By Richard Arneson
An ambitious, but apparently unoriginal, cybercrime gang is taking responsibility for a rash of malware attacks that began just prior to the Christmas holidays. They’ve named it Phobos, ostensibly taken from the name given to the personification of fear in Greek mythology. Apparently, fear wasn’t granted god status by the ancient Greeks.
The gang, which apparently forgot to name itself, was inspired by two (2) earlier and very prolific attacks: Dharma and CrySiS, the origin and meaning of the latter's name being pretty self-explanatory. But it’s obvious to the security professionals that the gang is only flattering itself—they have no doubt that the same band of reprobates is behind all three (3) attacks.
Like Dharma, Phobos preys on open or poorly secured RDP (Remote Desktop Protocol) ports. From these weakened RDPs, Phobos sneaks and slithers into networks and launches the ransomware attack, where it begins encrypting files. It can affect files on local, mapped network and virtual machine drives.
Because it’s called ransomware, victims are soon left with this decision—should I, or shouldn’t I, pay to access my affected files, which will be locked with the .phobos extension. And, as is usually the case, they want payment in Bitcoin, the currency of choice for launchers of ransomware. (Here’s a not-so-subtle tip: DON’T PAY. It only supports and exacerbates the crime.)
It’s obvious that Phobos is Dharma-inspired—the ransom note appears exactly like the one (1) that was used by Dharma, text, typeface and all. In addition, most of Phobos’ code is identical to Dharma’s; it’s basically a cut-and-paste version of the latter. And, really, why wouldn’t it mimic Dharma? In the cybercrime world, Dharma is probably 2018’s MVP in the ransomware division. Or, at the very least, it’s on the all-star team; it was arguably the most damaging ransomware of the year.
To prevent hurt feelings, the developers of Phobos borrowed from CrySiS, as well. Phobos is so similar to it that anti-virus software often detects Phobos as CrySiS. The differences between the two (2) are so slight that many in the security industry refer to them interchangeably. Technically, though, they’re relatives, and are part of the same sinister crime family.
How are they finding victims’ RDP ports?
Sadly, there’s a marketplace for everything, even RDP ports. On underground cybercrime forums, expansive lists of RDP ports are advertised for sale at bargain basement rates. They’ve been collected by attackers via brute-force attacks, or, in many cases, by playing a game of “Guess the RDP Port.”
Secure ports, backup data, repeat often
To help mitigate the risks of falling victim to ransomware, all RDP ports must be secured with passwords. Not doing so means a simple tap on the [enter] key unlocks the gate. And, of course, back up data on a regular basis.
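One way to check a Windows host you administer for the weakness described above (RDP enabled while an account that can use it has no password requirement). This is an added example, not code from the article or from GDT; it assumes an elevated PowerShell session and the English built-in group names, and the `$report` variable name is illustrative.

```powershell
# Added example: audit the local RDP configuration of the host this runs on.
$ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcp = "$ts\WinStations\RDP-Tcp"

# fDenyTSConnections = 0 means Remote Desktop connections are allowed.
$rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

# UserAuthentication = 1 means Network Level Authentication is required.
$nlaRequired = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1
$port        = (Get-ItemProperty -Path $tcp -Name PortNumber).PortNumber

# Enabled local accounts that are not required to have a password.
$noPassword = @(Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordRequired })

# Local members of the groups that may log on over RDP by default.
# Assumption: English group names; adjust on localized systems.
$rdpMembers = foreach ($group in 'Administrators', 'Remote Desktop Users') {
    Get-LocalGroupMember -Group $group -ErrorAction SilentlyContinue |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
}

# Accounts that can use RDP and may have an empty password.
$risky = @($rdpMembers | Where-Object {
    $noPassword.Name -contains ($_.Name -split '\\')[-1]
} | Select-Object -ExpandProperty Name -Unique)

$report = [pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    RdpEnabled           = $rdpEnabled
    RdpPort              = $port
    NlaRequired          = $nlaRequired
    AccountsNoPwdRequired = $noPassword.Name -join ', '
    RdpAccountsAtRisk    = $risky -join ', '
}
$report | Format-List

if ($rdpEnabled -and ($risky.Count -gt 0 -or -not $nlaRequired)) {
    Write-Warning 'RDP is enabled with weak authentication settings; review the accounts and NLA setting listed above.'
}
```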
If you’re already a ransomware victim, you can go to ID Ransomware and upload one (1) of the encrypted, affected files. They’ll tell you which strain you’ve been infected with, and there are probably more than you’d imagined. Currently, ID Ransomware can identify over six hundred (600) different strains of it.
Ransomware is more than locking victims’ files. By the time they realize their files have been locked, the cybercriminals may have been traipsing about networks for weeks or months—maybe longer. The ransomware may simply be their coup de grâce, launched only after they’ve downloaded as much of the victim’s information as they deem worthwhile.
They’re Security Experts
To find out how to secure your organization’s network and protect mission-critical data, contact GDT’s tenured and talented engineers and security analysts at SOC@GDT.com. From their Security and Network Operations Centers, they manage, monitor and protect the networks of companies of all sizes, including those for some of the most notable enterprises, service providers, healthcare organizations and government agencies in the world. They’d love to hear from you.