Phobos, also known as Phobos NextGen or Phobos NotDharma, is ransomware that runs on Microsoft Windows. It is aimed at English-speaking users and is part of the CrySiS/Dharma family.

Phobos was first observed on October 21st, 2017. At the end of 2018, it began to spread actively again.

Over the course of December 2018 and February 2019, hackers released numerous new variants, which use different contact emails.

2019 brought even more news about the Phobos virus, because the ransomware started exploiting weak security to attack users all over the world.[4] It also targets businesses and large companies, since these attacks ensure a bigger profit from a single victim.

Behavior

Phobos does not use any UAC bypass technique. The mechanisms it does use make it very aggressive.

Payload

Transmission

Phobos is distributed by breaking in through insecure RDP configurations, by email spam with malicious attachments, fraudulent downloads, exploits, web injects, fake updates, and repackaged or infected installers.

Infection

During its execution, Phobos starts several threads responsible for its different actions, such as killing blacklisted processes, running commands from the command line, and encrypting accessible drives and network shares.

Phobos comes with a list of processes that it kills before encryption is deployed. Like other strings, the full list is decrypted on demand:

msftesql.exe, sqlagent.exe, sqlbrowser.exe, sqlservr.exe, sqlwriter.exe,
oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe,
mydesktopqos.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe,
ocautoupds.exe, agntsvc.exe, agntsvc.exe, agntsvc.exe, encsvc.exe,
firefoxconfig.exe, tbirdconfig.exe, ocomm.exe, mysqld.exe, mysqld-nt.exe,
mysqld-opt.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe,
msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe,
thebat.exe, thebat64.exe, thunderbird.exe, visio.exe, winword.exe,
wordpad.exe

Those processes are killed so that they will not block access to the files that are going to be encrypted. Phobos also runs several commands from the command line. Those commands are meant to prevent the encrypted files from being recovered from any backups.

First, it deletes the shadow copies.

Phobos then changes the bcdedit options (preventing the system from booting into recovery mode) using the following commands:

bcdedit /set {default} bootstatuspolicy ignoreallfailures
bcdedit /set {default} recoveryenabled no

After that, Phobos deletes the backup catalog on the local computer using the following command:

wbadmin delete catalog -quiet

Finally, Phobos disables the firewall with the following commands:

netsh advfirewall set currentprofile state off
netsh firewall set opmode mode=disable
exit
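The four backup-inhibition steps above (bcdedit, wbadmin, netsh) are a useful detection signal when they appear together under one parent process. The following added example, not taken from the page or from any Phobos sample, runs the matching rules over constructed process-creation log lines in an assumed `timestamp pid=.. ppid=.. cmd=..` format and reports parents that executed at least two distinct steps:

```python
import re
from collections import defaultdict

# Each rule maps a command-line pattern to the Phobos step it corresponds to.
RULES = {
    "recovery_disabled": re.compile(r"bcdedit\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I),
    "bootstatus_ignored": re.compile(r"bcdedit\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I),
    "backup_catalog_deleted": re.compile(r"wbadmin\s+delete\s+catalog", re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+(advfirewall\s+set\s+\w+\s+state\s+off|firewall\s+set\s+opmode\s+mode=disable)", re.I),
}

# Assumed log line layout (constructed for this example, not a real product format).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+cmd=(?P<cmd>.*)$")

def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_backup_tampering(lines, min_steps=2):
    """Group matching commands by parent pid and report parents that ran
    at least `min_steps` distinct Phobos-style steps (sorted step names)."""
    hits = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for name, pat in RULES.items():
            if pat.search(rec["cmd"]):
                hits[rec["ppid"]].add(name)
    return {ppid: sorted(steps) for ppid, steps in hits.items() if len(steps) >= min_steps}

# Constructed sample: one parent (3020) runs the full sequence; two benign admin commands follow.
SAMPLE_LOG = """\
2019-02-01T10:00:01 pid=4100 ppid=3020 cmd=cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
2019-02-01T10:00:01 pid=4102 ppid=3020 cmd=cmd.exe /c bcdedit /set {default} recoveryenabled no
2019-02-01T10:00:02 pid=4104 ppid=3020 cmd=wbadmin delete catalog -quiet
2019-02-01T10:00:02 pid=4106 ppid=3020 cmd=netsh advfirewall set currentprofile state off
2019-02-01T10:00:02 pid=4108 ppid=3020 cmd=netsh firewall set opmode mode=disable
2019-02-01T10:05:00 pid=5000 ppid=900 cmd=wbadmin get versions
2019-02-01T10:06:00 pid=5001 ppid=901 cmd=netsh advfirewall show allprofiles
"""

if __name__ == "__main__":
    for ppid, steps in find_backup_tampering(SAMPLE_LOG.splitlines()).items():
        print(f"parent pid {ppid}: {', '.join(steps)}")
```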

Before Phobos starts its malicious actions, it checks the system locale (calling GetLocaleInfoW with LOCALE_SYSTEM_DEFAULT and LOCALE_FONTSIGNATURE). It terminates execution if the 9th bit of the result is cleared. The 9th bit represents Cyrillic alphabets, so systems that have one set as default are not affected. Both local drives and network shares are encrypted.

Before the encryption starts, Phobos lists all the files and compares their names against hardcoded lists. The lists are stored inside the binary in AES-encrypted form; the strings are separated by the delimiter ';'.

Among those lists is a blacklist of files that will be skipped. Those files are related to the operating system, plus info.txt and info.hta, which are the names of the Phobos ransom notes:

  • info.hta
  • info.txt
  • boot.ini
  • bootfont.bin
  • ntldr
  • ntdetect.com
  • io.sys

There is also a list of directories to be skipped, which contains only one directory:

C:\Windows

Phobos is able to encrypt files without an internet connection (at this point we can guess that it comes with a hardcoded public key). Each file is encrypted with an individual key or initialization vector, so the same plaintext produces a different ciphertext in each file.

It encrypts a variety of files, including executables. The encrypted files have the attacker's e-mail added to their names. This particular variant of Phobos also adds the extension '.acute'; in other variants, different extensions have been encountered. The general pattern is: <original name>.id[<victim ID>-<version ID>][<attacker's e-mail>].<added extension>

Phobos encrypts the following extensions:

.1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4,
.ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx, .avi, .avs,
.backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class,
.clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf, .dbx, .dc3, .dcm, .dcr,
.der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dpx, .dqy, .dsn, .dt, .dtd,
.dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm,
.flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd,
.ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc, .jpe, .jpeg, .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz,
.kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft,
.mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi,
.nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b,
.p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5,
.phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm,
.pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle,
.rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st,
.stm, .svg, .svgz, .swf, .tab, .tar, .tbb, .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl,
.txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm,
.vtml, .vtx, .wav, .wb2, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm,
.xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2,
.xyze, .xz, .zip

Phobos uses the Windows Crypto API to encrypt files. Several parallel threads deploy encryption on each accessible disk or network share. An AES key is created before the encrypting thread is run and is passed as the thread parameter. Although the AES key is common to all the files encrypted in a single round, each file is encrypted with a different initialization vector. The initialization vector is 16 bytes long, generated just before the file is opened, and then passed to the encrypting function.

Underneath, both the AES key and the initialization vector are generated by the same function, a wrapper around CryptGenRandom (a strong random generator). The AES IV is later appended to the content of the encrypted file in cleartext. Before the file encryption function is executed, the random IV is generated. The AES key that was passed to the thread is imported into the context (CryptImportKey) and the IV is set.

After the content of the file is encrypted, it is saved into a newly created file with the ransomware extension. The ransomware creates a block of metadata including checksums and the original file name. After this block the random IV is stored, and finally the block containing the encrypted AES key. The last element is the file marker "LOCK96".

Before being written to the file, the metadata block is encrypted using the same AES key and IV as the file content. Finally, the content is appended to the end of the newly created file.
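Two artifacts described above, the file-name pattern `<original name>.id[<victim ID>-<version ID>][<attacker's e-mail>].<added extension>` and the trailing "LOCK96" marker, can be checked without any key material. The following added example (mine, not code from the page or from a Phobos sample) parses the name pattern, tests for the marker at the very end of the file content and combines both into a triage verdict. It assumes the victim ID is alphanumeric, the version ID numeric, and allows an optional dot between the two bracket groups, as seen in the Adage sample below; the sample inputs are constructed.

```python
import re

# File-name pattern given in the text; the dot between the bracket groups is optional
# because the Adage sample on this page shows one ("].[lockhelp@qq.com]").
PHOBOS_NAME = re.compile(
    r"^(?P<original>.+)\.id\[(?P<victim_id>[0-9A-Za-z]+)-(?P<version_id>\d+)\]"
    r"\.?\[(?P<email>[^\]]+@[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Trailer the page reports as the last element of an encrypted file.
FILE_MARKER = b"LOCK96"

def parse_encrypted_name(name):
    """Return the name components as a dict if `name` follows the pattern, else None."""
    m = PHOBOS_NAME.match(name)
    return m.groupdict() if m else None

def has_phobos_marker(data):
    """True if the file content ends with the Phobos file marker."""
    return data.endswith(FILE_MARKER)

def triage(name, data):
    """Combine the name and marker checks: both present -> 'phobos',
    only one present -> 'suspicious', neither -> 'clean'."""
    parts = parse_encrypted_name(name)
    marker = has_phobos_marker(data)
    if parts and marker:
        verdict = "phobos"
    elif parts or marker:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "name": parts, "marker": marker}

if __name__ == "__main__":
    # Constructed sample: a fake encrypted body followed by the marker.
    body = b"\x00" * 32 + FILE_MARKER
    print(triage("report.docx.id[1A2B3C4D-1096].[lockhelp@qq.com].acute", body))
    print(triage("report.docx", b"PK\x03\x04"))
```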

Phobos uses a different algorithm for big files (above 0x180000 bytes). The algorithm described above is used for files of typical size, in which case the full file is encrypted from beginning to end. For big files the main algorithm is similar, but only some parts of the content are selected for encryption.

In the following example, the file 'test.bin' was filled with 0xAA bytes. Its original size was 0x77F87FF. After encryption by Phobos, some fragments of the file were left unencrypted, while between them, starting from the beginning, some fragments were wiped. A random-looking block of bytes was appended to the end of the file, after the original size: this is the encrypted content of the wiped fragments. At the very end of the file, the block of data typical for Phobos is seen.

Looking inside, the reason for such an alignment becomes clear. Only 3 chunks of the large file are read into a buffer, each 0x40000 bytes long. All read chunks are merged into one buffer. After this content, the usual metadata (checksums, original file name) is added, and the full buffer is encrypted.

Phobos has a separate thread dedicated to attacking network shares. Network shares are enumerated in a loop.

After the encryption process is finished, the ransom note in the .hta file pops up. The .hta file says the following:

All your files are encrypted
Hello World
Data on this PC runed into useless binary code
To return to normal, please contact us by this email: OttoZimmerman@protonmail.ch
Set topic of your message to 'Encryption ID:[8 random characters]'
Interesting facts:
1. Over time, the cost increases, do not waste your time
2. Only we can help you, for sure, no one else.
3. BE CAREFUL If you still try to find other solutions to the problem, make a backup copy of the files you want to experiment on, and play with them. Otherwise, they can be permanently damaged.
4. Any services that offer you help or just take money from you and disappear, or they will be intermediaries between us, with inflated value. Since the antidote is only among the creators of the virus
PHOBOS

Variants

Frendi

Frendi is a variant that came out at the end of February 2019. It is the first version known to researchers that did not mark files with the initial .phobos appendix. The file extension that lands on encoded files includes the .frendi appendix and the tlalipidas1978@aol.com contact email. The same email address is also used as the name of the main executable carrying the ransomware payload.

Later on, a few more .phobos versions were delivered, and after that, at the start of April, additional Frendi virus variants with the withdirimugh1982@aol.com contact email emerged.

Phoenix

Phoenix is a variant that appeared in multiple versions of the virus throughout the years. Like other versions, not much changed from the initial cryptovirus; this threat included a few different contact emails in the ransom notes and file markers, among them autrey.b@aol.com, Costelloh@aol.com and hickeyblair@aol.com. Ransom notes resembling the Dharma family and marked with PHOBOS in the corner remained the same for years, while the developers only changed the contact information and the per-victim IDs.

Actor

Actor is a variant that appeared once or twice in the campaign. One of these variants, found at the start of May 2019, contained returnmefiles@aol.com in the file extension and delivered a text file named Encrypted.txt with a few sentences, as usual. Although, according to some victims, the common HTA window was not delivered, this version was spotted at different times the same year with the same contact information.

Mamba

Mamba is a variant that came out with a few distinct features and an alternate name, HDD Cryptor. This virus was more dangerous because from the start it targeted large businesses, attacking victims to gain large amounts via ransoms of up to $70,000. This was one of the versions that exploited unprotected RDP to infect machines. Contact emails for this particular version are known to be fileb@protonmail.com and back7@protonmail.ch. It is also known to be part of the Petya family.

Actin

Actin is a variant that targets more PC users and individual victims. This threat also uses the AES algorithm for encryption and demands that victims contact the developers via kew07@qq.com to allegedly get their files back.

Acton

Acton was one of the less frequently seen variants in the family. It delivers the same info.hta window with the payment instructions and contact information, but leaves out the ransom text file. Data encrypted by the virus gets extensions including datadecryption@countermail.com.

Adage

Adage is a variant that follows the traditional pattern .id[XXXXXXXX-1096].[lockhelp@qq.com].acute.
