morrss.blogg.se

Extract images from swf file ware

Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma (a.k.a. CrySis), and is probably distributed by the same group as Dharma. While attribution is by no means conclusive, you can read more about potential links between Phobos and Dharma here, including an intriguing connection with the XDedic marketplace.

Phobos is one of the ransomware families that are distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost-efficient dissemination vector for threat groups.

In this post we will take a look at the implementation of the mechanisms used in Phobos ransomware, as well as at its internal similarity to Dharma.

This ransomware does not deploy any techniques of UAC bypass. When we try to run it manually, the UAC confirmation pops up. If we accept it, the main process deploys another copy of itself, with elevated privileges. It also executes some commands via the Windows shell.

Ransom notes of two types are being dropped. After the encryption process is finished, the ransom note in the .hta form is popped up; a ransom note in the .txt version is dropped as well. Even after the initial ransom note is popped up, the malware still runs in the background and keeps encrypting newly created files. All local disks, as well as network shares, are attacked.

It also uses several persistence mechanisms: it installs itself in %APPDATA% and in a Startup folder, adding registry keys to autostart its process when the system is restarted. Those mechanisms make Phobos ransomware very aggressive: the infection doesn't end on a single run, but can be repeated multiple times.
