Phobos ransomware appeared at the beginning of 2019. It has been noted that this new strain of ransomware is strongly based on the previously known family: Dharma (a.k.a. CrySis), and is probably distributed by the same group as Dharma. While attribution is by no means conclusive, you can read more about potential links between Phobos and Dharma here, including an intriguing connection with the XDedic marketplace. Phobos is one of the ransomware families distributed via hacked Remote Desktop (RDP) connections. This isn't surprising, as hacked RDP servers are a cheap commodity on the underground market, and can make for an attractive and cost-efficient dissemination vector for threat groups. In this post we will take a look at the implementation of the mechanisms used in Phobos ransomware, as well as at its internal similarity to Dharma.

This ransomware does not deploy any UAC bypass techniques. When we try to run it manually, the UAC confirmation pops up. If we accept it, the main process deploys another copy of itself, with elevated privileges. It also executes some commands via the Windows shell.

Ransom notes of two types are dropped. After the encryption process is finished, the ransom note in the .hta form is popped up.

Ransom note in the .txt version

Even after the initial ransom note is popped up, the malware still runs in the background, and keeps encrypting newly created files. All local disks, as well as network shares, are attacked. It also uses several persistence mechanisms: it installs itself in %APPDATA% and in a Startup folder, adding registry keys to autostart its process when the system is restarted. Those mechanisms make Phobos ransomware very aggressive: the infection does not end with a single run, but can be repeated multiple times. To prevent repeated infection, we should remove all the persistence mechanisms as soon as we notice that we have been attacked by Phobos.

The ransomware is able to encrypt files without an internet connection (at this point we can guess that it comes with some hardcoded public key). Each file is encrypted with an individual key or initialization vector: the same plaintext generates a different ciphertext. It encrypts a variety of files, including executables. The encrypted files have the attacker's e-mail address added. This particular variant of Phobos also adds the extension '.acute'; however, different extensions have been encountered in different variants.

Visualization of the encrypted content does not display any recognizable patterns. It suggests that either a stream cipher or a cipher with chained blocks was used (possibly AES in CBC mode).

Example - a simple BMP before and after encryption

When we look inside the encrypted file, we can see a particular block at the end. It is separated from the encrypted content by '0' byte padding. The first 16 bytes of this block are unique to each file (a possible Initialization Vector). Then comes a block of 128 bytes that is the same in each file from the same infection. That possibly means that this block contains the encrypted key, which is uniquely generated on each run. At the end we can find a 6-character keyword which is typical for this ransomware. In this case it is 'LOCK96'; however, different versions of Phobos have been observed with different keywords, i.e.

In order to fully understand the encryption process, we will look inside the code. In contrast to most malware, which comes protected by some crypter, Phobos is not packed or obfuscated.
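The trailer layout described above lends itself to a small triage parser. The following is an added example, not code from the original post or from the malware authors; it assumes the trailer is ordered exactly as described (zero padding, then the 16-byte IV, then the 128-byte block, then the 6-byte keyword, with nothing in between) and groups files by the 128-byte block to tell one infection run from another.

```python
from collections import defaultdict

# Field sizes come from the post; their strict adjacency is an assumption
# (the post does not say whether anything sits between the 128-byte block
# and the keyword).
KEYWORD_LEN = 6      # 6-character marker at the very end, e.g. b"LOCK96"
KEY_BLOCK_LEN = 128  # identical for every file from the same infection
IV_LEN = 16          # differs per file (possible initialization vector)
TRAILER_LEN = IV_LEN + KEY_BLOCK_LEN + KEYWORD_LEN


def parse_phobos_trailer(data: bytes) -> dict:
    """Split an encrypted file into its ciphertext and the trailer fields.

    Assumed layout: ciphertext | zero padding | IV | key block | keyword.
    """
    if len(data) < TRAILER_LEN:
        raise ValueError("too short to carry a Phobos-style trailer")
    keyword = data[-KEYWORD_LEN:]
    if not (keyword.isascii() and keyword.isalnum()):
        raise ValueError("no printable 6-character keyword at end of file")
    key_block = data[-(KEY_BLOCK_LEN + KEYWORD_LEN):-KEYWORD_LEN]
    iv = data[-TRAILER_LEN:-(KEY_BLOCK_LEN + KEYWORD_LEN)]
    body = data[:-TRAILER_LEN]
    # Heuristic: the padding is zero bytes, but the ciphertext itself may
    # end in zero bytes too, so the recovered boundary can be off slightly.
    ciphertext = body.rstrip(b"\x00")
    return {"keyword": keyword.decode("ascii"), "iv": iv,
            "key_block": key_block, "ciphertext": ciphertext,
            "padding": len(body) - len(ciphertext)}


def group_by_infection(files: dict) -> dict:
    """Map each distinct 128-byte block to the files carrying it.

    One group per ransomware run: several groups on one host is evidence
    of the repeated infections that the persistence mechanisms cause.
    """
    groups = defaultdict(list)
    for name, data in files.items():
        fields = parse_phobos_trailer(data)
        groups[fields["key_block"]].append((name, fields["iv"]))
    return dict(groups)


def make_sample(ciphertext: bytes, iv: bytes, key_block: bytes,
                keyword: bytes = b"LOCK96", pad: int = 8) -> bytes:
    """Build a constructed file image in the assumed layout (test data only)."""
    return ciphertext + b"\x00" * pad + iv + key_block + keyword
```

Running `group_by_infection` over the encrypted files on a host shows how many distinct key blocks exist, which is a quick way to tell a single run from the repeated infections described above.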