{
	"id": "865adaa0-463a-47a7-8d7e-926d67249ae0",
	"created_at": "2026-04-06T00:16:24.778324Z",
	"updated_at": "2026-04-10T13:11:57.613966Z",
	"deleted_at": null,
	"sha1_hash": "6159873e83e3060235016ec960a270229117b1dc",
	"title": "Threat spotlight: Phobos ransomware lives up to its name | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 538232,
	"plain_text": "Threat spotlight: Phobos ransomware lives up to its name |\r\nMalwarebytes Labs\r\nBy Jovi Umawing\r\nPublished: 2020-01-09 · Archived: 2026-04-05 19:22:51 UTC\r\nRansomware has struck dead on organizations since it became a mainstream tool in cybercriminals’ belts years\r\nago. From massive WannaCry outbreaks in 2017 to industry-focused attacks by Ryuk in 2019, ransomware’s got\r\nits hooks in global businesses and shows no signs of stopping. That includes a malware family known as Phobos\r\nransomware, named after the Greek god of fear.\r\nPhobos is another one of those ransomware families that primarily targets organizations by employing tried-and-tested tactics to infiltrate systems. While this ransomware may go by different aliases, many\r\nconsider it an off-shoot or variant—if not a rip-off—of the Dharma ransomware family, which is also called\r\nCrySis. This is attributed to Phobos’ operational and technical likeness to recent Dharma strains.\r\nPhobos ransomware, like Sodinokibi, is sold in the underground in ransomware-as-a-service (RaaS) packages.\r\nThis means that criminals with little to no technical know-how can create their own ransomware strain with the\r\nhelp of a kit, and organize a campaign against their desired targets.\r\nHowever, Coveware researchers have noted that, compared to their peers, Phobos operators are “less organized\r\nand professional,” which has eventually led to extended ransom negotiations and more complications retrieving\r\nfiles and systems for Phobos ransomware victims during the decryption process.\r\nPhobos ransomware infection vectors\r\nPhobos can arrive on systems in several ways: via open or insecure remote desktop protocol (RDP) connections\r\non port 3389, brute-forced RDP credentials, the use of stolen and bought RDP credentials, and old-fashioned\r\nphishing. 
Phobos operators can also leverage malicious attachments, downloads, patch exploits, and software\r\nvulnerabilities to gain access to an organization’s endpoints and network.\r\nPhobos ransomware primarily targets businesses; however, there have been several reports of consumers finding\r\nthemselves face-to-face with this adversary, too.\r\nSymptoms of Phobos ransomware infection\r\nhttps://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/\r\nPage 1 of 8\n\nSystems affected by variants of the Phobos ransomware display the following symptoms:\r\nPresence of ransom notes. Upon infection, Phobos drops two ransom notes in text (.TXT) and in executable web\r\nfile (.HTA) format. The latter automatically opens after Phobos finishes encrypting files.\r\nHere’s a snippet of the note:\r\nAll your files have been encrypted due to a security problem with your PC. If you want to restore them,\r\nwrite us to the e-mail [email address 1]\r\nWrite this ID in the title of your message [generated ID]\r\nIf there is no response from our mail, you can install the Jabber client and write to us in support of\r\n[email address 2]\r\nYou have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After\r\npayment we will send you the decryption tool that will decrypt all your files.\r\nAs you can see, Phobos operators are requiring victims to contact them in the event of their ransomware infection.\r\nIn some notes from other variants, instructions to reach threat actors via Jabber are not included.\r\nAside from the channels through which victims can reach the threat actors, this ransom note also contains information on\r\nhow they can acquire Bitcoins and how to install the messenger client.\r\n!!! 
All of your files are encrypted !!!\r\nTo decrypt them send e-mail, to this address: [email address 1]\r\nIf there is no response from our mail, you can install the Jabber client and write to us in support of\r\n[email address 2]\r\nAfter triggering the opening of the HTA ransom note, which supposedly signifies the end of Phobos’ encryption,\r\nwe have observed that it is an aggressive ransomware that continues to run in the background and encode new\r\nfiles it is programmed to encrypt. It can do this with or without an Internet connection.\r\nEncrypted files with a long, appended string after the extension name. Phobos encrypts target files using\r\nAES-256 with RSA-1024 asymmetric encryption. Both Phobos and Dharma implement the same RSA algorithm;\r\nhowever, Phobos uses it from Windows Crypto API while Dharma uses it from a third-party static library. Upon\r\nencryption, it appends a compound extension name at the end of encrypted files. This implements the format or\r\nformula:\r\n.ID[ID][email address 1].[added extension]\r\nIn the formula, [ID] is the generated ID number specified in the ransom note. It is a two-part alpha-numeric string:\r\nthe victim ID and the version ID, separated by a dash. [email address 1] is the email address victims are\r\nprescribed to use in reaching out to the threat actors. This is also specified in the ransom note. Lastly, [added\r\nextension] is an extension that Phobos threat actors decide to associate their ransomware with. 
