| Category | Details | References |
|---|---|---|
| Actors | | |
| First Observed | December 2018 | 1 |
| Threat Actors | TBD | |
| Environment | | |
| Platforms | Windows | 2 |
| Artifacts | | |
| Extensions | .phobos (typically an alphanumeric victim ID and an email address precede the file extension), .acute, id[XXXXXXXX-2275].[helprecover@foxmail.com].help | 3 4 1 |
| Ransomware Notes | info.txt, info.hta, Phobos.hta, Encrypted.txt, Data.hta, Info.hta | 2 5 |
| Services It Disables | At least 41 named processes; the local Windows Firewall | 3 2 |
| Other Observables | Skips at least 342 file extensions | 3 |
| Automation | | |
| Automatically Gains Access | No | |
| Automatically Escalates Privileges | Yes | 1 |
| Requires Human Interaction | Yes; requires a manual click on the UAC prompt | 2 |
| Automatic Exfiltration | No | 1 |
| Automatic Propagation | Partially; enumerates and encrypts network shares | 1 6 |
Please note that this page was last updated on 2023-03-14 at 20:21.
1. https://blog.360totalsecurity.com/en/new-variant-of-phobos-ransomware-is-coming/
2. https://blogs.blackberry.com/en/2021/09/threat-thursday-phobos-ransomware
3. https://www.malwarebytes.com/blog/news/2019/07/a-deep-dive-into-phobos-ransomware
4. https://www.bleepingcomputer.com/forums/t/688649/phobos-ransomware-id-idemailphobos-adame-help-support/