Phobos, the new ransomware from the Dharma group, infects hundreds of organizations

A new ransomware called Phobos is infecting devices and networks on a massive scale

A group of hackers is gaining remote access to the networks of various organizations in order to distribute new ransomware variants. According to network security and ethical hacking experts from the International Institute of Cyber Security, the attackers are also using sites that share cracked versions of commercial software to spread ransomware.

According to network security specialists, hackers have been remotely accessing enterprise networks to infect PCs, network shares and virtual infrastructure with a ransomware known as Phobos. In addition, attackers continue to distribute variants of the STOP ransomware through adware bundled on some "cracked software" sites.

Although many hackers have moved away from ransomware to other malicious activities such as cryptojacking, some cybercriminal gangs continue to devote themselves to distributing file-encrypting malware.

ID Ransomware is a platform where victims of ransomware attacks can identify which family of malware encrypted their files; it currently recognizes 673 ransomware variants, a notable increase over the 631 variants registered on the platform in mid-2018.

Among the variants identified by ID Ransomware is a new crypto-locker called Phobos, named after the Greek word for "fear". Phobos has been attacking multiple organizations since the beginning of 2019, network security experts warn, emphasizing that the malware is very similar to the Dharma ransomware. It is able to encrypt files on local drives as well as on mapped network drives, unmapped network shares and virtual machine drives.

While many ransomware variants reach systems through spam or phishing campaigns, Phobos gets in through exposed or poorly secured RDP (Remote Desktop Protocol) endpoints, according to experts.

Lists of hosts with exposed RDP can be bought cheaply on forums frequented by cybercriminals, who then try to break in with brute-force password attacks. Once inside, the criminals may spend weeks or even months within an organization's network before deploying the ransomware. The ransom note that Phobos leaves after encrypting the victim's files is practically identical to the note Dharma delivered in its day; essentially only the name of the malware has changed.
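The RDP brute-force entry described above is the part of this campaign a defender can actually see in the logs before any file is encrypted. The following Python is an added example written for this page, not code from the article or from any security vendor: it parses a constructed export of Windows Security events (4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive/RDP), flags any source address that exceeds a number of failures inside a sliding time window, and records whether that address then logged on successfully, which is the moment an intrusion of this kind begins. The pipe-separated line format, IP addresses and usernames are all assumptions made for the example.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example, not from the original article. Input is a constructed
export of Windows Security log events in the form
    timestamp|event_id|logon_type|user|src_ip
(e.g. built from Get-WinEvent); the sample below is not a real capture.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run from 203.0.113.7 that ends in a
# successful RDP logon, a user who mistyped a password once, and a slow
# guesser spaced hours apart.
SAMPLE_LOG = """\
2019-01-14T02:11:05|4625|10|administrator|203.0.113.7
2019-01-14T02:11:09|4625|10|admin|203.0.113.7
2019-01-14T02:11:14|4625|10|backup|203.0.113.7
2019-01-14T02:11:20|4625|10|scanner|203.0.113.7
2019-01-14T02:11:27|4625|10|backup|203.0.113.7
2019-01-14T02:11:33|4625|10|sysadmin|203.0.113.7
2019-01-14T02:11:40|4625|10|backup|203.0.113.7
2019-01-14T02:12:03|4624|10|backup|203.0.113.7
2019-01-14T09:00:00|4625|10|jdoe|198.51.100.9
2019-01-14T09:00:20|4624|10|jdoe|198.51.100.9
2019-01-14T10:15:00|4625|10|jsmith|192.0.2.44
2019-01-14T13:15:00|4625|10|jsmith|192.0.2.44
2019-01-14T16:15:00|4625|10|jsmith|192.0.2.44
2019-01-14T19:15:00|4625|10|jsmith|192.0.2.44
2019-01-14T22:15:00|4625|10|jsmith|192.0.2.44
"""


def parse_events(text):
    """Parse the pipe-separated export into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, logon_type, user, src_ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "user": user,
            "src_ip": src_ip,
        })
    events.sort(key=lambda e: e["time"])
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2),
                          logon_types=frozenset({10})):
    """Return {src_ip: alert} for addresses with >= threshold RDP logon
    failures inside `window`, noting any later successful logon from them.

    With Network Level Authentication enabled, failed RDP attempts are often
    logged with LogonType 3 instead of 10; pass logon_types={3, 10} then.
    """
    failures = defaultdict(deque)   # src_ip -> timestamps of recent failures
    tried = defaultdict(set)        # src_ip -> usernames attempted
    alerts = {}
    for e in events:
        if e["logon_type"] not in logon_types:
            continue
        ip = e["src_ip"]
        if e["event_id"] == 4625:
            q = failures[ip]
            q.append(e["time"])
            tried[ip].add(e["user"])
            while q and e["time"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "first_seen": q[0], "failures": 0,
                    "compromised_user": None, "success_at": None,
                })
                alert["failures"] = max(alert["failures"], len(q))
        elif (e["event_id"] == 4624 and ip in alerts
              and alerts[ip]["compromised_user"] is None):
            # First success from a flagged address: the guessed credential.
            alerts[ip]["compromised_user"] = e["user"]
            alerts[ip]["success_at"] = e["time"]
    for ip, alert in alerts.items():
        alert["usernames"] = set(tried[ip])
    return alerts


if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        status = ("COMPROMISED as %s at %s" % (a["compromised_user"], a["success_at"])
                  if a["compromised_user"] else "no success seen")
        print("%s: %d failures from %s, users %s -> %s"
              % (ip, a["failures"], a["first_seen"], sorted(a["usernames"]), status))
```

Two things the example makes visible. The "backup" account logging on from the same address minutes after the guessing run is the finding that matters; a burst of 4625s alone is noise on any host with an exposed 3389. The slow guesser at 192.0.2.44 never trips the two-minute window, so a second pass with a window of a day or more (or simply alerting on any external source that fails against several different usernames) is needed to catch the low-and-slow attempts the article's "weeks, even months" describes.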

The ransom note even offers "security services": "We also offer services. Want to know multiple tips to protect yourself against these attacks? The price is 0.1 Bitcoin, and you must remember, our work is very difficult and requires a lot of time and costs". At the time of writing, that 0.1 Bitcoin comes to roughly $350 USD.

Network security experts urge organizations and individual victims of ransomware to avoid paying the ransom wherever possible, since these payments directly finance further malicious activity.