Below are known\r\nextensions Phobos uses:\r\n1500dollars\r\nactin\r\nActon\r\nactor\r\nAcuff\r\nAcuna\r\nacute\r\nadage\r\nAdair\r\nAdame\r\nbanhu\r\nbanjo\r\nBanks\r\nBanta\r\nBarak\r\nbbc\r\nblend\r\nBORISHORSE\r\nbqux\r\nCaleb\r\nCales\r\nCaley\r\ncalix\r\nCalle\r\nCalum\r\nCalvo\r\nCAPITAL\r\ncom\r\nDDoS\r\ndeal\r\ndeuce\r\nDever\r\ndevil\r\nDevoe\r\nDevon\r\nDevos\r\ndewar\r\neight\r\neject\r\neking\r\nElbie\r\nelbow\r\nelder\r\nFrendi\r\nhelp\r\nKARLOS\r\nkarma\r\nmamba\r\nphobos\r\nphoenix\r\nPLUT\r\nWALLET\r\nzax\r\nFor example, the new file name of sample.bmp after encryption is sample.bmp.id[23043C5D-2394].[agagekeys@qq.com].Caleb.\r\nPhobos encrypts files with the following extensions:\r\nHowever, it skips encoding the following OS files and files in the C:\\Windows folder:\r\nboot.ini\r\nbootfont.bin\r\nntldr\r\nntdetect.com\r\nio.sys\r\nPhobos fully encrypts files of typical size. For large files, however, it uses a different\r\nalgorithm that partially encrypts selected portions of such files. This is an effective method to severely cut\r\ndown the time it takes to encrypt large files and, at the same time, maximize the damage it could do to such a file\r\nif something goes wrong with its decryption.\r\nThis ransomware attacks files in all local drives as well as network shares.\r\nTerminated processes. Phobos ransomware is known to terminate the following active processes on affected\r\nsystems so that no programs can stop it from accessing files to eventually encrypt:\r\nDeleted shadow copies and local backups. 
Like Sodinokibi and other ransomware families, Phobos deletes\r\nshadow copies and backup copies of files to prevent users from restoring encrypted files, thus forcing them to do\r\nthe threat actors’ bidding.\r\nSystems not booting in recovery mode. Recovery mode is built into Windows systems. If users encounter a\r\ntechnical flaw leading to the system crashing or getting corrupted, they have the option to restore the OS to its\r\nnormal state by reloading its last known state before the flaw. Phobos removes this option by preventing users\r\nfrom entering this mode.\r\nDisabled firewall. With the firewall disabled, malware that it would otherwise have stopped can enter the affected system.\r\nProtect your system from Phobos ransomware\r\nMalwarebytes’ signature-less detection, coupled with real-time anti-malware and anti-ransomware technology,\r\nidentifies and protects consumer and business users from Phobos ransomware in various stages of attack.\r\nWe recommend both consumers and IT administrators take the following actions to secure and mitigate against\r\nPhobos ransomware attacks:\r\nSet your RDP server, which is built into the Windows OS, to deny public IPs access to TCP port 3389, the\r\ndefault port Windows Remote Desktop listens on. If you or your organization has no need for RDP, it is\r\nbetter to disable the service altogether. Critical systems or systems with sensitive information should not\r\nhave RDP enabled.\r\nAlong with RDP port blocking, we also suggest blocking TCP port 445, the default port Server\r\nMessage Block (SMB) uses to communicate in a Windows-based LAN, at the network perimeter. Note that\r\nyou or your organization may have to do in-depth testing to see how your system and/or programs are\r\nimpacted by this block. 
As a rule of thumb, block all unused ports.\r\nAllow RDP access only to IPs that are under your or your organization’s control.\r\nEnable the logging of RDP access attempts and review them regularly to detect instances of potential\r\nintrusion.\r\nEnforce the use of strong passwords and account lockout policies for Active Directory domains and local\r\nWindows accounts.\r\nEnforce multi-factor authentication (MFA) for RDP and local account logons whenever possible.\r\nEnforce the use of virtual private networks (VPNs) if your organization allows employees to work\r\nremotely.\r\nCome up with and implement a sound backup strategy.\r\nMaintain an inventory of running services and applications on your system, and review it regularly. For\r\ncritical systems, it’s best to have an active monitoring and alerting scheme in place.\r\nHave a disaster recovery scheme in place in case a successful breach via RDP happens.\r\nKeep all your software, including OS and anti-malware, up-to-date.\r\nOn a final note, if you have all your personal or organization resources properly locked down and secured, and\r\nyou or your organization adhere to good cyber hygiene practices, there is little to be feared about Phobos or any\r\nransomware in general.\r\nIndicators of Compromise (IOCs)\r\ne59ffeaf7acb0c326e452fa30bb71a36\r\neb5d46bf72a013bfc7c018169eb1739b\r\nfa4c9359487bbda57e0df32a40f14bcd\r\nHave a threat-free 2020, everyone!\r\nAbout the author\r\nKnows a bit about everything and a lot about several somethings. Writes about those somethings, usually in long-form.\r\nSource: https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/"
	],
	"report_names": [
		"threat-spotlight-phobos-ransomware-lives-up-to-its-name"
	],
	"threat_actors": [
		{
			"id": "20c759c2-cd02-45bb-85c6-41bde9e6a7cf",
			"created_at": "2024-01-18T02:02:34.189827Z",
			"updated_at": "2026-04-10T02:00:04.721082Z",
			"deleted_at": null,
			"main_name": "HomeLand Justice",
			"aliases": [
				"Banished Kitten",
				"Karma",
				"Red Sandstorm",
				"Storm-0842",
				"Void Manticore"
			],
			"source_name": "ETDA:HomeLand Justice",
			"tools": [
				"BABYWIPER",
				"BiBi Wiper",
				"BiBi-Linux Wiper",
				"BiBi-Windows Wiper",
				"Cl Wiper",
				"LowEraser",
				"No-Justice Wiper",
				"Plink",
				"PuTTY Link",
				"RevSocks",
				"W2K Res Kit"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434584,
	"ts_updated_at": 1775826717,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6159873e83e3060235016ec960a270229117b1dc.pdf",
		"text": "https://archive.orkl.eu/6159873e83e3060235016ec960a270229117b1dc.txt",
		"img": "https://archive.orkl.eu/6159873e83e3060235016ec960a270229117b1dc.jpg"
	}
}