like most programs of this type) encrypts data/locks files stored and keeps them in this state until a ransom is paid. Phobos renames all encrypted files by adding the “. phobos" extension plus the victim's unique ID and an email address.
The virus encrypts data using AES cryptography and, after encryption, generates an HTML application ("Phobos.hta") and opens it. This app displays a pop-up window that contains a ransom-demand message. In the ransom-demand message, cyber criminals state that all files are encrypted. To decrypt them, victims must contact them via the firstname.lastname@example.org, ottoZimmerman@protonmail.ch, or other email addresses and provide the assigned ID ("Encryption ID"). This ransomware targets all versions of Windows including Windows 7, Windows 8.1 and Windows 10. When this ransomware is first installed on a computer it will create a random named executable in the %AppData% or %LocalAppData% folder. This executable will be launched and begin to scan all the drive letters on your computer for data files to encrypt.
Phobos ransomware searches for files with certain file extensions to encrypt. The files it encrypts include important productivity documents and files such as .doc, .docx, .xls, .pdf, among others. When these files are detected, this infection will change the extension to id[random numbers].[email].extension, so they are no longer able to be opened. They also warn users of infected computers that only they can provide means to decrypt files. They state that any attempts to use other tools might result in permanent data damage (data loss). One victim contacted Phobos developers and received a response stating that cost of decryption (at that time) was $3000, however, they also stated that unless payment to a Bitcoin wallet (provided) was made within six hours, the cost would increase by $2000 (total cost of decryption tool would then be $5000).The Cyber criminals use cryptography algorithms that generate unique keys and are impossible to 'crack'. Cybercriminal state that There is no tool currently capable of free file decryption.
Microsoft office has huge recognition and widely used software products in the world. So, we don’t need to be surprised that Microsoft extension has been used by the email hackers as a malicious file extension. According to the Cisco report regarding cybersecurity issues in 2018 that Microsoft extension is the most malicious file extension in emails. The most famous file extensions for mail hackers were Microsoft Work, PowerPoint and Excel formats. As per my research, I can see that the majority of the malicious file extensions (38%) were Microsoft Office extensions. .zip and .jar extensions are the next two major dangerous formats. They account for 14% of the malicious file formats. However, hackers exploit these to insert malicious code.
The message in the POP-UP windows after infected system is as fallow: -
To decrypt your files, contact us using this e-mail: Cadillac.email@example.com Please set topic 'Encryption ID: ********'.
Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension. The attackers scan for the systems running RDP (TCP port 3389) and then attempt to brute force the password for the systems. Ransomware developers spreads these infections through spam email campaigns, fake software updates, dubious software download sources, and trojans. Spam campaigns infect computers through email attachments, which could be Microsoft Office documents, archive files, executables, PDF files, and so on. Fake software updaters often download and install malware rather than the promised updates or exploit bugs/flaws of the outdated software.
Anacyber is the best Cyber Security Companies in Pune and Mumbai Offering all type of Cyber Security Services. ANA Cyber Forensic Pvt Ltd is a specialized in Cyber Forensic and Digital Forensic Investigation. We provide Cyber Security and Information Security Awareness Program. We have experienced and specialized instructors to deliver Awareness Program to college, school, corporate or government office.