Phobos

Phobos, a new form of ransomware, was first discovered in December 2018 impacting businesses worldwide. Its technical and operational details closely resemble those of recent Dharma variants, also known as CrySiS. Phobos is disseminated through compromised Remote Desktop Protocol (RDP) connections. Both Phobos and Dharma use the same mutex around the RSA routine that runs just before the encryption process. Phobos does not bypass User Account Control (UAC); instead, it uses the UAC prompt to launch a second, privilege-elevated copy of itself upon download. This malware is particularly aggressive: it continues to encrypt files after the initial ransom note appears and can be run repeatedly, with or without an internet connection. For large files, Phobos shortens encryption time by encrypting only selected chunks, leaving some fragments untouched.
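Added example, not code from the page or from the Malwarebytes report: a chunk-wise entropy check a responder can run during triage, which tells an untouched file from a fully encrypted one and flags the mixed pattern that chunked partial encryption of large files leaves behind. The 64 KiB window, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the demonstration, not Phobos constants.

```python
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 64 * 1024   # assumed analysis window, not a Phobos constant
HIGH_ENTROPY = 7.5       # bits/byte; ciphertext (and compressed data) sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size window, so partial encryption shows up per chunk."""
    return [shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE, threshold: float = HIGH_ENTROPY) -> str:
    """'low-entropy': looks untouched; 'fully-high-entropy': whole file ciphertext-like
    (or natively compressed, so confirm with the file type); 'mixed': high- and
    low-entropy chunks side by side, the signature of chunked partial encryption."""
    flags = [e >= threshold for e in chunk_entropies(data, chunk_size)]
    if not flags:
        return "empty"
    if all(flags):
        return "fully-high-entropy"
    if not any(flags):
        return "low-entropy"
    return "mixed"


# Constructed samples: a repetitive plaintext chunk and a deterministic
# pseudo-random chunk (SHA-256 counter stream) standing in for ciphertext.
PLAIN_CHUNK = (b"Quarterly report: revenue, costs, headcount.\n" * 2000)[:CHUNK_SIZE]
CIPHER_CHUNK = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                        for i in range(CHUNK_SIZE // 32))


def sample_untouched() -> bytes:
    return PLAIN_CHUNK * 4


def sample_fully_encrypted() -> bytes:
    return CIPHER_CHUNK * 4


def sample_partially_encrypted() -> bytes:
    # Alternating encrypted and untouched windows, as chunked encryption leaves them.
    return CIPHER_CHUNK + PLAIN_CHUNK + CIPHER_CHUNK + PLAIN_CHUNK
```

Run the classifier over files on a suspect host and pair a "mixed" verdict with the file's expected type; archives, images and other natively compressed formats score high on their own and need that second check.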

Technical Details and Reporting:

  • Malwarebytes provides an extensive deep dive into Phobos’ technical details and IOCs here.